Practice Single Sign On SAML Overview

Document created by Tyler Clark (Employee) on Apr 9, 2018. Last modified by Kyle Spencer on Oct 3, 2019. Version 4.

Currently, Practice only supports SAML as the way to provide Single Sign-On (SSO) to clients.

Overview

SAML (Security Assertion Markup Language) is an open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.

Materials

Terminology

IDP (Identity Provider): Centralized storage of user IDs (a.k.a. federated ID store).
Service Provider: Practice is a service provider.
SAML SSO URL or Identity Provider Single Sign-On URL: Where the user is redirected when they log in. This is a field in the Practice Org settings. The client provides this information.
ISSUER or entityID: Any entity implementing SAML profiles is required to identify itself using an entityID. This is a field in the Practice Org settings. The client provides this information.
Deep linking or RelayState: A parameter of the SAML protocol used to identify the specific resource the user will access after they are signed in and directed to the relying party's federation server. Simply, a link that takes you to a specific page in Practice (e.g., see your peer feedback).
Practice Entity ID: https://practice.xyz/
SSO Login Endpoint or Assertion Consumer Service URL: https://app.practice.xyz/sso/saml/consume

Supported Identity Providers

  • OKTA
  • Ping
  • Siteminder
  • Onelogin
  • Any other provider: as long as it implements the SAML 2.0 specification, it works

Requirements

To successfully configure SSO, you will need the following attributes in the assertion:

Attribute: User.primaryEmailAddress
  Details: The user's email address.
  Value: Required. Must be a valid email. Must match a current Practice user, or a new account will be created.
Attribute: User.fullName
  Details: The user's full name.
  Value: Required. Should be the user's full name. Will be updated on every log-in unless the values match.
Attribute: User.preferredTimeZone
  Details: The user's preferred time zone.
  Value: Optional. Must be one of America/New_York, US/Central, US/Mountain, US/Arizona, US/Pacific, US/Alaska, US/Hawaii, UTC. Will be updated on every log-in unless the values match.
Attribute: OrganizationMembership.roleName
  Details: The user's role in the organization.
  Value: Optional. Must be one of ADMIN, COORDINATOR, MEMBER. Unless the value sent in the assertion matches what is in Practice, it will cause a login error.
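As an added example (not part of this document or of the Practice product), the following Python script shows how a service provider can check the AttributeStatement of an incoming assertion against the attribute rules above. The sample assertion is constructed; the script checks attribute content only and assumes the assertion's signature, Issuer and audience have already been verified.

```python
import re
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace, used for all element lookups below.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Allowed values copied from the Practice requirements table.
TIME_ZONES = {"America/New_York", "US/Central", "US/Mountain", "US/Arizona",
              "US/Pacific", "US/Alaska", "US/Hawaii", "UTC"}
ROLES = {"ADMIN", "COORDINATOR", "MEMBER"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # deliberately simple

def extract_attributes(assertion_xml: str) -> dict:
    """Map each saml:Attribute Name to the text of its first AttributeValue."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs

def validate_attributes(attrs: dict) -> list:
    """Apply the table's rules; an empty list means the attributes are acceptable.
    Signature, Issuer and audience checks are assumed to have happened before this."""
    problems = []
    if not EMAIL_RE.match(attrs.get("User.primaryEmailAddress", "")):
        problems.append("User.primaryEmailAddress missing or not a valid email")
    if not attrs.get("User.fullName"):
        problems.append("User.fullName is required")
    tz = attrs.get("User.preferredTimeZone")
    if tz is not None and tz not in TIME_ZONES:
        problems.append(f"User.preferredTimeZone {tz!r} is not an allowed value")
    role = attrs.get("OrganizationMembership.roleName")
    if role is not None and role not in ROLES:
        problems.append(f"OrganizationMembership.roleName {role!r} is not ADMIN, COORDINATOR or MEMBER")
    return problems

# Constructed sample assertion (not a real IdP response); the time zone is
# outside the allowed set, so validation should report exactly one problem.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="User.primaryEmailAddress"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.fullName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.preferredTimeZone"><saml:AttributeValue>Europe/Berlin</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="OrganizationMembership.roleName"><saml:AttributeValue>MEMBER</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(validate_attributes(extract_attributes(SAMPLE_ASSERTION)))
```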


For your Practice IC to finish the configuration you will need to provide:

  • The info in this Questionnaire doc
  • An IdP Metadata file, or:
    • SAML IdP Entity ID
    • SAML Certificate Fingerprint or X509 Certificate


Configuration

The IC enables SAML for the client Org in the Internal Admin Pane:

  • Enable the SAML toggle (note: it turns blue when on)
  • Click Done

Visit the Organization's Settings

  • Click SAML SSO
  • Set the SAML SSO URL
    • This value is the Identity Provider Single Sign-On URL.
  • Set the Issuer
    • This value is the Identity Provider Issuer or entityID.
  • Set the Public Certificate
    • This value is the X.509 certificate, including its header.


Authentication and Workflow

Practice currently supports IDP initiated log-in; the supported flows are:

  • IDP initiated: Someone clicks a link that they build in the IDP.
  • Service Provider Initiated Launch: SP initiated launch is handled via the URL https://app.practice.xyz/saml/login?issuer={issuer/entity id}. Practice will not redirect from the /organizations/{org id} URL.
  • Mobile App: The user is prompted for the company code, also known as the entityID.
