on Apr 9, 2018Currently, Practices only supports the use of SAML as a way to provide Single Sign-On (SSO) to clients.
Overview
SAML (Security Assertion Markup Language) is an open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.
Materials
- SAML Client Questionnaire: https://docs.google.com/document/d/1He_AmNWjXbVRMw8Xu8NKKHL9SaTkQl8xtvpbCaBfuTQ/edit#heading=h.kly9mtu5lclz
- SAML Errors: https://docs.google.com/document/d/1KOP_U5PbOHQyAcq-x4E51pe7LgYBH6VNJ06ULbjORg4/edit
Terminology
| Term | Definition |
|---|---|
| IDP (Identity provider) | Centralized storage of user IDs (a.k.a. federated ID store) |
| Service Provider | Practice is a service provider. |
SAML SSO URL or Identity Provider Single Sign-On URL | Where the user is redirected when they log in. This is a field in the Practice Org settings. The client provides this information. |
| ISSUER or entityID | Any entity implementing SAML profiles is required to identify itself using an entityID. This is a field in the Practice Org settings. The client provides this information. |
| Practice Entity ID | https://practice.xyz |
| SSO Login Endpoint or Assertion Consumer Service URL: | https://app.practice.xyz/sso/saml/consume |
Supported Identity Providers
- OKTA
- Ping
- Siteminder
- Onelogin
- Unique, as long as it implemented the SAML 2.0 specification it works
Requirements
To successfully configure you will need:
- A SAML service
- Practice Assertion Consumer Service URL: https://app.practice.xyz/sso/saml/consume
- Practice SP Entity Id: https://practice.xyz
- The IDP Should include additional ATTRIBUTE STATEMENTS in Assertions sent to Practice
| Attribute Name | Attribute Details | Attribute Value |
|---|---|---|
| User.primaryEmailAddress | The user’s email address | Required,Must be a valid email, Must match a current Practice user or a new account will be created. |
| User.fullName | The user's full name. | Required, Should be Users Full Name, Will update with every log-in unless the value match. |
| User.preferredTimeZone | The user's preferred time zone. | Optional. Must be one of America/New_York, US/Central, US/Mountain, US/Arizona, US/Pacific, US/Alaska, US/Hawaii, UTC Will update with every log-in unless the value match. |
| OrganizationMembership.roleName | The user's role in the organization. | Optional. Must be one of ADMIN, COORDINATOR, MEMBER. Unless the value sent in the assertion matches what is in Practice, it will cause a login error. |
For your Practice IC to finish the configuration you will need to provide:
- The info in this Questionnaire doc
- An IdP Metadata file, or:
- SAML IdP Entity ID
- SAML Certificate Fingerprint or X509 Certificate
Configuration
IC enables SAML for the client Org in the Internal Admin Pane
- https://system-admin.practice.xyz/organizations
- Click the Settings Icon and Select View Integration
- Enable the SAML toggle Note It turns blue when on.
- Click Done
Visit the Organization's Settings
- Click SAML SSO
- Set the SAML SSO URL
- This value is Identity Provider Single Sign-On URL.
- Set the Issuer
- This value is the Identity Provider Issuer or entityID.
- Set the Public Certificate
- This value is the X.509 cert with the header
Authentication and Workflow
Practice currently supports IDP initiated log-in :
- IDP initiated: Someone clicks a link that they build in IDP
- Service Provider Initiated Launch: Service Provider initiated launch or SP initiated launch is handled via the following URL https://app.practice.xyz/saml/login?issuer={issuer/entity id}, Practice will not redirect from the /organizations/{org id} URL
- Mobile App: User is prompted for company code also known as the entityID
1 person found this helpful