Practice Single Sign On SAML Overview
Currently, Practice only supports the use of SAML as a way to provide Single Sign-On (SSO) to clients.
Overview
SAML (Security Assertion Markup Language) is an open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.
Terminology
Term | Definition |
---|---|
IDP (Identity provider) | Centralized storage of user IDs (a.k.a. federated ID store) |
Service Provider | Practice is a service provider. |
SAML SSO URL or Identity Provider Single Sign-On URL | Where the user is redirected when they log in. This is a field in the Practice Org settings. The client provides this information. |
ISSUER or entityID | Any entity implementing SAML profiles is required to identify itself using an entityID. This is a field in the Practice Org settings. The client provides this information. |
Practice Entity ID | https://practice.xyz |
SSO Login Endpoint or Assertion Consumer Service URL | https://app.practice.xyz/sso/saml/consume |
Supported Identity Providers
- Ping
- Siteminder
- Onelogin
- Others: any identity provider works as long as it implements the SAML 2.0 specification
Requirements
To successfully configure you will need:
- A SAML service
- Practice Assertion Consumer Service URL: https://app.practice.xyz/sso/saml/consume
- Practice SP Entity Id: https://practice.xyz
- The IDP should include the following additional attribute statements in assertions sent to Practice:
Attribute Name | Attribute Details | Attribute Value |
---|---|---|
OrganizationMembership.roleName | The user's role in the organization. | Optional. Must be one of ADMIN, COORDINATOR, MEMBER. Unless the value sent in the assertion matches what is in Practice, it will cause a login error. |
User.fullName | The user's full name. | Required. Should be the user's full name. Will update with every log-in unless the value matches. |
User.preferredTimeZone | The user's preferred time zone. | Optional. Must be one of America/New_York, US/Central, US/Mountain, US/Arizona, US/Pacific, US/Alaska, US/Hawaii, UTC. Will update with every log-in unless the value matches. |
User.primaryEmailAddress | The user's email address. | Required. Must be a valid email. Must match a current Practice user, or a new account will be created. |
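To make the requirements above concrete, here is an added example (not Practice's own code, and not code from any of the listed identity providers) that parses a constructed SAML 2.0 assertion and checks the fields this article defines: the Audience must equal the Practice SP entity ID, the SubjectConfirmation Recipient must equal the Assertion Consumer Service URL, the Issuer must equal the IdP entity ID the client supplied, and the AttributeStatement must satisfy the attribute table (required names, allowed role and time-zone values, a well-formed email). The IdP entity ID, the sample user and the assertion text are all constructed placeholders. XML signature verification is out of scope here; these checks assume the assertion has already been signature-verified.

```python
"""Added example: validate the Practice-specific parts of a SAML assertion.
Not Practice's own code; IdP entity ID and sample data are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values taken from the article.
PRACTICE_SP_ENTITY_ID = "https://practice.xyz"
PRACTICE_ACS_URL = "https://app.practice.xyz/sso/saml/consume"
# Placeholder: in practice this is the client's IdP entityID from its metadata.
IDP_ENTITY_ID = "https://idp.example.com/metadata"

ALLOWED_ROLES = {"ADMIN", "COORDINATOR", "MEMBER"}
ALLOWED_TIME_ZONES = {
    "America/New_York", "US/Central", "US/Mountain", "US/Arizona",
    "US/Pacific", "US/Alaska", "US/Hawaii", "UTC",
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute Name: first AttributeValue} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if values else ""
    return attrs


def validate_assertion(assertion_xml: str, idp_entity_id: str = IDP_ENTITY_ID) -> list:
    """Return a list of problems; an empty list means the assertion passes."""
    root = ET.fromstring(assertion_xml)
    problems = []

    # Issuer must be the entityID the client configured in the Practice Org settings.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != idp_entity_id:
        problems.append(f"Issuer {issuer!r} does not match the configured IdP entity ID")

    # Audience restriction must name Practice as the intended service provider.
    audience = root.findtext(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience != PRACTICE_SP_ENTITY_ID:
        problems.append(f"Audience {audience!r} is not the Practice SP entity ID")

    # Bearer confirmation must be addressed to the Practice ACS URL.
    scd = root.find(".//saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != PRACTICE_ACS_URL:
        problems.append(f"Recipient {recipient!r} is not the Practice ACS URL")

    # Attribute statements per the table above.
    attrs = extract_attributes(assertion_xml)
    for required in ("User.fullName", "User.primaryEmailAddress"):
        if not attrs.get(required):
            problems.append(f"missing required attribute {required}")
    email = attrs.get("User.primaryEmailAddress", "")
    if email and not EMAIL_RE.match(email):
        problems.append(f"invalid email address {email!r}")
    role = attrs.get("OrganizationMembership.roleName")
    if role is not None and role not in ALLOWED_ROLES:
        problems.append(f"roleName {role!r} is not one of {sorted(ALLOWED_ROLES)}")
    tz = attrs.get("User.preferredTimeZone")
    if tz is not None and tz not in ALLOWED_TIME_ZONES:
        problems.append(f"preferredTimeZone {tz!r} is not an accepted value")
    return problems


def build_sample_assertion(role="MEMBER", tz="UTC", email="jane@example.com") -> str:
    """Constructed sample assertion for testing; not a real IdP message."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject>
    <saml:NameID>{email}</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{PRACTICE_ACS_URL}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>{PRACTICE_SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="User.fullName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.primaryEmailAddress"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="OrganizationMembership.roleName"><saml:AttributeValue>{role}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.preferredTimeZone"><saml:AttributeValue>{tz}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    print("valid:", validate_assertion(build_sample_assertion()))
    print("bad role:", validate_assertion(build_sample_assertion(role="OWNER")))
```

Running the module prints an empty problem list for the well-formed sample and a single roleName complaint for the unknown role, which mirrors the table's note that a role value not matching Practice causes a login error rather than a silent update.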
For your Practice IC to finish the configuration, you will need to provide:
- The info in this Questionnaire doc
- An IdP Metadata file, or:
  - SAML IdP Entity ID
  - SAML Certificate Fingerprint or X509 Certificate
Authentication and Workflow
Practice currently supports IDP initiated log-in:
- IDP initiated: Someone clicks a link that they build in the IDP.
- Service Provider Initiated Launch: SP initiated launch is handled via the following URL: https://app.practice.xyz/saml/login?issuer={issuer/entity id}. Practice will not redirect from the /organizations/{org id} URL.
- Mobile App: The user is prompted for the company code, also known as the entityID.
