Note
Note: The PainChek app does not support a pop‑up window for SSO authentication. Launch the SSO flow in the same browser tab.
A typical Basic SAML configuration in Microsoft Entra ID (formerly Azure AD):
Table 1. Fields & Sources
|
Entra ID Field |
Source in PainChek |
Data |
|
|---|---|---|---|
|
1 |
Identifier (Entity ID) |
PainChek SSO instance ACS URL |
Example only: https://prod.ap.painchek.com/api/sso/acs/109ab39c-020b-4930-802b-d06a2e4390ab/ |
|
2 |
Reply URL (Assertion Consumer Service URL) |
PainChek SSO instance ACS URL |
Example only: https://prod.ap.painchek.com/api/sso/acs/109ab39c-020b-4930-802b-d06a2e4390ab/ |
|
3 |
Sign‑on URL |
Hard‑coded |
Production: https://prod.ap.painchek.com/account/login/ UAT: https://ua.ap.painchek.com/account/login/ |
|
4 |
Relay State |
Hard‑coded |
Production: https://prod.ap.painchek.com/cloud-portal/dashboard/ UAT: https://ua.ap.painchek.com/cloud-portal/dashboard/ |
|
5 |
Logout URL |
n/a |
Do not populate |
The exact claims depend on how you choose to pass role and site details to PainChek. The example below assumes you use Entra ID groups to provide these details via a custom claim named IDPGroupIds.
When using groups for role/site mapping, you should use sAMAccountName for PainChek role/site resolution.
In the enterprise application, open Single sign‑on → User Attributes & Claims → Add a group claim:
-
Select Security Group
-
ID format / Source attribute: select sAMAccountName.
-
Name the claim IDPGroupIds (exact, case‑sensitive).
Note
If you have trouble using the sAMAccountName attribute, Group ID can be used instead.
If starting from an existing application template, edit the claims so that:
-
The claim name matches the expected PainChek claim.
-
Clear anything in the Namespace section.
-
Add the Source attribute.
Ensure the SAML signing option is correctly set:
-
Signing option: Sign SAML Response (PainChek expects the assertion to be within a signed response).
|
PainChek SSO Field |
Entra ID Source |
Data |
|
|---|---|---|---|
|
1 |
IDP Metadata URLApp Federation Metadata URL |
App Federation Metadata URL |
Example: https://login.microsoftonline.com/96f6375b-974a-4334-a32f-881844f8f8aa/federationmetadata/2007-06/federationmetadata.xml?appid=61f02857-de60-424a-b572-8502715f5aaa |
|
2 |
IDP Certificate |
Certificate (Base64) |
Paste the contents between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- |
|
3 |
IDP Entity ID |
Microsoft Entra Identifier |
Example: https://sts.windows.net/96f6375b-974a-4334-a32f-881844f8f8aa/ |
|
4 |
IDP SSO URL |
Login URL |
Example: https://login.microsoftonline.com/96f6375b-974a-4334-a32f-881844f8f8aa/saml2 |
The above fields are sourced from the Azure AD setup form as shown below (with the numbers below correspond to numbers in the above table):
-
Groups not mapping in PainChek: Verify the IDPGroupIds claim is present and contains UUIDs (Entra object IDs) separated as configured (e.g., space or comma). If you see names, you’ve selected the wrong source attribute.
-
NameID / Subject issues: Ensure the primary user identifier you send (UPN/email) matches a user in PainChek.
-
Signature errors: Confirm the SAML Response is signed and that the IDP Certificate in PainChek matches your Entra certificate.