Articles in this section

Azure AD SSO Specific Configuration/Details

  • Updated

Basic Azure AD SAML Configuration

The following screenshot shows a typical Basic SAML Configuration for AzureAD:

mceclip0.png

Source for the above fields:

 

Azure AD field

 

Source

 

Example

 
1

Identifier (Entity id)

PainChek SSO instance “ACS URL” field

 https://prod.ap.painchek.com/api/sso/acs/109ab39c-020b-4930-802b-d06a2e4390ab/
2

Reply URL (Assertion Customer Service URL)

PainChek SSO instance “ACS URL” field

 https://prod.ap.painchek.com/api/sso/acs/109ab39c-020b-4930-802b-d06a2e4390ab/
3

Sign On URL

Hard coded

Prod: https://prod.ap.painchek.com/account/login/
Test: https://ua.ap.painchek.com/account/login/
4

Relay State

Hard coded

Prod: https://prod.ap.painchek.com/cloud-portal/dashboard/
Test: https://ua.ap.painchek.com/cloud-portal/dashboard/
5

Logout URL

n/a

Do not populate

Azure AD User Attributes & Claims

The following screenshot shows the typical Attributes and Claims for AzureAD:

mceclip1.png

Notes:

  • The exact claims used will depend on how you decide to configure the PainChek SSO integration

  • The above configuration is one that relies on AD groups (i.e. the IDPGroupIDs claim) to provide role and site details

Editing Claims

Edit the existing claims by renaming the claim [1] and removing the namespace [2], as per the documentation supplied by PainChek - e.g.:

mceclip2.png

Adding Group Claims

If you are using AD Groups to provide role and/or site details to PainChek, you will need to add a claim for the Security Groups you have configured in Active Directory (please note that this example is for an on-premise / Azure hybrid environment). Start by clicking ‘Add a Group Claim’ from the top of the page.

Set the group type [1], the source attribute [2] (see below) and the claim name [3] (set to IDPGroupIds):

mceclip3.png

Source Attribute

The source attribute for a group would generally be sAMAAccountName, but it can be any other unique group attribute (it could be the objectGUID for instance). You can view the attribute names in an on-premise Active Directory per the below screenshot:

mceclip0.png

mceclip4.pngOnce you have configured the groups in AzureAD, you need to provide the source attribute value for each role and/or site to the PainChek support team so they can record the value against the corresponding PainChek records. e.g. in the example above, sAMAAccountName is used as the source attribute, and so the value of SG_APP_PainChek_AdminRole needs to be recorded against the PainChek admin role.

PainChek SSO Configuration

When configuring SSO in PainChek, there are a number of Azure AD sourced fields required

 
 

PainChek SSO Instance field

 

Azure AD Source

 

Example

 
1

IDP Metadata URL

App Federation Metadata URL

https://login.microsoftonline.com/96f6375b-974a-4334-a32f-881844f8f8aa/federationmetadata/2007-06/federationmetadata.xml?appid=61f02857-de60-424a-b572-8502715f5aaa
2

IDP Certificate

Certificate (Base64)
mceclip4.png

Note we are after the contents between
-----BEGIN CERTIFICATE----- and
-----END CERTIFICATE-----
3

IDP Entity Id

Azure AD Identifier

https://sts.windows.net/96f6375b-974a-4334-a32f-881844f8f8aa/
4

IDP SSO URL

Login URL

https://login.microsoftonline.com/96f6375b-974a-4334-a32f-881844f8f8aa/saml2


The above fields are sourced from the Azure AD setup form as shown below (with the numbers below correspond to numbers in the above table):

mceclip5.png

Related articles