Basic Azure AD SAML Configuration
The following screenshot shows a typical Basic SAML Configuration for AzureAD:
Source for the above fields:

| # | Field | Source | Value |
|---|---|---|---|
| 1 | Identifier (Entity ID) | PainChek SSO instance "ACS URL" field | https://prod.ap.painchek.com/api/sso/acs/109ab39c-020b-4930-802b-d06a2e4390ab/ |
| 2 | Reply URL (Assertion Consumer Service URL) | PainChek SSO instance "ACS URL" field | https://prod.ap.painchek.com/api/sso/acs/109ab39c-020b-4930-802b-d06a2e4390ab/ |
| 3 | Sign On URL | Hard coded | Production Server: https://prod.ap.painchek.com/account/login/ |
| 4 | Relay State | Hard coded | Production Server: https://prod.ap.painchek.com/cloud-portal/dashboard/ |
| 5 | Logout URL | n/a | Do not populate |
Azure AD User Attributes & Claims
The following screenshot shows the typical Attributes and Claims for AzureAD:
Notes:
- The exact claims used will depend on how you decide to configure the PainChek SSO integration.
- The above configuration is one that relies on AD groups (i.e. the IDPGroupIDs claim) to provide role and site details.
Editing Claims
Edit the existing claims by renaming the claim [1] and removing the namespace [2], as per the documentation supplied by PainChek - e.g.:
Adding Group Claims
If you are using AD Groups to provide role and/or site details to PainChek, you will need to add a claim for the Security Groups you have configured in Active Directory (please note that this example is for an on-premise / Azure hybrid environment). Start by clicking ‘Add a Group Claim’ from the top of the page.
Set the group type [1], the source attribute [2] (see below) and the claim name [3] (set to IDPGroupIds):
Source Attribute
The source attribute for a group would generally be sAMAccountName, but it can be any other unique group attribute (objectGUID, for instance). You can view the attribute names in an on-premise Active Directory as shown in the screenshot below:
Once you have configured the groups in Azure AD, you need to provide the source attribute value for each role and/or site to the PainChek support team so they can record the value against the corresponding PainChek records. For example, in the screenshot above, sAMAccountName is used as the source attribute, so the value SG_APP_PainChek_AdminRole needs to be recorded against the PainChek admin role.
Azure AD SAML Signing Certificate
You will need to ensure that the SAML signing option is appropriately set. Enter edit mode:
… and change the Signing Option to Sign SAML Response:
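The following is an added troubleshooting example, not code from this page or from PainChek: it inspects a captured SAML Response the way an administrator would when checking the two settings above. It reports whether the Response element itself carries a signature (the shape the "Sign SAML Response" option produces), checks that the Response's Destination and Issuer agree with the ACS URL and IDP Entity Id from the tables on this page, and extracts the values of the group claim so they can be compared with what PainChek support has recorded. The sample Response, the site group value and the GROUP_MAP lookup are constructed for the example; the signature content is a placeholder, so this is a structural check only and does not replace cryptographic signature validation.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Values taken from the configuration tables on this page.
ACS_URL = "https://prod.ap.painchek.com/api/sso/acs/109ab39c-020b-4930-802b-d06a2e4390ab/"
IDP_ENTITY_ID = "https://sts.windows.net/96f6375b-974a-4334-a32f-881844f8f8aa/"

# Hypothetical mapping of group source-attribute values (sAMAccountName here) to
# PainChek roles/sites. In practice PainChek support records these values; the
# site entry below is constructed for the example.
GROUP_MAP = {
    "SG_APP_PainChek_AdminRole": ("role", "admin"),
    "SG_APP_PainChek_Site_Melbourne": ("site", "Melbourne"),
}

# Constructed sample Response, signed at the Response level (the shape produced
# by the "Sign SAML Response" option). The signature content is a placeholder,
# so the sample is not cryptographically valid.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="IDPGroupIDs">
        <saml:AttributeValue>SG_APP_PainChek_AdminRole</saml:AttributeValue>
        <saml:AttributeValue>SG_APP_PainChek_Site_Melbourne</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def signed_elements(response_xml: str) -> list:
    """Report which elements carry a direct ds:Signature child ('Response',
    'Assertion', or both). No 'Response' entry means the Azure AD Signing
    Option is not producing a signed Response."""
    root = ET.fromstring(response_xml)
    signed = []
    if root.find("ds:Signature", NS) is not None:
        signed.append("Response")
    for assertion in root.findall("saml:Assertion", NS):
        if assertion.find("ds:Signature", NS) is not None:
            signed.append("Assertion")
    return signed


def attribute_values(response_xml: str, claim_name: str) -> list:
    """Collect every AttributeValue of the named claim across all assertions."""
    root = ET.fromstring(response_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == claim_name:
            values.extend((v.text or "").strip()
                          for v in attr.findall("saml:AttributeValue", NS))
    return values


def resolve_groups(values, group_map):
    """Split claim values into ones PainChek has recorded (role/site) and unknown ones."""
    known = {v: group_map[v] for v in values if v in group_map}
    unknown = [v for v in values if v not in group_map]
    return known, unknown


def check_response(response_xml: str, expected_acs: str, expected_issuer: str) -> list:
    """Return a list of configuration mismatches (empty list means consistent)."""
    root = ET.fromstring(response_xml)
    problems = []
    if root.get("Destination") != expected_acs:
        problems.append("Destination does not match the PainChek ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("Issuer does not match the IDP Entity Id")
    if "Response" not in signed_elements(response_xml):
        problems.append("Response element is not signed; set Signing Option to 'Sign SAML Response'")
    return problems


if __name__ == "__main__":
    print("signed elements:", signed_elements(SAMPLE_RESPONSE))
    print("problems:", check_response(SAMPLE_RESPONSE, ACS_URL, IDP_ENTITY_ID))
    groups = attribute_values(SAMPLE_RESPONSE, "IDPGroupIDs")
    print("groups:", resolve_groups(groups, GROUP_MAP))
```

Paste a real Response (decoded from the SAMLResponse form field) in place of SAMPLE_RESPONSE to see which elements Azure AD signed and whether the group values it sends line up with the values recorded on the PainChek side; any entry in the "unknown" list is a group that Azure AD emits but PainChek has no record for.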

PainChek SSO Configuration
When configuring SSO in PainChek, there are a number of Azure AD sourced fields required:

| # | PainChek SSO Instance field | Azure AD Source | Example |
|---|---|---|---|
| 1 | IDP Metadata URL | App Federation Metadata URL | |
| 2 | IDP Certificate | Certificate (Base64) | Note: we are after the contents between |
| 3 | IDP Entity Id | Azure AD Identifier | https://sts.windows.net/96f6375b-974a-4334-a32f-881844f8f8aa/ |
| 4 | IDP SSO URL | Login URL | https://login.microsoftonline.com/96f6375b-974a-4334-a32f-881844f8f8aa/saml2 |

The above fields are sourced from the Azure AD setup form as shown below (the numbers below correspond to the numbers in the above table):
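As an added example (not part of this page or of PainChek's own tooling), the script below shows how fields 2 to 4 of the table relate to field 1: it parses a federation metadata document of the shape Azure AD publishes at the App Federation Metadata URL, pulls out the entity ID, the HTTP-Redirect login URL and the signing certificate, and checks that a PEM file downloaded as "Certificate (Base64)" contains the same certificate. It assumes the table's elided note refers to the Base64 lines between the BEGIN CERTIFICATE and END CERTIFICATE markers, which is what a Base64 certificate download contains. The metadata document and the certificate bytes are constructed placeholders; only the tenant ID and URLs come from the page.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

MD_NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder standing in for the DER bytes of the tenant's signing
# certificate; it is not a real X.509 certificate.
PLACEHOLDER_DER = b"constructed placeholder, not a real X.509 certificate"
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_DER).decode()

# Constructed sample modelled on the shape of an Azure AD federation metadata
# document; the tenant ID and URLs are the ones used in the examples on this page.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/96f6375b-974a-4334-a32f-881844f8f8aa/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/96f6375b-974a-4334-a32f-881844f8f8aa/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/96f6375b-974a-4334-a32f-881844f8f8aa/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample of the "Certificate (Base64)" download (PEM form, 64-char lines).
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(PLACEHOLDER_B64, 64))
              + "\n-----END CERTIFICATE-----\n")


def pem_body(pem_text: str) -> str:
    """Return the Base64 body between the BEGIN/END markers, whitespace removed.
    This is the text to paste into the PainChek 'IDP Certificate' field."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entity ID, HTTP-Redirect SSO URL and signing certificates."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", MD_NS)
    certs = []
    for kd in idp.iterfind("md:KeyDescriptor", MD_NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means both signing and encryption
            for cert in kd.iterfind(".//ds:X509Certificate", MD_NS):
                certs.append("".join((cert.text or "").split()))
    sso_url = None
    for svc in idp.iterfind("md:SingleSignOnService", MD_NS):
        if svc.get("Binding") == HTTP_REDIRECT:
            sso_url = svc.get("Location")
    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "signing_certs": certs}


def fingerprint(b64_der: str) -> str:
    """SHA-256 over the DER bytes, so certificates can be compared regardless of line wrapping."""
    return hashlib.sha256(base64.b64decode(b64_der)).hexdigest()


def certificate_matches(pem_text: str, metadata: dict) -> bool:
    """True if the downloaded PEM is one of the signing certificates published in metadata."""
    pasted = fingerprint(pem_body(pem_text))
    return any(fingerprint(c) == pasted for c in metadata["signing_certs"])


if __name__ == "__main__":
    md = parse_idp_metadata(SAMPLE_METADATA)
    print("IDP Entity Id:", md["entity_id"])
    print("IDP SSO URL:  ", md["sso_url"])
    print("IDP Certificate body:", pem_body(SAMPLE_PEM)[:32], "...")
    print("certificate matches metadata:", certificate_matches(SAMPLE_PEM, md))
```

With a real tenant, fetch the App Federation Metadata URL and pass the body to parse_idp_metadata; a False from certificate_matches after an Azure AD certificate rollover is the usual reason the "IDP Certificate" value in PainChek needs to be refreshed.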