Note
The PainChek app does not support a pop-up window for SSO authentication.
To create a SAML integration with PainChek in OKTA, create a new app integration and select the SAML option.
In the SAML settings, configure the Single sign on URL, Audience URI (SP Entity ID) and Default RelayState:

| OKTA field | Source | Example |
|---|---|---|
| Single sign on URL | PainChek SSO instance "ACS URL" field | https://prod.ap.painchek.com/api/sso/acs/109ab39c-020b-4930-802b-d06a2e4390ab/ |
| Audience URI (SP Entity ID) | PainChek SSO instance "ACS URL" field | https://prod.ap.painchek.com/api/sso/acs/109ab39c-020b-4930-802b-d06a2e4390ab/ |
| Default RelayState | PainChek SSO instance "ACS URL" field | Production Server: https://prod.ap.painchek.com/cloud-portal/dashboard/ ; UAT Server: https://ua.ap.painchek.com/cloud-portal/dashboard/ |
Configure individual attributes for email, first name and last name, and establish one group-based attribute.

Individual attributes:

| Attribute Name (as required by PainChek) | Value (OKTA data source) |
|---|---|
| | user.email |
| FirstName | user.firstName |
| LastName | user.lastName |

Group attributes:

| Attribute Name (as required by PainChek) | Filter |
|---|---|
| IDPGroupIds | optional |
Note
- PainChek relies on two sets of group data: one set controls the role assigned to the user and the other controls the sites assigned to the user.
- A filter can be used to limit the groups sent to PainChek. A filter is not required; PainChek ignores groups unknown to it.
- Users that require access to PainChek must be assigned to the app integration created in this process. Those users must also be members of the appropriate groups: exactly one of the PainChek roles and one or more of the PainChek sites.
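The role/site rule above is easy to get wrong when groups are assigned by hand, so the following added example (not PainChek or Okta code) checks it against the `IDPGroupIds` attribute as Okta would emit it in the assertion's AttributeStatement. The XML fragment, the group names and the role/site sets are constructed for illustration; the real group names are whatever was configured on the PainChek side. Groups PainChek does not know are ignored, as the note says.

```python
"""Check the IDPGroupIds attribute Okta sends to PainChek against the rule:
exactly one role group and one or more site groups.

Added example, not PainChek or Okta code. The AttributeStatement, the group
names and the ROLE_GROUPS/SITE_GROUPS sets are constructed for illustration.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an Okta group attribute statement carries one
# AttributeValue per group. Group names here are hypothetical.
SAMPLE_ATTRIBUTE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="IDPGroupIds">
    <saml:AttributeValue>PainChek-Role-Clinician</saml:AttributeValue>
    <saml:AttributeValue>PainChek-Site-Riverside</saml:AttributeValue>
    <saml:AttributeValue>Everyone</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Hypothetical: the group names PainChek has been told to treat as roles and sites.
ROLE_GROUPS = {"PainChek-Role-Clinician", "PainChek-Role-Admin"}
SITE_GROUPS = {"PainChek-Site-Riverside", "PainChek-Site-Hilltop"}


def attribute_values(statement_xml, name):
    """Return all AttributeValue texts for the named SAML attribute ([] if absent)."""
    root = ET.fromstring(statement_xml.strip())
    for attr in root.findall("saml:Attribute", NS):
        if attr.get("Name") == name:
            return [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return []


def check_group_assignment(groups, role_groups=ROLE_GROUPS, site_groups=SITE_GROUPS):
    """Return (ok, problems). Groups unknown to PainChek are ignored, as the page states."""
    roles = sorted(g for g in groups if g in role_groups)
    sites = sorted(g for g in groups if g in site_groups)
    problems = []
    if len(roles) != 1:
        problems.append(f"expected exactly one role group, got {roles}")
    if not sites:
        problems.append("expected at least one site group, got none")
    return (not problems, problems)


if __name__ == "__main__":
    groups = attribute_values(SAMPLE_ATTRIBUTE_STATEMENT, "IDPGroupIds")
    ok, problems = check_group_assignment(groups)
    print("groups sent:", groups)
    print("OK" if ok else "\n".join(problems))
```

Run it against a decoded SAMLResponse captured from a test login (browser developer tools or a SAML tracer extension) to confirm a user's group memberships before they report an access problem. The "Everyone" group is passed through untouched, which is why an Okta filter is optional here.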
Once the attributes are configured, click Next to be taken to the Feedback step.
Once you have answered the questions (the responses do not affect the integration with PainChek), click Finish.
When configuring SSO in PainChek, a number of OKTA-sourced fields are required:

| PainChek SSO Instance field | OKTA Source | Example |
|---|---|---|
| IDP Entity Id | Identity Provider Issuer | |
| IDP Metadata URL | See below | https://painchek.okta.com/app/exk1giadkaco6NlWH697/sso/saml/metadata |
| IDP SSO URL | Identity Provider Single Sign-On URL | https://painchek.okta.com/app/painchek_painchekssouat_1/exk1giadkaco6NlWH697/sso/saml |
| IDP Certificate | X.509 Certificate | Paste the contents between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. NB: the certificate is allowed to contain newline characters. |
The above fields are sourced from the SAML Setup Instructions, available on the "Sign On" tab for the application.
On that tab, scroll down until you see the View SAML Setup Instructions button.
Clicking that link displays a page with items 1, 2 and 4 available.
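The same three values (IDP Entity Id, IDP SSO URL, IDP Certificate) are also present in the document served at the IDP Metadata URL. The following added example (not PainChek or Okta code) pulls them out of a metadata document so they can be pasted into the PainChek SSO instance without copying from screenshots, and strips PEM armor from a certificate in case it was copied with the BEGIN/END lines. The metadata below is constructed in the shape Okta serves; the `entityID` value and the certificate bytes are placeholders, not the real values for this tenant. The URLs are the ones from the table above.

```python
"""Extract the Okta-sourced PainChek SSO fields from SAML IdP metadata.

Added example, not PainChek or Okta code. SAMPLE_METADATA is constructed;
its entityID and certificate are placeholders.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of Okta's IdP metadata. The entityID and the
# X509Certificate body (a tiny DER SEQUENCE) are placeholders.
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk1giadkaco6NlWH697">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
MAMCAQE=
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://painchek.okta.com/app/painchek_painchekssouat_1/exk1giadkaco6NlWH697/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://painchek.okta.com/app/painchek_painchekssouat_1/exk1giadkaco6NlWH697/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def strip_pem_armor(cert_text):
    """Return the bare base64 body: PEM header/footer and all whitespace removed.
    Accepts the raw metadata value or a full -----BEGIN CERTIFICATE----- block."""
    lines = [ln.strip() for ln in cert_text.strip().splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def looks_like_der_certificate(b64_body):
    """Sanity check only: decodes as base64 and starts with a DER SEQUENCE tag (0x30).
    This is not signature or chain validation."""
    try:
        der = base64.b64decode(b64_body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 0 and der[0] == 0x30


def painchek_fields_from_metadata(metadata_xml):
    """Map IdP metadata onto the PainChek SSO instance fields."""
    root = ET.fromstring(metadata_xml.strip())
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    # Okta publishes the same Location for both bindings; prefer HTTP-POST.
    services = idp.findall("md:SingleSignOnService", NS)
    sso = next((s.get("Location") for s in services if s.get("Binding") == HTTP_POST), None)
    if sso is None and services:
        sso = services[0].get("Location")

    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if el is not None and el.text:
                cert = strip_pem_armor(el.text)
                break
    if cert is None or not looks_like_der_certificate(cert):
        raise ValueError("no usable signing certificate in metadata")

    return {
        "IDP Entity Id": root.get("entityID"),
        "IDP SSO URL": sso,
        "IDP Certificate": cert,
    }


if __name__ == "__main__":
    for field, value in painchek_fields_from_metadata(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

Feed it the body fetched from the IDP Metadata URL in the table above (for example `curl -s <url>` piped to a small wrapper around `painchek_fields_from_metadata`). Comparing its output with what was pasted into the PainChek SSO instance catches the usual mistakes: a stray PEM header, a truncated certificate, or the Entity Id copied from the wrong tenant.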