Note
The PainChek App does not support a pop-up window for SSO authentication.
The general PainChek SSO configuration is documented here: Configuring Client SSO
The following screenshots show an example of a working PainChek ADFS SSO integration. Some of the configuration is ADFS-specific and is not documented elsewhere, so it is important that all steps in this guide are followed.
To set up SSO for ADFS, there are three main steps:
- create and configure a Relying Party Trust
- create and configure claim rules for the Relying Party Trust
- configure the token-signing certificate
ADFS configuration starts with creating a “PainChek” Relying Party Trust record, e.g.:
During the Select Data Source step, select "Enter data about the relying party manually".
You can view and configure the “PainChek” Relying Party Trust properties by selecting PainChek and choosing the Properties option:
Add a SAML endpoint configured with the ACS URL supplied by PainChek:
Ensure the Secure hash algorithm is SHA-256 (SHA-1 is deprecated for token signing and should not be selected).
Set the Display name to PainChek (or something suitable) and add the ACS URL supplied by PainChek as a Relying party identifier:
Once the “PainChek” Relying Party Trust record is created, the next step is to configure the claim rules.
You can view and configure the “PainChek” Relying Party Trust claim rules by selecting PainChek and choosing the Edit Claim Rules... option:
Two rules are required for ADFS: User Attributes and Transform NameId.
The User Attributes rule is the one you use to send the claims that PainChek requires; see Configuring Client SSO for the list of claims.
Create this rule using the Send LDAP Attributes as Claims rule template.
Populate the fields as follows:
- Claim rule name: User Attribute (you can name this as you see fit)
- Attribute store: Active Directory
- Mapping of LDAP attributes to outgoing claim types: this will vary depending on which claims you are sending to PainChek, but a typical set of claims is:

LDAP Attribute | Outgoing Claim Type
---|---
E-Mail-Addresses |
Given-Name | FirstName
Surname | LastName
Token-Groups - Unqualified Names | IDPGroupIds
Title | JobTitle
The Transform NameId rule is needed to provide the NameId claim to PainChek.
Note
This transformation is needed to ensure the claim is included in the correct section of the payload submitted to PainChek (the <Subject> element). Simply adding the NameId claim to the list of attributes in the User Attribute claim rule will not work, as those attributes appear in the <AttributeStatement> section of the payload.
Create this rule using the Transform an Incoming Claim rule template.
Populate the fields as follows:
- Claim rule name: Transform NameId (you can name this as you see fit)
- Incoming claim type: UPN
- Outgoing claim type: Name ID
- Outgoing name ID format: UPN
- Pass through all claim values: selected
A certificate must be used to sign the assertions sent to PainChek, so that PainChek can verify that the data it receives genuinely came from your ADFS and has not been modified in transit. The token-signing certificate is managed under Service → Certificates → Add Token-Signing Certificate.
Note that by default ADFS generates self-signed token-signing certificates and rolls them over automatically; whenever the primary token-signing certificate changes, the IDP Certificate configured in PainChek must be updated or signature validation will fail.
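The three steps above, scripted with the ADFS PowerShell module, as an added example that is not part of the original guide or of PainChek's own material. `$AcsUrl` is a placeholder for the ACS URL supplied by PainChek. The outgoing claim type for the e-mail address, which the table above leaves blank, is assumed here to be the standard `emailaddress` claim type; the Name ID format URI is the one ADFS writes for the "UPN" choice in the rule editor, so compare it against the rule text the GUI generates (View Rule Language) if in doubt. Run in an elevated PowerShell session on the ADFS server.

```powershell
# Added example: create the "PainChek" Relying Party Trust and its two claim rules.
# ASSUMPTION: $AcsUrl is a hypothetical placeholder; use the ACS URL supplied by PainChek.
$AcsUrl = 'https://sso.example.invalid/saml/acs'

# Rule 1: "Send LDAP Attributes as Claims" template (User Attribute).
# ASSUMPTION: the e-mail outgoing claim type (blank in the guide) is the standard emailaddress type.
# The other outgoing types are the literal names PainChek expects.
$userAttributeRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "User Attribute"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "FirstName", "LastName", "IDPGroupIds", "JobTitle"), query = ";mail,givenName,sn,tokenGroups,title;{0}", param = c.Value);
'@

# Rule 2: "Transform an Incoming Claim" template (Transform NameId).
# UPN -> Name ID, so the value lands in <Subject>/<NameID> instead of <AttributeStatement>.
# The format property is what ADFS emits for the "UPN" Name ID format choice.
$transformNameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Transform NameId"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "http://schemas.xmlsoap.org/claims/UPN");
'@

# Issuance authorization: permit all authenticated users. Restrict this to a group if only
# some staff should reach PainChek. On ADFS 2016 or later, -AccessControlPolicyName 'Permit everyone'
# can be used instead of this rule.
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# SAML assertion consumer endpoint (HTTP-POST binding) pointing at the PainChek ACS URL.
$endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl

Add-AdfsRelyingPartyTrust -Name 'PainChek' `
    -Identifier $AcsUrl `
    -SamlEndpoint $endpoint `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -IssuanceTransformRules ($userAttributeRule + "`n" + $transformNameIdRule) `
    -IssuanceAuthorizationRules $permitAll

# Check: SHA-256 signature algorithm, identifier, ACS endpoint and both rules are in place.
Get-AdfsRelyingPartyTrust -Name 'PainChek' |
    Select-Object Name, Identifier, SignatureAlgorithm, SamlEndpoints, IssuanceTransformRules |
    Format-List
```

The two rules are concatenated into one rule set, which is exactly what the GUI stores; the verification step at the end shows the resulting trust so the signature algorithm and rule text can be compared with the screenshots.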
When configuring SSO in PainChek, a number of ADFS-sourced fields are required. They can be obtained as follows:

PainChek SSO Instance field | ADFS Source | Example
---|---|---
IDP Metadata URL | https://< hostname >/federationmetadata/2007-06/federationmetadata.xml (see also the note below) | https://organisation.com/federationmetadata/2007-06/federationmetadata.xml
IDP Certificate | The Token-Signing certificate (Base64) | Note we are after the contents between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
IDP Entity Id | Extract from the | http://fs.organisation.com.au/adfs/services/trust
IDP SSO URL | https://< hostname >/adfs/ls. This value can be checked by looking for the | https://organisation.com/adfs/ls
Note
The metadata XML file can be downloaded by accessing the IDP Metadata URL from any browser.
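Collecting the four values in the table above from the federation metadata, as an added example that is not part of the original guide or of PainChek's own material. In SAML metadata the entity ID is the `entityID` attribute of the root `EntityDescriptor`, the SSO URL is the `Location` of the `SingleSignOnService` element (ADFS publishes the same `/adfs/ls/` location for both the HTTP-Redirect and HTTP-POST bindings), and the signing certificate is the `X509Certificate` under the `KeyDescriptor` with `use="signing"`. `$FederationHost` is a placeholder for your federation service hostname. The `Get-AdfsCertificate` cross-check must run on the ADFS server; the rest runs anywhere with HTTPS access to the metadata URL.

```powershell
# Added example: pull the PainChek SSO instance fields out of the ADFS federation metadata
# and cross-check the certificate against the server's primary token-signing certificate.
# ASSUMPTION: $FederationHost is a hypothetical placeholder.
$FederationHost = 'fs.organisation.com.au'
$MetadataUrl = "https://$FederationHost/federationmetadata/2007-06/federationmetadata.xml"

# Download and parse the metadata document (the same file the note above says to download in a browser).
[xml]$md = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
$idp = $md.EntityDescriptor.IDPSSODescriptor

# IDP Entity Id: entityID attribute of the root EntityDescriptor element.
$entityId = $md.EntityDescriptor.entityID

# IDP SSO URL: SingleSignOnService Location for the HTTP-Redirect binding (https://<hostname>/adfs/ls/).
$ssoUrl = ($idp.SingleSignOnService |
    Where-Object Binding -eq 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect').Location

# IDP Certificate: every KeyDescriptor with use="signing". During certificate rollover ADFS
# publishes the secondary certificate here too, so there may be more than one.
$signingCerts = @($idp.KeyDescriptor |
    Where-Object use -eq 'signing' |
    ForEach-Object { $_.KeyInfo.X509Data.X509Certificate -replace '\s', '' })

# Cross-check: the primary token-signing certificate on the server, exported as the Base64
# body that goes between the BEGIN CERTIFICATE / END CERTIFICATE lines.
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$primaryBase64 = [Convert]::ToBase64String($primary.Certificate.Export('Cert'))

[pscustomobject]@{
    'IDP Metadata URL'             = $MetadataUrl
    'IDP Entity Id'                = $entityId
    'IDP SSO URL'                  = $ssoUrl
    'IDP Certificate'              = $primaryBase64
    'Primary cert thumbprint'      = $primary.Thumbprint
    'Metadata lists primary cert'  = ($signingCerts -contains $primaryBase64)
} | Format-List
```

If "Metadata lists primary cert" is false, the metadata endpoint and the server disagree (for example a load balancer is still serving a cached document after a rollover); resolve that before pasting the certificate into PainChek, otherwise assertion signature validation will fail.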