Note: The PainChek App does not support a pop-up window for SSO authentication.

The following screenshot shows a typical Basic SAML Configuration for Azure AD:
Source for the above fields:

| # | Azure AD field | Source | Example |
|---|---|---|---|
| 1 | Identifier (Entity ID) | PainChek SSO instance “ACS URL” field | https://prod.ap.painchek.com/api/sso/acs/109ab39c-020b-4930-802b-d06a2e4390ab/ |
| 2 | Reply URL (Assertion Consumer Service URL) | PainChek SSO instance “ACS URL” field | https://prod.ap.painchek.com/api/sso/acs/109ab39c-020b-4930-802b-d06a2e4390ab/ |
| 3 | Sign On URL | Hard coded | Production server: https://prod.ap.painchek.com/account/login/ ; UAT server: https://ua.ap.painchek.com/account/login/ |
| 4 | Relay State | Hard coded | Production server: https://prod.ap.painchek.com/cloud-portal/dashboard/ ; UAT server: https://ua.ap.painchek.com/cloud-portal/dashboard/ |
| 5 | Logout URL | n/a | Do not populate |
The following screenshot shows the typical Attributes and Claims for Azure AD:

Notes:

- The exact claims used will depend on how you decide to configure the PainChek SSO integration.
- The above configuration is one that relies on AD groups (i.e. the IDPGroupIds claim) to provide role and site details.
Edit the existing claims by renaming the claim [1] and removing the namespace [2], so that each claim name matches the IdP group claim expected by PainChek, e.g.:

If you are using AD groups to provide role and/or site details to PainChek, you will need to add a claim for the security groups you have configured in Active Directory (please note that this example is for an on-premises / Azure hybrid environment). Start by clicking ‘Add a Group Claim’ at the top of the page.

Set the group type [1], the source attribute [2] (see below) and the claim name [3] (set to IDPGroupIds):
You will need to ensure that the SAML signing option is appropriately set. Enter edit mode:

… and change the Signing Option to Sign SAML Response:
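The claim-name and signing settings above only matter for what arrives at the service-provider side, so here is an added example (not PainChek's or Microsoft's code) that inspects a SAML Response the way those settings are consumed: it checks that the Issuer is the expected IdP Entity ID, that the Audience is the PainChek ACS URL / Entity ID, that the group claim is present under the exact name IDPGroupIds (with no namespace prefix left on it), and whether the Signature element sits on the Response (what "Sign SAML Response" produces) or only on the Assertion. The tenant id, instance id, group ids and the XML itself are constructed placeholders. The example locates the Signature element; it does not cryptographically verify it, which a real service provider does with a SAML library and a hardened XML parser.

```python
"""Inspect a SAML Response against the Azure AD / PainChek settings described above."""
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
GROUP_CLAIM = "IDPGroupIds"  # claim name after renaming and removing the namespace

# Constructed placeholders: not a real tenant, PainChek instance or AD group.
IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
SP_ENTITY_ID = "https://prod.ap.painchek.com/api/sso/acs/11111111-1111-1111-1111-111111111111/"
GROUPS = ["aaaaaaaa-0000-0000-0000-000000000001", "aaaaaaaa-0000-0000-0000-000000000002"]

# Signature element with a placeholder value; only its position is examined here.
SIGNATURE = (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo/>'
             '<ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>')


def build_response(signed_at: str = "response") -> str:
    """Constructed minimal Response, signed at 'response', 'assertion' or 'none'."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in GROUPS)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="{SP_ENTITY_ID}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  {SIGNATURE if signed_at == 'response' else ''}
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    {SIGNATURE if signed_at == 'assertion' else ''}
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{GROUP_CLAIM}">{values}</saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def signature_scope(response_xml: str) -> str:
    """Return 'response', 'assertion' or 'none' depending on where ds:Signature sits."""
    root = ET.fromstring(response_xml)
    if root.find("ds:Signature", NS) is not None:
        return "response"
    assertion = root.find("saml:Assertion", NS)
    if assertion is not None and assertion.find("ds:Signature", NS) is not None:
        return "assertion"
    return "none"


def group_ids(response_xml: str, claim: str = GROUP_CLAIM) -> List[str]:
    """Values of the group claim, matched on the exact attribute Name.

    Had the namespace been left on the claim, Name would be a full URI and this
    exact match (which a renamed claim relies on) would find nothing.
    """
    root = ET.fromstring(response_xml)
    found: List[str] = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == claim:
            found.extend((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return found


def check_response(response_xml: str, expected_idp: str, expected_sp: str) -> List[str]:
    """Return a list of configuration problems; an empty list means the Response matches the setup."""
    root = ET.fromstring(response_xml)
    problems: List[str] = []
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_idp:
        problems.append(f"Issuer {issuer!r} does not match IDP Entity Id {expected_idp!r}")
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if expected_sp not in audiences:
        problems.append(f"Audience {audiences} does not include Identifier (Entity ID) {expected_sp!r}")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    if signature_scope(response_xml) != "response":
        problems.append("Response element is not signed; set the Azure AD Signing Option to 'Sign SAML Response'")
    if not group_ids(response_xml):
        problems.append(f"no {GROUP_CLAIM} claim in the assertion; check the claim name and namespace")
    return problems


if __name__ == "__main__":
    for mode in ("response", "assertion", "none"):
        xml = build_response(mode)
        print(mode, signature_scope(xml), group_ids(xml), check_response(xml, IDP_ENTITY_ID, SP_ENTITY_ID))
```

Running the script prints the three signing placements side by side; only the Response-level placement passes `check_response` cleanly, which is the behaviour the Signing Option change above is meant to produce.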
When configuring SSO in PainChek, there are a number of Azure AD sourced fields required:

| # | PainChek SSO instance field | Azure AD source | Example |
|---|---|---|---|
| 1 | IDP Metadata URL | App Federation Metadata URL | |
| 2 | IDP Certificate | Certificate (Base64) | Note: we are after the contents between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- |
| 3 | IDP Entity Id | Azure AD Identifier | https://sts.windows.net/96f6375b-974a-4334-a32f-881844f8f8aa/ |
| 4 | IDP SSO URL | Login URL | https://login.microsoftonline.com/96f6375b-974a-4334-a32f-881844f8f8aa/saml2 |
The above fields are sourced from the Azure AD setup form as shown below (the numbers below correspond to the numbers in the above table):
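The four values in the table above can be read out of the federation metadata document that the App Federation Metadata URL points at rather than copied by hand from the form. The following added example (not PainChek's or Microsoft's code) does that with the Python standard library, normalises a downloaded "Certificate (Base64)" file to the bare body between the BEGIN/END lines that the IDP Certificate field expects, and checks that the downloaded certificate is the same signing certificate the metadata publishes. The metadata XML, tenant id and certificate bytes are constructed placeholders (not a real tenant and not a real X.509 certificate); the metadata URL is taken as a parameter because the page does not show one.

```python
"""Derive PainChek SSO instance fields from Azure AD federation metadata and a PEM certificate."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict

MD_NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

TENANT = "00000000-0000-0000-0000-000000000000"  # constructed placeholder tenant id
# Constructed placeholder: base64 of arbitrary bytes standing in for DER certificate bytes.
FAKE_CERT_BODY = base64.b64encode(b"constructed placeholder, not an X.509 certificate " * 3).decode()

# Constructed metadata document shaped like the one Azure AD publishes for an enterprise app.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS['md']}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{MD_NS['ds']}">
        <X509Data><X509Certificate>{FAKE_CERT_BODY}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT_BINDING}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST_BINDING}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# What the "Certificate (Base64)" download looks like: PEM armour with the body wrapped at 64 columns.
SAMPLE_PEM = "\n".join(
    [PEM_BEGIN] + [FAKE_CERT_BODY[i:i + 64] for i in range(0, len(FAKE_CERT_BODY), 64)] + [PEM_END, ""]
)


def pem_to_base64_body(pem: str) -> str:
    """Strip the BEGIN/END lines and line breaks, leaving the body the IDP Certificate field takes.

    Rejects input that is not a single PEM certificate block or whose body is not clean base64.
    """
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("expected one certificate block delimited by BEGIN/END CERTIFICATE lines")
    body = "".join(lines[1:-1])
    base64.b64decode(body, validate=True)  # raises binascii.Error if the body is not valid base64
    return body


def sha256_thumbprint(base64_body: str) -> str:
    """SHA-256 over the decoded (DER) bytes: the usual way to pin or compare a signing certificate."""
    return hashlib.sha256(base64.b64decode(base64_body, validate=True)).hexdigest().upper()


def painchek_fields_from_metadata(metadata_xml: str, metadata_url: str) -> Dict[str, str]:
    """Map the metadata document onto the four PainChek SSO instance fields."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", MD_NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD_NS)
    if cert is None or not cert.text:
        raise ValueError("metadata has no signing certificate")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", MD_NS)}
    if REDIRECT_BINDING not in sso:
        raise ValueError("metadata has no HTTP-Redirect SingleSignOnService")
    return {
        "IDP Metadata URL": metadata_url,
        "IDP Certificate": "".join(cert.text.split()),  # metadata may wrap the body as well
        "IDP Entity Id": root.get("entityID", ""),
        "IDP SSO URL": sso[REDIRECT_BINDING],
    }


def certificate_matches(pem: str, metadata_xml: str, metadata_url: str = "") -> bool:
    """True when the downloaded certificate is the signing certificate the metadata publishes."""
    downloaded = sha256_thumbprint(pem_to_base64_body(pem))
    published = sha256_thumbprint(painchek_fields_from_metadata(metadata_xml, metadata_url)["IDP Certificate"])
    return downloaded == published


if __name__ == "__main__":
    fields = painchek_fields_from_metadata(SAMPLE_METADATA, "https://<app-federation-metadata-url-placeholder>")
    for name, value in fields.items():
        print(f"{name}: {value[:60]}")
    print("certificate matches metadata:", certificate_matches(SAMPLE_PEM, SAMPLE_METADATA))
    print("signing certificate SHA-256:", sha256_thumbprint(fields["IDP Certificate"]))
```

Comparing the thumbprint of the downloaded certificate with the one in the metadata catches the common mistake of pasting a certificate from a different app registration or an older, rolled-over signing key into the IDP Certificate field.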