SAML 2 SSO Integration

Tendo Marketplace (MDsave) lets users log in to mdsave.com with Single Sign-On (SSO), which is faster and easier than entering an email and password. It is also more secure, because the user's credentials stay with their organization's identity provider rather than being entered into a separate password form.

Tendo Marketplace can be configured as a Service Provider (SP) that integrates with an external Identity Provider (IdP) using the SAML 2 protocol, so that users can log in to Tendo Marketplace with an active session from their IdP (Active Directory, Imprivata, etc.). This is a generic guide for configuring an Identity Provider to connect to MDsave as a service provider through SAML 2.0.

If you’re interested in enabling single sign-on for your organization, contact your Tendo Marketplace account manager.

Current Options

SAML SSO through an Identity Provider (such as Okta, Imprivata, Active Directory)

Tendo allows customers to configure their identity provider so that users are logged in to MDsave directly, without using a password.

This works using the SAML 2 protocol.

FHIR SSO (through Epic)

Tendo allows users to use FHIR SSO to log in to MDsave through their Electronic Health Record (EHR). Currently, we only support Epic.

Configuring the Identity Provider

Here are the values that need to be configured in the IdP. The raw XML containing all this information can be retrieved directly using this URL: https://www.mdsave.com/saml/metadata/{idp_key}

A SAML2 service provider will need to be configured in the external IdP with these values:

  • Identifier/Entity Id
    • https://www.mdsave.com/sp
  • Reply URL (Consumer/Service Callback URL)
    • https://www.mdsave.com/saml/callback/{idp_key}
  • Sign on URL (optional)
    • https://www.mdsave.com/saml/init/{idp_key}
  • Relay State (optional)
    • N/A
  • Logout URL (optional)
    • N/A

Notes:

  1. Tendo expects the user's email address to be mapped to the NameID field of the SAML assertion; this is the only user identifier that is required.
  2. Tendo expects the SAML response to be signed. The signing certificate will need to be provided to Tendo to complete configuration.

Configuration needed by Tendo

A similar configuration process is needed by Tendo to complete the integration. The following values are needed from the Identity Provider.

  • Identifier/Entity Id
  • SSO URL
  • x509 Certificate used to sign SAML responses
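As an added example (not part of this guide or Tendo's code), the following PowerShell pre-flight check covers both the two Notes above and the values listed in this section: it reads a SAML response captured from the IdP (for example from a browser SAML tracer, base64-decoded) and reports whether the Destination, Audience and NameID match what MDsave expects, whether a Signature element is present, and which Entity Id the IdP reported. The response below is constructed for the example, with a placeholder Signature; it assumes the idp_key "wellspan" used in the Testing section, and only the SP can verify the real signature.

```powershell
# Constructed sample SAML response; replace with a captured, base64-decoded one.
$IdpKey = "wellspan"
$samlResponse = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="https://www.mdsave.com/saml/callback/wellspan">
  <saml:Issuer>http://adfs.example.org/adfs/services/trust</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.org/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.org</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://www.mdsave.com/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"@

[xml]$doc = $samlResponse
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace("samlp", "urn:oasis:names:tc:SAML:2.0:protocol")
$ns.AddNamespace("saml",  "urn:oasis:names:tc:SAML:2.0:assertion")
$ns.AddNamespace("ds",    "http://www.w3.org/2000/09/xmldsig#")

$issuer      = $doc.SelectSingleNode("/samlp:Response/saml:Issuer", $ns).InnerText   # IdP Entity Id
$nameId      = $doc.SelectSingleNode("//saml:Subject/saml:NameID", $ns)
$audience    = $doc.SelectSingleNode("//saml:Audience", $ns).InnerText
$destination = $doc.DocumentElement.GetAttribute("Destination")
$signed      = $null -ne $doc.SelectSingleNode("//ds:Signature", $ns)   # presence only, not verification

# Each check corresponds to a value MDsave expects per this guide.
$checks = [ordered]@{
  "Destination is the Reply URL for this idp_key" = $destination -eq "https://www.mdsave.com/saml/callback/$IdpKey"
  "Audience is the MDsave Entity Id"              = $audience -eq "https://www.mdsave.com/sp"
  "NameID format is emailAddress"                 = $nameId.GetAttribute("Format") -eq "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  "NameID value looks like an email address"      = $nameId.InnerText -match '^[^@\s]+@[^@\s]+\.[^@\s]+$'
  "Response carries a Signature element"          = $signed
}
foreach ($c in $checks.GetEnumerator()) {
  $status = if ($c.Value) { "PASS" } else { "FAIL" }
  "$status  $($c.Key)"
}
"IdP Entity Id to give Tendo: $issuer"
```

A FAIL on the NameID checks usually means the IdP's outgoing claim mapping (email to Name ID) is missing, which is the most common cause of SSO landing on an "account not found" result.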

Testing

Once it has been configured, we can test the SSO connection end-to-end:

  1. Find a user that has an account provisioned with Tendo with the same email used in their external IdP login.
  2. Ensure the user is logged out of mdsave.com in their browser.
  3. Have the user go to this URL in their browser: https://www.mdsave.com/saml/init/wellspan
  4. Validate that the user is logged in to mdsave.com after all of the redirects (logging into the IdP if needed).

How to Use

  1. The SSO initiator URL (https://www.mdsave.com/saml/init/wellspan) can be bookmarked in a user’s browser or their system landing page, etc. Clicking this link will launch the SSO connection and will log the user directly into Tendo Marketplace if they are provisioned with an account that matches their email address.
  2. The SSO connection can also be launched directly from mdsave.com. In the Sign-in dropdown, if a user enters an email address that is tied to the IdP, Tendo Marketplace can be configured to ask the user whether they want to sign in using SSO. If they choose that option, the SSO process is initiated and the user is signed in by the external IdP over the SAML connection.

Questions/Issues

Please feel free to reach out to Tendo Support, or your account manager if you have questions, issues, or for future maintenance requests (certificate rotation, etc).

Tendo Marketplace supports SAML single sign-on for customers using a variety of identity providers.

Prerequisites

MDsave will work with versions of AD FS that support SAML-based single sign-on. Before starting, be sure you meet the following requirements:

  • An Active Directory where all users have an email address. This address will be used as their mdsave.com login.
  • A server running Microsoft Server 2008 or 2012.
  • An SSL certificate to sign your AD FS login page.

Install AD FS

If you do not already have Active Directory Federation Services configured for your organization, you’ll need to do so before proceeding. You can use this Microsoft KB article to get started if needed.

When you install AD FS, note the following:

  • The thumbprint of the SSL certificate you use for token signing.
  • The “SAML 2.0/WS-Federation” URL from the Endpoints section of the AD FS service configuration. The default value for this URL is “/adfs/ls”.

Create a New Relying Party Trust

Adding a relying party trust configures AD FS to provide information about authenticated users to Tendo Marketplace in order to log them into their accounts. Complete the following steps to create a Relying Party Trust:

  1. From Server Manager, select Tools > AD FS Management.
  2. In the AD FS manager, expand AD FS and Trust Relationships in the Console Tree and then select Relying Party Trusts.
  3. Select “Add Relying Party Trust…” in the Action Pane.
  4. In the wizard that follows, select “Enter data about the relying party manually”.
  5. Enter “MDsave Direct” as the display name.
  6. Select “AD FS Profile” as the configuration profile.
  7. Click “Next” on the configure certificate step (all claims will be sent via SSL even without a custom certificate).
  8. Check “Enable support for the SAML 2.0 WebSSO protocol” and enter “https://www.mdsave.com/saml/callback” as the service URL.
  9. Enter “https://www.mdsave.com/sp” as the Relying Party Trust Identifier.
  10. Skip enabling multi-factor authentication. (You may use multi-factor authentication, but configuration support is not provided.)
  11. Select “Permit all users to access the relying party”. (You may use more fine-grained permissions if desired, but configuration support is not provided.)
  12. Review the configuration on the final screen of the wizard, and check the “Open the Edit Claims Rules dialog…” box before proceeding.

Configure AD FS to Use Email Addresses as Usernames

MDsave Direct uses email addresses as the primary username. You must configure AD FS to populate the Name ID of the SAML assertion with the email address from Active Directory.

  1. In the “Issuance Transform Rules” tab of the Claim Rules dialog, select “Add Rule…”
  2. Select the “Send LDAP Attributes as Claims” option.
  3. Enter “LDAP Email” as the rule name, “Active Directory” as the attribute store, “E-Mail-Addresses” as the LDAP attribute, and “E-Mail Address” as the corresponding outgoing claim type. Select OK.
  4. Select “Add Rule…” again and select the “Transform an Incoming Claim” option.
  5. Enter “Email Transform” as the rule name, “E-Mail Address” as the incoming claim type, “Name ID” as the outgoing claim type, and “Email” as the outgoing claim ID format.
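As an added example (not from this guide or Tendo's own tooling), the relying party trust from the wizard steps above and the two claim rules from this section can be created with the AD FS PowerShell module instead of the GUI. It assumes an elevated session on the AD FS server and uses the values given in this guide (“MDsave Direct”, https://www.mdsave.com/sp, https://www.mdsave.com/saml/callback); it ends by printing the thumbprint and SSO URL that the “Provide Configuration Settings to MDsave” section asks for.

```powershell
Import-Module ADFS

# Step 8: assertion consumer (Reply) endpoint, HTTP-POST binding.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri "https://www.mdsave.com/saml/callback" -Index 0

# Claim rule language equivalents of the two rules created in the dialog:
#  "LDAP Email"      - read the AD mail attribute into the E-Mail Address claim
#  "Email Transform" - copy it into Name ID with the emailAddress format, which is
#                      the identifier MDsave uses to match the user's account
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 11: "Permit all users to access the relying party".
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name "MDsave Direct" `
    -Identifier "https://www.mdsave.com/sp" `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $rules `
    -IssuanceAuthorizationRules $permitAll

# Confirm the trust, then print the two values Tendo asks for:
# the Token-Signing certificate thumbprint and the SSO URL of this AD FS server.
Get-AdfsRelyingPartyTrust -Name "MDsave Direct" | Select-Object Name, Identifier, SamlEndpoints
(Get-AdfsCertificate -CertificateType Token-Signing).Certificate.Thumbprint
"https://$((Get-AdfsProperties).HostName)/adfs/ls"
```

Keeping the rules in source control this way also makes certificate rotation and later audits easier, since the exact claim mapping sent to MDsave is recorded as text rather than only in the GUI.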

Configure Single Sign Out (In Development)

Note that MDsave does not yet support single sign out, and these settings are in development. However, adding these settings now will enable you to use single sign out when it is released.

If you would like users to be logged out of Tendo Marketplace when they log out of AD FS, complete the following:

  1. Select “MDsave Direct” within Trust Relationships > Relying Party Trusts.
  2. Select “Properties” from the Action Pane or by right-clicking.
  3. Select the “Endpoints” tab.
  4. Select “Add SAML”.
  5. Select “SAML Logout” as the endpoint type.
  6. Select “Redirect” for the binding type.
  7. Enter your service URL with the parameter “wa=wsignout1.0”, e.g., https://<your server url>/adfs/ls?wa=wsignout1.0.
  8. Enter https://www.mdsave.com/user/logout for the “Response URL”.

Enable Any Desired Authentication Policies

If the web browser your employees use to access Tendo Marketplace does not support Windows integrated login, you must also allow users to log in via a web form with their Active Directory credentials (Forms Authentication), in addition to the Windows login integration.

  1. In the AD FS Manager, select AD FS and then Authentication Policies in the Console Tree.
  2. Select “Edit Global Primary Authentication…” in the Action Pane.
  3. Enable “Forms Authentication” as desired.

If you are using “Windows Authentication”, you should also ensure that your users’ browsers are set up to use Windows Integrated Authentication (the default for IE; it needs to be enabled for Chrome and Firefox), that your AD FS server is included in the Intranet zone for Internet Explorer, and that automatic login is enabled. Browser configuration is beyond the scope of this guide, but you may find this article from Microsoft useful.

Provide Configuration Settings to MDsave

At this point, Tendo will enter your configuration settings to complete the SSO configuration. Provide the following to your Tendo account manager.

  • The fingerprint (thumbprint) of the certificate you used to set up AD FS. (You can get this by entering Get-AdfsCertificate in Windows PowerShell on the Windows Server instance and reading the thumbprint of the Token-Signing certificate.)
  • The SSO URL for your AD FS server. This will be something like https://<your server url>/adfs/ls.

Conduct Acceptance Testing

Once Tendo has applied your configuration, your account manager will reach out to schedule an acceptance testing session. At the conclusion of this session, you’ll be provided with a URL that you can use to initiate login to Tendo Marketplace using your custom SSO endpoint.