SAML 2 SSO Integration
Tendo Marketplace allows users to use single sign-on (SSO) to log in to mdsave.com.
Tendo Marketplace can be configured as a Service Provider (SP) that integrates with an external Identity Provider (IdP) using the SAML 2.0 protocol, so that users can log in to Tendo Marketplace with an active session from their IdP (such as Active Directory, Imprivata, etc.). This is a generic guide for configuring an identity provider to connect to Tendo Marketplace as a service provider through SAML 2.0.
If you’re interested in enabling single sign-on for your organization, contact your Tendo Marketplace account manager.
Current Options
SAML SSO through an Identity Provider (such as Okta, Imprivata, Active Directory)
Tendo Marketplace allows an organization to configure its identity provider to log users in directly to mdsave.com without using a password. This works using the SAML 2 protocol.
FHIR SSO (through Epic)
Tendo Marketplace allows users to use FHIR SSO to log in to mdsave.com through their Electronic Health Record (EHR). Currently, we only support Epic.
Configuring the Identity Provider
Here are the values that need to be configured in the IdP. The raw XML (the service provider metadata) containing all of this information can be retrieved directly from this URL: https://www.mdsave.com/saml/metadata/{idp_key}
A SAML2 service provider will need to be configured in the external IdP with these values:
- Identifier/Entity Id: https://www.mdsave.com/sp
- Reply URL (Consumer/Service Callback URL): https://www.mdsave.com/saml/callback/{idp_key}
- Sign on URL (optional): https://www.mdsave.com/saml/init/{idp_key}
- Relay State (optional): N/A
- Logout URL (optional): N/A
Notes:
- Tendo expects the user's email address to be mapped to the nameid field of the SAML claim; this is the only user identifier that is required.
- Tendo expects the SAML response to be signed with a certificate, which will need to be provided to Tendo to complete configuration.
Configuration Needed by Tendo
A similar configuration process is needed by Tendo to complete the integration. The following values are needed from the Identity Provider.
- Identifier/Entity Id
- SSO URL
- x509 Certificate used to sign SAML responses
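The values exchanged above (SP Entity Id, Reply URL, IdP Entity Id, signing certificate, email in nameid) are exactly what the service provider has to check on every SAML response. The following is an added example, not Tendo's code, that performs those checks on a constructed response with Python's standard library; the IdP Entity Id, the sample email and the timestamps are assumed values, and only the presence of the signature is checked because cryptographic XML-DSig verification needs a dedicated library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Values from the SP configuration above; {idp_key} is the per-customer placeholder.
SP_ENTITY_ID = "https://www.mdsave.com/sp"
ACS_URL = "https://www.mdsave.com/saml/callback/{idp_key}"
IDP_ENTITY_ID = "https://idp.example.org/saml"  # assumed value of the IdP's Entity Id

def check_response(xml_text, now):
    """Return (ok, reason, email): Destination == Reply URL, Issuer == IdP Entity Id,
    Audience == SP Entity Id, validity window, signature present, NameID is an email."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a samlp:Response", None
    if root.get("Destination") != ACS_URL:
        return False, "Destination is not the Reply URL", None
    a = root.find("saml:Assertion", NS)
    if a is None:
        return False, "no Assertion", None
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "unexpected Issuer", None
    # Presence only: cryptographic XML-DSig verification against the IdP's x509
    # certificate is REQUIRED before any value in this document can be trusted.
    if root.find("ds:Signature", NS) is None and a.find("ds:Signature", NS) is None:
        return False, "response is not signed", None
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.findtext("saml:AudienceRestriction/saml:Audience",
                                     namespaces=NS) != SP_ENTITY_ID:
        return False, "Audience is not the SP Entity Id", None
    ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    if not (ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window", None
    nameid = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if "@" not in nameid:
        return False, "NameID does not carry an email address", None
    return True, "ok", nameid.lower()  # normalised for matching the provisioned account

# Constructed sample response (not a real capture); the ds:Signature body is elided.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" Destination="{ACS_URL}">
 <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><ds:Signature/>
  <saml:Subject><saml:NameID>Jane.Doe@hospital.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)  # inside the window
```

Calling check_response(SAMPLE, SAMPLE_NOW) returns (True, "ok", "jane.doe@hospital.example"); changing the Destination, Audience, timestamps or removing the Signature element makes it fail closed with the matching reason.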
Testing
Once it has been configured, we can test the SSO connection end-to-end:
- Find a user who has an account provisioned with Tendo under the same email address used for their external IdP login.
- Ensure the user is logged out of mdsave.com in their browser.
- Have the user go to this URL in their browser: https://www.mdsave.com/saml/init/{idp_key}
- Validate that the user is logged in to mdsave.com after all of the redirects (logging into the IdP if needed).
How to Use
- The SSO initiator URL (https://www.mdsave.com/saml/init/{idp_key}) can be bookmarked in a user’s browser or their system landing page, etc. Clicking this link will launch the SSO connection and will log the user directly into Tendo Marketplace if they are provisioned with an account that matches their email address.
- The SSO connection can also be launched directly from mdsave.com. In the Sign-in dropdown, if a user enters an email address that is tied to the IdP, Tendo Marketplace can be configured to ask the user whether they want to sign in using SSO. If they choose that option, the SSO process is initiated and the user is signed in through the external IdP over the SAML connection.
Questions/Issues
Please feel free to reach out to Tendo Support, your Tendo Marketplace account manager, or the Tendo engineering team if you have questions, SSO issues, or for future maintenance requests (certificate rotation, etc).