SAML Single Sign-On Setup Guide
Table of Contents
- What is Single Sign-On?
- How do I know if SAML SSO is suitable for my Organization?
- How do I start using SAML SSO?
- How does SAML SSO work?
- How long does this Process take?
- Technical Parameters
- SAML Claims Configuration
- Troubleshooting
This document describes the setup process of Single Sign-On to Artera using the SAML protocol. Your Project Manager or Customer Success Representative will partner with you to ensure it has been configured correctly.
What is Single Sign-On?
Single Sign-On (SSO) is an authentication mechanism that enables an end user to access multiple independent applications using a single set of user credentials. It offers users the convenience of signing in only once at the beginning of their day instead of signing in multiple times throughout the day. Additionally, it saves users from the headache of memorizing many usernames and (often weak and insecure) passwords, and it saves your organization’s Help Desk many hours lost to helping individuals reset their passwords. Due to these benefits and many others, SAML is a widely adopted enterprise solution.
How do I know if SAML SSO is suitable for my Organization?
If your organization uses an Identity Provider (IdP) that supports SAML SSO (such as Windows Active Directory or Azure AD), it can benefit from using SAML SSO to sign in to Service Providers (SPs) like Artera and other applications that support SAML SSO.
How do I start using SAML SSO with Artera?
Identify your IdP and the team members who can access it.
Send your IdP metadata to Artera.
Artera loads your metadata into our SP.
Receive Artera’s SP metadata.
Load Artera’s SP metadata into your IdP.
Configure Artera’s required SAML claims in your IdP.
This metadata exchange establishes trust between your IdP and Artera, which ensures that future communications between your IdP and Artera are secure. The SAML claim configuration ensures that those future communications include all the necessary information for your end users to successfully log in to Artera. See the Technical Parameters section for more details about what IdP metadata Artera will need from you, what SP metadata you will need from Artera, and what SAML Claims you will need to configure in your IdP.
How does SAML SSO work?
An End User enters their email address at the Artera login screen.
Artera recognizes the End User has been registered with a SAML connection.
Artera redirects the End User to their organization’s IdP. A SAML Request is sent along with the redirect.
The IdP receives the SAML Request, recognizes that it comes from a trusted SP, and checks if the End User has an active session with the IdP. If not, the IdP displays its login screen to the End User.
If needed, the End User submits their user credentials at their IdP’s login screen.
The IdP redirects the authenticated End User to Artera. A SAML Response containing the SAML claims configured in the initial setup is sent along with the redirect.
Artera receives the SAML Response, recognizes that it comes from a trusted IdP, and uses the included SAML claims to identify and authenticate the End User into Artera.
How long does this Process take?
If you are initially implementing Artera, this can happen in parallel with the project management process. If you are already live with Artera, the process takes 4-6 weeks from the initial request to go-live. Most of this time is spent testing the SSO setup.
Technical Parameters
Metadata Exchange
SAML metadata is commonly exchanged in the form of XML files or URLs that carry XML files, but Artera recommends and prefers working with the individual attributes that collectively make up SAML metadata.
SP Metadata you will need from Artera
Artera will provide you with two sets of the following SP metadata attributes – one set for Artera’s Production environment and one set for Artera’s Demo environment:
- Entity ID: Your IdP uses the Entity ID to uniquely identify Artera’s SAML SP.
- Assertion Consumer Service URL: Your IdP redirects end users to the Assertion Consumer Service (ACS) URL after the end user has successfully authenticated with your IdP. This is the location where Artera receives SAML Responses and uses the included SAML Claims to identify and authenticate the end user into Artera.
If your organization has specific security requirements surrounding SAML SSO, please share that information with your Artera Representative. Depending on the requirements, there may be additional SP metadata you will need from Artera.
You should be able to input these SP metadata attributes when you create a new SAML application in your IdP. These SP metadata attribute names and this process often vary slightly between different IdP solutions. Please consult your IdP’s documentation if you have any preliminary questions.
IdP Metadata Artera will need from you
Please provide Artera with the following IdP metadata attributes:
- Sign In URL: Artera redirects end users to your IdP’s Sign In URL when they want to log in to Artera. This is the location where your IdP processes SAML Requests and asks the end user to log in if they do not already have an active session with your IdP.
- Signing Certificate in PEM or CER file format: Artera uses your IdP’s Signing Certificate to verify the authenticity of communications coming from your IdP.
You should be able to find these IdP metadata attributes in the SAML application you created in your IdP for Artera Messenger. If you have not created a SAML application in your IdP for Artera Messenger yet, refer to the previous section SP metadata you will need from Artera to gather the information required to create one. These IdP metadata attribute names and this process often vary slightly between different IdP solutions. Please consult your IdP’s documentation if you have any preliminary questions.
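The two IdP metadata attributes listed above are usually embedded in the IdP metadata XML that your IdP exports. The script below, an added example and not Artera's code, pulls the Sign In URL (the `SingleSignOnService` endpoint) and the signing certificate (the `KeyDescriptor` with `use="signing"`) out of such a file and rewraps the certificate as a PEM block of the kind this guide asks for. The metadata document, hostnames and certificate body are constructed placeholders.

```python
"""Pull the Sign In URL and signing certificate out of SAML 2.0 IdP metadata.

Added example, not Artera's code. The metadata below is constructed: the
hostnames are placeholders and the certificate body is not a real certificate.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder certificate body: valid base64, but not a real DER certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"placeholder, not a real certificate " * 5).decode()

# Constructed IdP metadata in the shape most IdPs export it.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST_BINDING}" Location="https://idp.example.org/sso/post"/>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}" Location="https://idp.example.org/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(cert_b64: str) -> str:
    """Re-wrap the bare base64 from metadata into a .pem/.cer style block."""
    base64.b64decode(cert_b64, validate=True)  # reject a garbled copy/paste early
    lines = [cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_idp_attributes(metadata_xml: str) -> dict:
    """Return the entity ID, Sign In URL and signing certificate(s) from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    # Sign In URL: the SingleSignOnService endpoint. Prefer HTTP-Redirect, which is
    # the binding an SP uses when it redirects the browser with a SAML Request.
    by_binding = {s.get("Binding"): s.get("Location")
                  for s in idp.findall("md:SingleSignOnService", NS)}
    sign_in_url = by_binding.get(REDIRECT_BINDING) or by_binding.get(POST_BINDING)
    if not sign_in_url:
        raise ValueError("no SingleSignOnService with an HTTP-Redirect or HTTP-POST binding")

    # Signing certificate: KeyDescriptor use="signing". A KeyDescriptor with no
    # 'use' attribute is valid for both signing and encryption, so include it too.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))  # drop line breaks/indent
    if not certs:
        raise ValueError("no signing certificate found in metadata")

    return {
        "entity_id": root.get("entityID"),
        "sign_in_url": sign_in_url,
        "signing_certs_pem": [to_pem(c) for c in certs],
    }


if __name__ == "__main__":
    attrs = extract_idp_attributes(SAMPLE_IDP_METADATA)
    print("Entity ID:  ", attrs["entity_id"])
    print("Sign In URL:", attrs["sign_in_url"])
    print(attrs["signing_certs_pem"][0])
```

Run it against the metadata file your IdP exported instead of `SAMPLE_IDP_METADATA` to get the exact values to hand over. If the IdP lists more than one signing certificate (typical during a certificate rollover), send all of them, since a Response signed with the newer one will fail verification until it is trusted.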
SAML Claims Configuration
When a user authenticates to Artera through their IdP using the SAML protocol, the IdP sends a SAML Response to Artera. Artera validates and uses the SAML Response to sign the user in. SAML Responses contain pieces of information about the user known as SAML claims.
Artera requires that your IdP includes the following SAML claims in its SAML Responses:
- Name Identifier (Name ID): The Name ID SAML Claim should be an immutable, globally unique, non-reusable identifier of the user.
- Email: The Email Address SAML Claim should be the primary email address that your users will use to log in to Artera.
Troubleshooting
- Issue: When users enter an email address at the Artera login screen, they are sent a login code to their email instead of being redirected to their IdP’s login page.
  - Reason: Artera has not yet created or enabled a SAML connection for your organization.
  - Solution: Confirm with your Artera representative that the necessary steps to create or enable a new SAML connection have been completed.
- Issue: A user enters their email and password at their IdP’s login screen and receives an error on their IdP’s login screen.
  - Reason: There is an issue with your IdP.
  - Solution: Artera has no control over your IdP. Work with your organization’s technical resources to resolve the issue.
- Issue: A user enters their email and password at their IdP’s login screen and is authenticated successfully. They are then redirected back to the Artera login screen instead of being logged in to the Artera home page.
  - Reason: Artera received an unexpected response from the IdP during the redirect.
  - Solution: Ensure the IdP is configured to include the authenticated user’s email address in the SAML Response. Also, ensure that the user is authorized to access Artera and has an Artera account.
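The claims listed under SAML Claims Configuration and the third troubleshooting issue above describe the same thing from two sides: the SP only signs a user in when the SAML Response carries a usable Name ID and an email, and the IdP is the party that must put them there. The script below, an added example and not Artera's code, is a minimal SP-side check of a SAML Response for exactly those claims, plus the audience and validity-window checks any SP performs before trusting an assertion. It assumes the XML signature has already been verified by the SAML library in use (nothing here checks signatures), and the set of attribute names accepted for the email claim is an assumption, since the guide does not fix the attribute name and IdPs differ. Entity IDs, timestamps and the user record are constructed placeholders.

```python
"""SP-side check of a SAML Response for the claims Artera requires.

Added example, not Artera's code. Assumes the XML signature was already
verified by the SAML library in use. Entity IDs, times, the user record and
the accepted email attribute names are constructed placeholders/assumptions.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# Assumption: IdPs name the email claim differently; accept the usual candidates.
EMAIL_ATTRIBUTE_NAMES = (
    "email",
    "mail",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
)
SP_ENTITY_ID = "https://sp.example.com/saml"  # placeholder SP entity ID


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


SAMPLE_NOW = parse_saml_time("2024-01-01T12:00:00Z")  # constructed "current time"


class SamlClaimError(ValueError):
    """The Response cannot be used to sign the user in."""


def extract_required_claims(response_xml: str, expected_audience: str, now: datetime) -> dict:
    root = ET.fromstring(response_xml)

    # 1. The IdP must report success; a failed login still produces a Response.
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise SamlClaimError("IdP did not report a successful authentication")

    # 2. Act on exactly one assertion.
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlClaimError(f"expected one Assertion, found {len(assertions)}")
    assertion = assertions[0]

    # 3. Conditions: the assertion is for this SP and inside its validity window.
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise SamlClaimError("Assertion has no Conditions")
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        raise SamlClaimError("Assertion is not yet valid")
    if not_on_or_after and now >= parse_saml_time(not_on_or_after):
        raise SamlClaimError("Assertion has expired")
    audiences = [a.text.strip() for a in
                 conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        raise SamlClaimError("Assertion is not addressed to this SP")

    # 4. Name ID: present, and not a transient (per-session) value, which cannot
    #    serve as the immutable, non-reusable identifier the guide requires.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise SamlClaimError("Name ID claim is missing")
    if name_id.get("Format") == NAMEID_TRANSIENT:
        raise SamlClaimError("Name ID is transient; an immutable, non-reusable identifier is required")

    # 5. Email: the attribute may appear under any of the usual names.
    email = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") in EMAIL_ATTRIBUTE_NAMES:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text and value.text.strip():
                email = value.text.strip()
                break
    if email is None:
        raise SamlClaimError("Email claim is missing from the SAML Response")

    return {"name_id": name_id.text.strip(), "email": email}


def build_sample_response(include_email: bool = True) -> str:
    """Constructed Response; include_email=False reproduces the missing-claim case."""
    email_attr = ""
    if include_email:
        email_attr = ('<saml:AttributeStatement><saml:Attribute Name="email">'
                      '<saml:AttributeValue>jane.doe@example.org</saml:AttributeValue>'
                      '</saml:Attribute></saml:AttributeStatement>')
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_assn-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-object-id-0001</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    {email_attr}
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(extract_required_claims(build_sample_response(True), SP_ENTITY_ID, SAMPLE_NOW))
    try:
        extract_required_claims(build_sample_response(False), SP_ENTITY_ID, SAMPLE_NOW)
    except SamlClaimError as err:
        print("rejected:", err)  # the case behind troubleshooting issue 3
```

The second call in the `__main__` block is the third troubleshooting issue in miniature: the IdP authenticated the user and signed a well-formed assertion, but without an email attribute the SP has nothing to match against an account, so the user lands back on the login screen. When debugging that symptom, decode the posted Response and look for the `AttributeStatement` before looking anywhere else.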