SSO Guidance and Configuration

This article reviews the setup and configuration process for Single Sign-On (SSO).

Updated by Amelia Boyer

Healthy Roster's Single Sign-On (SSO) features currently work with most OAuth2-based Identity Providers (IdPs). With OAuth2, we use the Authorization Code grant flow, which includes the following steps:

All provider users MUST have the same email domain for SSO to be successful. If you have providers with mixed email domains, the SSO integration will not work.
  1. A user visits https://dashboard.healthyroster.com/Account/IdpLogin and is prompted to enter their email address.
  2. The user enters their email address, and the system looks up the authentication information associated with their account.
  3. The user will be redirected to the login page for their configured Identity Provider (IdP).
  4. The user will authenticate using whatever means is required by their IdP.
  5. The Identity Provider will redirect the user back to Healthy Roster, including an authorization code indicating the user has successfully authenticated.
  6. The Healthy Roster system will submit the authorization code to the IdP in exchange for an identity token and access token.
  7. The Healthy Roster system validates that the token and the supplied user account are valid and active. If so, the login process completes, and the user is allowed access to the Healthy Roster system.

Important Considerations

Here are some important considerations when exploring the viability of SSO with your Healthy Roster usage.

First, Healthy Roster leverages this SSO process only for user authentication, not authorization. User roles, permissions, and feature access are managed within the Healthy Roster platform. These user accounts must first be provisioned within the Healthy Roster system.

Second, accounts must share the same email address between both the Healthy Roster system and the IdP.

Configuration

To support Single Sign-On, customers are required to configure their IdP as an OAuth2-based Identity Provider. NOTE: Healthy Roster does not support SAML-based configuration at this time.

Your IdP configuration should include the following:
  1. The Redirect URI for a successful login should be:
    1. Production: https://dashboard.healthyroster.com/account/idplogin
    2. Testing / Sandbox: https://dashboard-demo.healthyroster.com/account/idplogin
    3. Note! For some systems, the URI is case-sensitive.
  2. The inclusion of an email claim for the user is required.
  3. Note! If you choose to restrict authentication requests for specific browser types, you must permit the following for mobile access:
    1. iOS: User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148

For Healthy Roster to complete SSO configuration for your account, we will require the following information:
  1. The Client ID to use when making requests to your IdP
  2. The Shared Secret to use when making requests to your IdP
  3. The authorize and token URI endpoints to your IdP
    1. Example: https://sso.mydomain.com/adfs/oauth2/authorize
    2. Example: https://sso.mydomain.com/adfs/oauth2/token
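The following is an added example, not code from Healthy Roster, showing the relying-party side of the Authorization Code flow described above together with the checks the configuration section implies (exact redirect URI, a required email claim, a single permitted email domain, and authentication-only against already-provisioned accounts). The Client ID, endpoint URLs and account table are constructed placeholders; ID-token signature verification is assumed to have happened before `validate_login` is called.

```python
import secrets
from urllib.parse import urlencode

# Constructed sample values: a real deployment uses the Client ID, Shared Secret
# and endpoints issued by the customer's IdP (only example endpoint URLs are on the page).
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://dashboard.healthyroster.com/account/idplogin"
AUTHORIZE_URI = "https://sso.mydomain.com/adfs/oauth2/authorize"

def build_authorize_url(state: str) -> str:
    """Step 3: build the redirect to the IdP. `state` must be fresh and unguessable
    (e.g. secrets.token_urlsafe(32)) and stored in the user's session."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI,  # must match the registered URI exactly
              "scope": "openid email", "state": state}
    return f"{AUTHORIZE_URI}?{urlencode(params)}"

def token_request_body(code: str, client_secret: str) -> dict:
    """Step 6: form fields POSTed to the IdP token endpoint to redeem the code."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "client_secret": client_secret}

def validate_login(claims: dict, expected_state: str, returned_state: str,
                   required_domain: str, provisioned: dict) -> tuple:
    """Step 7: decide whether the authenticated identity may log in.
    `claims` is the payload of an ID token whose signature was already verified;
    `provisioned` maps lower-cased email -> {"active": bool} for existing accounts."""
    if not secrets.compare_digest(expected_state, returned_state):
        return False, "state mismatch"              # callback not bound to our request
    email = claims.get("email")
    if not email:
        return False, "email claim missing"         # configuration item 2
    email = email.lower()
    if email.rpartition("@")[2] != required_domain.lower():
        return False, "email domain not permitted"  # single shared email domain rule
    account = provisioned.get(email)
    if account is None:
        return False, "account not provisioned"     # SSO authenticates, never creates
    if not account.get("active"):
        return False, "account inactive"
    return True, email
```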
