OKTA SSO Integration
![[Deleted User]](https://w7.vanillicon.com/v2/7dff26a9d468db847108da180a72c800.svg)
Version 2: 3/20/2024
Configuring SAML 2.0 for Bluesight
SAML Metadata Public URL
The customer must provide Bluesight with the SAML Metadata Public URL for their Identity Provider (IdP) service and optionally for their test/integration service if so desired.
Note: a public URL is highly preferred. If the customer provides an actual file, please ask them to provide the link to their public metadata before using the actual file. If they say they don’t have a public URL, then use the file
Required Claims
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | user.mail |
|---|---|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | user.firstname |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | user.lastname |
SAML Setting
Production Environment
Single Sign-on URL | https://kitcheck-production.auth.us-east-1.amazoncognito.com/saml2/idpresponse |
|---|---|
Use this Recipient URL and Destination URL | Checked |
Allow this app to request other SSO URLs | Unchecked |
Audience URI (SP Entity ID) | urn:amazon:cognito:sp:us-east-1_R3Al6cNsv |
Default Relay State | Blank |
Name ID Format | Persistent |
Application Username | |
Single Logout URL | https://kitcheck-production.auth.us-east-1.amazoncognito.com/saml2/logout |
Integration Environment
Single Sign-on URL | https://kitcheck-integration.auth.us-east-1.amazoncognito.com/saml2/idpresponse |
|---|---|
Use this Recipient URL and Destination URL | Checked |
Allow this app to request other SSO URLs | Unchecked |
Audience URI (SP Entity ID) | urn:amazon:cognito:sp:us-east-1_XwkuaV5FA |
Default Relay State | Blank |
Name ID Format | Persistent |
Application Username | |
Single Logout URL | https://kitcheck-integration.auth.us-east-1.amazoncognito.com/saml2/logout |
User Management
Our SAML integration only supports the authentication of users. Authorization (whether the user can actually use the application and what permissions they have) is still handled by Cont. As such, user accounts still need to be created in Bluesight/ControlCheck and the user’s email must match that returned by the hospital’s ADFS. If either of these requirements is not met, the user will not be able to log in to Bluesight/ControlCheck.
In terms of removing users, IT can prevent a user from accessing Bluesight by disabling/removing their ADFS account. However, it will not remove the user in the Bluesight database. When implementing the Bluesight/ControlCheck SAML integration, hospitals should consider what their strategy should be to delete accounts from Bluesight/ControlCheck on a regular basis.