OKTA SSO Integration

Leslie James (admin, 323 posts)
edited March 20 in SSO

Version 2: 3/20/2024

Configuring SAML 2.0 for Bluesight

SAML Metadata Public URL

The customer must provide Bluesight with the SAML Metadata Public URL for their Identity Provider (IdP) service and, optionally, for their test/integration service if they want one connected.

Note: a public URL is highly preferred. If the customer provides an actual file, ask them for the link to their public metadata before using the file. Only if they say they don't have a public URL should the file be used.

Required Claims

The IdP must send the following three attributes. The SP matches each claim name as an exact string, so enter the names exactly as written here.

Name: https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Value: user.mail

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Value: user.firstname

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Value: user.lastname

SAML Settings

Production Environment

Single Sign-on URL: https://kitcheck-production.auth.us-east-1.amazoncognito.com/saml2/idpresponse
Use this Recipient URL and Destination URL: Checked
Allow this app to request other SSO URLs: Unchecked
Audience URI (SP Entity ID): urn:amazon:cognito:sp:us-east-1_R3Al6cNsv
Default Relay State: Blank
Name ID Format: Persistent
Application Username: Email
Single Logout URL: https://kitcheck-production.auth.us-east-1.amazoncognito.com/saml2/logout

Integration Environment

Single Sign-on URL: https://kitcheck-integration.auth.us-east-1.amazoncognito.com/saml2/idpresponse
Use this Recipient URL and Destination URL: Checked
Allow this app to request other SSO URLs: Unchecked
Audience URI (SP Entity ID): urn:amazon:cognito:sp:us-east-1_XwkuaV5FA
Default Relay State: Blank
Name ID Format: Persistent
Application Username: Email
Single Logout URL: https://kitcheck-integration.auth.us-east-1.amazoncognito.com/saml2/logout

User Management

Our SAML integration only supports the authentication of users. Authorization (whether the user can actually use the application and what permissions they have) is still handled by Bluesight/ControlCheck. As such, user accounts still need to be created in Bluesight/ControlCheck, and the user's email must match the one returned by the hospital's ADFS. If either of these requirements is not met, the user will not be able to log in to Bluesight/ControlCheck.

In terms of removing users, IT can prevent a user from accessing Bluesight by disabling or removing their ADFS account. However, that does not remove the user from the Bluesight database. When implementing the Bluesight/ControlCheck SAML integration, hospitals should decide on a strategy for deleting accounts from Bluesight/ControlCheck on a regular basis.
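The settings tables, the required claims and the user-management rule together describe what the service provider compares an incoming assertion against. The following is an added example, not Bluesight's, Okta's or Cognito's code: it builds a constructed, unsigned SAML Response and runs the SP-side checks implied by the Integration Environment values (Destination and Recipient equal to the `idpresponse` URL, Audience equal to the SP Entity ID, persistent NameID), extracts the three required claims by exact name, and then applies the local authorization rule: the email returned by the IdP must belong to an existing, active application account. The `LOCAL_USERS` table and the hospital addresses are constructed; signature verification is assumed to have been done first by a SAML library and is not shown.

```python
"""Added example: SP-side checks behind the settings and user-management rule."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Values from the Integration Environment settings above.
SP_CONFIG = {
    "acs_url": "https://kitcheck-integration.auth.us-east-1.amazoncognito.com/saml2/idpresponse",
    "audience": "urn:amazon:cognito:sp:us-east-1_XwkuaV5FA",
    "nameid_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
}

# Required claim names, exactly as listed above -> local profile field.
REQUIRED_CLAIMS = {
    "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "first_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "last_name",
}

# Constructed stand-in for the application's own account table: authorization
# stays here, not with the IdP.
LOCAL_USERS = {
    "jdoe@hospital.example": {"role": "pharmacist", "active": True},
    "former@hospital.example": {"role": "tech", "active": False},
}

EMAIL_CLAIM, GIVEN_CLAIM, SURNAME_CLAIM = REQUIRED_CLAIMS


def build_response(email, first, last, audience=SP_CONFIG["audience"],
                   destination=SP_CONFIG["acs_url"],
                   nameid_format=SP_CONFIG["nameid_format"], omit=()):
    """Constructed, unsigned SAML Response used only to exercise the checks."""
    attrs = {EMAIL_CLAIM: email, GIVEN_CLAIM: first, SURNAME_CLAIM: last}
    attr_xml = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>' % (n, v)
        for n, v in attrs.items() if n not in omit)
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" Destination="%s">'
            '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
            '<saml:NameID Format="%s">opaque-persistent-id-1234</saml:NameID>'
            '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            '<saml:SubjectConfirmationData Recipient="%s"/></saml:SubjectConfirmation></saml:Subject>'
            '<saml:Conditions><saml:AudienceRestriction><saml:Audience>%s</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions>'
            '<saml:AttributeStatement>%s</saml:AttributeStatement></saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], destination, nameid_format, destination, audience, attr_xml))


def process_response(xml_text, sp=SP_CONFIG, users=LOCAL_USERS):
    """Return ("ok", merged user record) or ("denied", reason). Assumes the
    XML signature was already verified against the IdP's metadata certificate."""
    root = ET.fromstring(xml_text)
    # "Use this Recipient URL and Destination URL": both must equal the idpresponse URL.
    if root.get("Destination") != sp["acs_url"]:
        return "denied", "Destination does not match the SP's idpresponse URL"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return "denied", "response carries no Assertion"
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sp["acs_url"]:
        return "denied", "Recipient does not match the SP's idpresponse URL"
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp["audience"] not in audiences:
        return "denied", "Audience does not match the SP Entity ID"
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != sp["nameid_format"]:
        return "denied", "NameID format is not persistent"
    # Claims are matched by exact Name string; a near-miss counts as missing.
    claims = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text:
            claims[attr.get("Name")] = value.text.strip()
    missing = [name for name in REQUIRED_CLAIMS if name not in claims]
    if missing:
        return "denied", "missing required claim(s): " + ", ".join(missing)
    profile = {field: claims[name] for name, field in REQUIRED_CLAIMS.items()}
    # Authentication succeeded; authorization is local. The IdP's email must
    # match an account that already exists in the application and is active.
    record = users.get(profile["email"])
    if record is None:
        return "denied", "authenticated, but no application account matches this email"
    if not record["active"]:
        return "denied", "application account is disabled"
    return "ok", {**profile, **record}


if __name__ == "__main__":
    print(process_response(build_response("jdoe@hospital.example", "Jane", "Doe")))
    print(process_response(build_response("nobody@hospital.example", "No", "Body")))
```

The last two branches are the user-management point in code: disabling the ADFS account stops the assertion from ever being issued, but the application-side lookup is what decides access for anyone who does authenticate, so the local account table has to be cleaned up on its own schedule.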