Provider Single Sign-On
This documentation will guide you through the process of integrating your system with the Provider Single Sign-On (SSO) service. The Provider SSO service is a SAML-based Single Sign-On API, enabling SSO authentication using Security Assertion Markup Language (SAML) 2.0. Once enabled, providers will only be able to log in to your web app using SSO.
Prerequisites
Before proceeding with the integration, ensure that your customer account has been set up in our system, and work with our team to upload all users who will be using the SSO service.
SAML 2.0
SAML 2.0 is our chosen approach for provider authentication as it provides a seamless experience for the provider and allows our customers to manage access themselves without extensive data integration work.
Supported SAML 2.0 Configurations
We currently support the following SAML 2.0 configurations:
- IdP initiated SSO with CirrusMD as the Service Provider (SP) and the customer as the Identity Provider (IdP)
Key URLs
The following table provides the key URLs for the SAML 2.0 integration:
Name | Method | URL | Parameters |
---|---|---|---|
Consumption URL | POST | [will be shared prior to testing] | SAMLResponse (required) |
Note: The Consumption URL is the location to which the IdP delivers the SAML assertion by HTTP POST. It is often referred to as the Assertion Consumer Service (ACS) URL for your application.
Note: The SAMLResponse parameter is the base64 encoding of a <samlp:Response> element, as defined by the SAML 2.0 HTTP POST binding.
Required Configuration Parameters
The IdP (Identity Provider) should provide the following configuration parameters to CirrusMD:
Name | Type | Provided by | Value or Description |
---|---|---|---|
SP EntityId | String | SP | CirrusMD |
IdP Entity ID | String | IdP | [IdP Entity ID] |
Sign In URL | String | IdP | [Redirect location when a user visits the SP and is not logged in] |
Sign Out URL | String | IdP | [Redirect location when a user logs out of the SP] |
Certificate | String | IdP | [X.509 public certificate used to verify the IdP's signature on the SAML response] |
Supported Response Types
We support the following response type: a SAML 2.0 <samlp:Response>. The only requirement is that the Subject element carrying the subject information has a NameID whose value is the provider's unique email address.
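The following is an added example, not CirrusMD's code, showing the HTTP POST binding described under Key URLs (base64 of a <samlp:Response> in the SAMLResponse field) together with the checks an SP applies against the Required Configuration Parameters and the NameID requirement above. Only the SP EntityId value "CirrusMD" comes from this page; the IdP Entity ID, the ACS URL, the email address and the sample response are constructed placeholders. XML signature verification against the IdP's X.509 certificate needs an XML-DSig library and is assumed to have already succeeded before extract_provider_email runs; the checks shown are the ones that must follow a good signature.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# SP EntityId is the value from the configuration table; the IdP Entity ID
# and ACS URL are assumed placeholders for this example.
CONFIG = {
    "sp_entity_id": "CirrusMD",
    "idp_entity_id": "https://idp.customer.example/saml",
    "acs_url": "https://cirrusmd.example/saml/acs",
    "clock_skew": timedelta(minutes=2),
}
SAMPLE_NOW = datetime(2024, 3, 1, 12, 0, 30, tzinfo=timezone.utc)


def parse_instant(text):
    """SAML instants are UTC ISO 8601; fromisoformat also accepts fractional seconds."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def build_sample_response(email, issued, cfg=CONFIG, audience=None):
    """Constructed, unsigned sample of what an IdP posts; not a real IdP message."""
    audience = audience or cfg["sp_entity_id"]
    nb, na = issued.strftime(TIME_FMT), (issued + timedelta(minutes=5)).strftime(TIME_FMT)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="{nb}" Destination="{cfg['acs_url']}">
  <saml:Issuer>{cfg['idp_entity_id']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{nb}">
    <saml:Issuer>{cfg['idp_entity_id']}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">{email}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""".encode()


def encode_saml_response(xml_bytes):
    """The SAMLResponse form field is the base64 of the XML (HTTP POST binding)."""
    return base64.b64encode(xml_bytes).decode("ascii")


def extract_provider_email(saml_response_b64, cfg=CONFIG, now=None):
    """Apply the SP-side checks and return the NameID email, or raise ValueError.

    Precondition: the XML signature was already verified against the configured
    IdP certificate with an XML-DSig library; nothing below replaces that step."""
    now = now or datetime.now(timezone.utc)
    # For untrusted input in production prefer defusedxml.ElementTree.
    root = ET.fromstring(base64.b64decode(saml_response_b64, validate=True))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    # Only IdP-initiated SSO is supported, so we never sent an AuthnRequest.
    if root.get("InResponseTo"):
        raise ValueError("unexpected InResponseTo on IdP-initiated response")
    if root.get("Destination") != cfg["acs_url"]:
        raise ValueError("Destination is not our ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    assertion = assertions[0]
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or (issuer.text or "").strip() != cfg["idp_entity_id"]:
            raise ValueError("Issuer is not the configured IdP Entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        raise ValueError("missing Conditions or NotOnOrAfter")
    skew = cfg["clock_skew"]
    if cond.get("NotBefore") and now < parse_instant(cond.get("NotBefore")) - skew:
        raise ValueError("assertion not yet valid")
    if now >= parse_instant(cond.get("NotOnOrAfter")) + skew:
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if cfg["sp_entity_id"] not in audiences:
        raise ValueError("SP EntityId not in AudienceRestriction")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("missing NameID")
    if name_id.get("Format", EMAIL_FORMAT) != EMAIL_FORMAT or "@" not in name_id.text:
        raise ValueError("NameID is not an email address")
    return name_id.text.strip()


def demo():
    """Run the checks over constructed samples and return each outcome."""
    issued = SAMPLE_NOW - timedelta(seconds=30)
    good = encode_saml_response(build_sample_response("dr.jones@clinic.example", issued))
    results = {"good": extract_provider_email(good, now=SAMPLE_NOW)}
    for label, b64, at in (
        ("expired", good, SAMPLE_NOW + timedelta(hours=2)),  # replayed hours later
        ("wrong_audience", encode_saml_response(build_sample_response(
            "dr.jones@clinic.example", issued, audience="OtherSP")), SAMPLE_NOW),
    ):
        try:
            extract_provider_email(b64, now=at)
            results[label] = "accepted"
        except ValueError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Each failed check raises rather than returning a partial result, so a caller can only obtain an email from a response that passed every check; the Destination and AudienceRestriction checks are what stop an assertion minted for another endpoint or another SP from being replayed here.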
Example Subject Statement for Required NameID
Here is an example subject statement with the required NameID:
```xml