Inbound athenaNet Single Sign-On
Integration Form
athenahealth, Inc.
Version 18.12, Published December 2018
Inbound athenaNet Single Sign-On
Table of Contents
Completing This Document
  Scope Review and Approval
Project Information
Product Description
  Inbound athenaNet Single Sign-On
    IdP-Initiated SSO
    SP-Initiated SSO
    Additional Functionality
Application Configurations
  User Population
  EPCS Single Sign-On Workflow
  User Identity Mapping
  Testing Process
  SSO Application Endpoint URLs
  Additional Comments
Technical Configuration
  Metadata Exchange
  SSO Service URLs (Identity Provider)
  Single Logout Functionality (SLO)
    IdP-Initiated SLO
    SP-Initiated SLO
  SAML Signature Policy
  SAML Encryption Policy
  Signing Certificate
www.athenahealth.com athenahealth, Inc. Proprietary 2
Completing This Document

Scope Review and Approval
Please read the entire Integration Form and complete all form fields and check-boxes to the best of your ability. Should you have questions about the configuration options presented in this document, please do not hesitate to discuss them with your project engineer. When this document is completed to your satisfaction, please approve the scope by typing your name below.

I, ________, agree to the integration design as described in this document.

Date: ________
Project Information

Please fill the following out to the best of your ability for this Inbound athenaNet Single Sign-On (SSO) project.
General Information
athenahealth Practice Name:
athenahealth Practice Context ID:
athenahealth Project Engineer:
athenahealth Project Engineer Contact Information:
Event Number (for internal athenahealth tracking):
Client Information

Project Business Contact (role: responsible for overall success of the project)
  Name:
  Phone:
  Email:

Project Technical Contact (role: responsible for SSO configuration on client side)
  Name:
  Phone:
  Email:
Product Description

Inbound athenaNet Single Sign-On
Inbound athenaNet Single Sign-On (SSO) enables users to log into a third-party system (Identity Provider, IdP) and gain access to athenaNet (Service Provider, SP) without being prompted to enter athenaNet credentials. Athenahealth uses Security Assertion Markup Language 2.0 (SAML 2.0) for this offering and therefore compliance with SAML 2.0 is required.
IdP-Initiated SSO
SP-Initiated SSO
Additional Functionality
Considerations

User Auto-Provisioning
This offering does not support federated user auto-provisioning. The practice will still need to create new users in athenaNet, add their ID mapping, and correctly manage user changes or removals.

Access & Timeout
SSO users will no longer be able to log into athenaNet using their athenaNet credentials. Users will only be able to log into athenaNet if they are coming from the IdP system. If users log out, are timed out, or attempt to access athenanet.athenahealth.com from the general Internet, they will be presented with a screen informing them that their account requires SSO authentication, together with a link for SP-initiated SSO.

Support Environments
This SSO workflow is enabled for all athenaNet environments that your practice uses, including Production, Preview, ClientTrain, and Backup (backup.athenahealth.com), the read-only edition of athenaNet. These all use one connection in our federation server, so we cannot make SSO-related environment-specific changes to the configuration.

Environment-specific URLs
There will be one URL per athenaNet environment. It is the practice's responsibility to appropriately manage and distribute these URLs to your user base.
Application Configurations

User Population
The Single Sign-On practice setting can be changed in order to control the user population to which the SSO applies:
Preference Setting: - blank -

ON
  Single Sign-On enabled for all users without exception. ON is recommended.

ADMINONLY
  Single Sign-On enabled only for users with the SSO Authentication Permission. Practice staff are responsible for controlling the SSO workflow on a per-user basis.
  Please provide a business reason for this decision:

The ADMINONLY setting is leveraged during testing. To ensure this setting only affects designated test users, please confirm that no users have the SSO Authentication permission: - blank -
EPCS Single Sign-On Workflow

Do your providers use athenaClinicals E-Prescribing of Controlled Substances (EPCS) functionality? - blank - If 'No', skip to the next section.
Per regulations, EPCS always requires two-factor authentication where the user must fully re-authenticate. While the second factor is always a Symantec time-based token, with this integration the first factor authentication method can be modified.
EPCS workflow with the EPCS SSO setting ON versus OFF:

Step 1. athenaNet Visit: Provider begins EPCS Workflow
Step 2. First-Factor Authentication:
  ON: Provider redirected to IdP system for credentials
  OFF: Provider enters credentials in athenaNet iFrame
Step 3. Second-Factor Authentication: Symantec time-based token
Step 4. athenaNet Visit: Provider continues EPCS Visit Workflow
Given the workflow options above, please confirm the desired setting below.
Preference Setting: - blank -

ON – IdP credentials for EPCS
  Providers do not need to keep track of their athenaNet credentials.
  The EPCS SSO Amendment to the MSA must be signed and returned. Please provide the following:
    The practice's full Account Legal Name with athenahealth:
    The Directory Service used by your system: - blank - If 'Other', please specify:

OFF – SP credentials for EPCS
  Providers can still change their athenaNet password; however, EPCS first-factor authentication accepts expired athenaNet passwords.

EPCS PRACTICE SETTING: This setting is applied at the tablespace level and affects all EPCS providers.
User Identity Mapping

In order to set up users for single sign-on, athenaNet usernames will need to be mapped to usernames from the Identity Provider system. To facilitate this new step, a new field, "Identity mapping", will be added to the User Admin console (Gear >> User >> Users), allowing practice staff to record the upstream (IdP) username for each user (the ENTER_IDP_USERNAME value in the screenshot below).
MAPPINGS: athenaNet does not support one-to-many user identity management and, therefore, all IdP usernames must have one active athenaNet username in order to access the correct athenaNet user account.
If there are fewer than 50 active users in the tablespace, practice staff will need to manually add the mappings in athenaNet Production. If there are more than 50 active users in the tablespace, your project engineer can perform a username mapping import. A partially completed spreadsheet workbook containing the username, first name, last name and email of your tablespace users, along with a column where user mappings may be entered, will be provided. Once completed by practice staff, your project engineer will import these prior to bringing the single sign-on live for your tablespace.
Testing Process

Unlike other interfaces, Inbound-to-athena SSO testing begins in athenaNet Production. This process avoids User Admin changes in support environments, which are refreshed nightly from athenaNet Production. To mitigate the risk, the SSO Practice Setting is set to ADMINONLY during testing, and only designated dummy test users (or users without critical athenaNet workflows available for testing) are given the SSO Authentication Role and are mapped to the IdP connection.
SSO Application Endpoint URLs

In order to access your other athenahealth environments and facilitate SP-initiated SSO, the URLs for the four environments (athenaNet, Preview, ClientTrain, and Backup) can be constructed as follows:

https://athenanetsso.athenahealth.com/sp/startSSO.ping?PartnerIdpId=[IdP EntityId Provided]&TargetResource=[- select -]
If the IdP EntityId is not specified below, please request this from your athenahealth Project Engineer.
Additional CommentsPlease use this section for any additional questions or comments related to this integration.
Technical Configuration

Metadata Exchange
Are you able to provide your SAML metadata to your athenahealth Project Engineer in an .xml file (preferably via secure encrypted email)? - blank - Yes is strongly recommended.
TIMELINE: Providing metadata significantly expedites the build and trust establishment process by streamlining configuration. Your athenahealth Project Engineer will provide athenahealth’s IdP metadata once the connection has been created.
If you are able to provide metadata (answered 'YES' above), please skip the following section.
If you answered 'NO' above and are unable to provide metadata, please complete the remaining sections.
SSO Service URLs (Identity Provider)

Below is the information we need to build out this integration. Please indicate whether this is contained in the metadata file. If not, please provide it in the chart:
Element Required? If not in metadata file, please provide here
Federation Server Yes
IdP Entity ID Yes
SSO Service URL - POST Yes
SSO Service URL - Redirect Yes
IdP-Initiated SLO Endpoint URL If applicable Provided by athenahealth
SP-Initiated SLO Endpoint URL If applicable
ENTITYID: Whenever possible, athenahealth strongly recommends that the entity ID be a URL without spaces containing the domain name of the Identity Provider.
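As an added illustration (not athenahealth's or any IdP's code), the following script pulls the elements listed in the table above out of an IdP's SAML 2.0 metadata file and checks the entity ID against the ENTITYID recommendation; the metadata, hostname idp.example-practice.org and endpoint paths are constructed for the example.

```python
# Added example (not athenahealth's or any IdP's code): pull the elements listed in
# the table above out of an IdP's SAML 2.0 metadata and check the entityID against
# the ENTITYID recommendation. The metadata below is constructed for illustration.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed metadata for a hypothetical IdP at idp.example-practice.org.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example-practice.org/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example-practice.org/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example-practice.org/saml/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example-practice.org/saml/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def _location(idp, tag, binding):
    """Location of the first <md:tag> element that uses the given binding, else None."""
    for svc in idp.findall(f"md:{tag}", NS):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    return None  # the "If applicable" rows may legitimately be absent

def extract_idp_config(metadata_xml):
    """Return the table's elements as a dict; optional ones that are absent are None."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata does not describe an Identity Provider")
    return {
        "entity_id": root.get("entityID"),
        "sso_post": _location(idp, "SingleSignOnService", POST),
        "sso_redirect": _location(idp, "SingleSignOnService", REDIRECT),
        "slo_endpoint": _location(idp, "SingleLogoutService", POST),
    }

def entity_id_follows_recommendation(entity_id, idp_domain):
    """ENTITYID note above: a URL without spaces containing the IdP's domain name."""
    parsed = urlparse(entity_id)
    return (parsed.scheme in ("http", "https") and " " not in entity_id
            and idp_domain in (parsed.hostname or ""))
```

Running extract_idp_config on the real metadata file before sending it is a quick way to confirm the four required rows of the table are all present.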
Single Logout Functionality (SLO)

By default, Single Logout is not enabled and therefore logging out of athenaNet will have no effect on the IdP system. Similarly, logging out of the IdP system will have no impact on the user's athenaNet session.
IdP-Initiated SLO
With this option enabled: when a user logs out of the IdP system, athena would expect to receive an SLO message posted to our logout endpoint URL. Upon receipt, the user would be logged out of athenaNet as well. Please note that if you choose to enable this option, then athenahealth’s logout endpoint will be in the metadata provided by your Project Engineer.
Please indicate here if you would like to enable IdP-initiated SLO: - blank -

SP-Initiated SLO
With this option enabled: when a user logs out or is timed out of athenaNet, athena will post an SLO message to the IdP system’s SLO endpoint URL, with the expectation that the IdP would then log the user out of that system as well. Please note that if choosing to enable this option you must provide the SLO endpoint.
Please indicate here if you would like to enable SP-initiated SLO: - blank -
PRACTICE SETTINGS: Note that if ‘YES’ is selected above, the practice setting Single Sign On - SP Initiated Single Logout will be set to ON.
SAML Signature Policy

Select here whether you need athena to always post signed SAML assertions. By default, this will not be enabled and the SAML assertions will not be signed. Please select the desired SAML signature policy: Never Sign (default)
SAML Encryption Policy

Select here whether you need athena to post and receive encrypted SAML assertions. By default, this additional encryption is not enabled. Please select the desired SAML encryption policy: No additional encryption (default)
If you select the option to encrypt only certain attributes, please list the attributes here:
Signing Certificate

By default, athenahealth uses RSA SHA256 as its signing algorithm. If desired, RSA SHA384 or RSA SHA512 can be used instead. Please indicate here which signing algorithm you would like used for this connection: RSA SHA256 (default)
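As an added illustration (not athenahealth's code), the following script inspects a SAML Response exchanged on this connection and reports where it departs from the signature policy, encryption policy and signing algorithm agreed in the three sections above; the Response and its placeholder signature value are constructed for the example.

```python
# Added example (not athenahealth's code): inspect a SAML Response and report where
# it departs from the agreed signature policy, encryption policy and signing
# algorithm. The Response below is constructed; it does not verify the signature.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# XML-DSig URIs for the three algorithm choices offered under "Signing Certificate".
ALGORITHMS = {"RSA SHA256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
              "RSA SHA384": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
              "RSA SHA512": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"}

# Constructed sample: one signed, unencrypted assertion (signature value is a placeholder).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_constructed-1">
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

def inspect_response(response_xml):
    """Report what the Response carries; this does not verify the signature itself."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    method = None
    if assertion is not None:
        sm = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
        method = sm.get("Algorithm") if sm is not None else None
    return {"assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
            "assertion_signed": method is not None,
            "signature_algorithm": method}

def policy_mismatches(report, sign_assertions, encrypt_assertions, algorithm="RSA SHA256"):
    """List the agreed policies the Response does not satisfy (empty list = compliant)."""
    problems = []
    if encrypt_assertions and not report["assertion_encrypted"]:
        problems.append("assertion is not encrypted but the encryption policy requires it")
    # An encrypted assertion's signature is only visible after decryption, so the
    # signature checks below apply to cleartext assertions only.
    if not report["assertion_encrypted"]:
        if sign_assertions and not report["assertion_signed"]:
            problems.append("assertion is not signed but the signature policy requires it")
        elif report["assertion_signed"] and report["signature_algorithm"] != ALGORITHMS[algorithm]:
            problems.append(f"assertion is signed with an algorithm other than {algorithm}")
    return problems
```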