What is the context?
Meddbase supports Single sign-on ('SSO') using the SAML 2.0 protocol. This enables users to log into their Meddbase instance via SSO. Enabling it also disables all local sign-ins (sign-ins that do not go via SSO).
Click here for an article on configuring SSO for OH portal employee companies.
What is the purpose of the article?
- Outlines how Single sign-on works
- Summarises the configuration tasks that need to be carried out, and by whom
- Outlines steps to carry out the configuration tasks
What are the pre-requisites for this article?
To use this article and undertake configuration, you need:
- A good working knowledge of SAML 2.0.
- A Meddbase User account in your chamber with admin permissions.
- Access to your organisation's Azure Active Directory admin centre.
How does Single sign-on work?
SSO is set up at the chamber level. When a User tries to access the application, Meddbase identifies the identity provider (Azure AD) that will authenticate the User, generates a SAML 2.0 AuthnRequest and redirects the User's browser to the Azure AD SAML single sign-on URL. If the User is not already signed in, Azure AD authenticates the User and generates a SAML token. Azure AD then posts the SAML response to Meddbase via the User's browser; Meddbase verifies the SAML response and completes the User sign-in.
Click here for more details on the Single sign-on SAML protocol.
SSO configuration steps in Azure AD and in Meddbase
The SSO configuration process requires admin configuration in your organisation's Azure AD (or similar) provider account. There are also configuration steps you need to take in your Meddbase chamber.
For simplicity, all steps/tasks required in both environments and the exchange of information between them have been put in a single, chronological list below:
Steps required on your Azure Portal
1. Login to portal.azure.com and select Azure Active Directory under Azure services.
2. Navigate to Enterprise applications.
3. Click New Application.
4. Click Create your own application.
5. Enter a name for the application, e.g., 'Meddbase SSO'.
6. Select the Integrate any other application you don't find in the gallery (Non-gallery) option.
7. Click Create and wait for the application to finish building.
8. Click Set up single sign on and select SAML on the next screen.
9. Click Edit in the Basic SAML Configuration section.
10. Enter the Chamber Domain Key* as the Identifier (Entity ID).
*The Chamber Domain Key can be found in your Meddbase chamber under Admin > Configuration > Application > Chamber domain key / user login prefix.
11. Enter 'Login URL/ssoapp', e.g. login.meddbase.com/ssoapp, as the Reply URL (Assertion Consumer Service URL). Make sure there are no spaces before or after the URL.
12. Click Edit in the User Attributes & Claims section.
13. Set Source attribute to user.mail.
14. Save settings.
15. Under 'SAML Signing Certificate' download Certificate (Base64).
16. Copy the Login URL under Set up ‘Meddbase SSO’.
17. Click ‘Users and groups’ under Manage, to grant access to any groups that will be using SSO.
Steps required in your Meddbase chamber
1. Login to Meddbase normally using your Meddbase username and password.
2. From the Start Page navigate to Admin > Configuration > Application.
3. Tick the Enable single sign-on checkbox.
4. Fill in the following details:
- Identity provider URL: Login URL (from step 16).
- Identifier: Chamber Domain Key (from step 10).
- Certificate: Open the Certificate (Base64) (from step 15) in Notepad and copy/paste the content.
- Claim name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mail
5. Click Save to apply your settings.
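The checks below tie the SAML flow described earlier to the values entered in steps 10, 11 and 4: the response Azure AD posts to the Reply URL must be addressed to that URL, restricted to the Identifier (chamber domain key) as its Audience, still inside its validity window, and carry the configured mail claim. This is an added illustration, not Meddbase's own code; the chamber key, email address and SAML Response are constructed placeholders, and XML signature verification against the downloaded Base64 certificate is assumed to have happened before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values entered on the Meddbase side (constructed placeholders, not real chamber values).
SP_CONFIG = {
    "identifier": "examplechamber",                  # Chamber Domain Key = Identifier / Entity ID
    "acs_url": "https://login.meddbase.com/ssoapp",  # Reply URL (Assertion Consumer Service URL)
    "claim_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mail",
}

# Constructed, unsigned SAML Response shaped like the one Azure AD posts to the Reply URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://login.meddbase.com/ssoapp">
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://login.meddbase.com/ssoapp"
        NotOnOrAfter="2023-06-06T10:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2023-06-06T09:55:00Z" NotOnOrAfter="2023-06-06T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>examplechamber</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mail">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, cfg, now_iso):
    """Return (email, errors); email is None unless every check passes."""
    errors, now = [], _ts(now_iso)
    for key in ("identifier", "acs_url"):  # the stray-whitespace mistake step 11 warns about
        if cfg[key] != cfg[key].strip():
            errors.append(f"{key} has leading/trailing whitespace")
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    recipient = assertion.find(".//saml:SubjectConfirmationData", NS).get("Recipient")
    if cfg["acs_url"] not in (root.get("Destination"), recipient) or recipient != root.get("Destination"):
        errors.append("Destination/Recipient do not match the Reply URL")
    cond = assertion.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        errors.append("assertion is outside its validity window")
    if cfg["identifier"] not in [a.text for a in assertion.findall(".//saml:Audience", NS)]:
        errors.append("Audience does not match the Identifier (chamber domain key)")
    values = [a.find("saml:AttributeValue", NS) for a in assertion.findall(".//saml:Attribute", NS)
              if a.get("Name") == cfg["claim_name"]]
    email = values[0].text if values and values[0] is not None else None
    if email is None:
        errors.append("configured claim name is not present in the assertion")
    return (email if not errors else None), errors
```

The configured claim name must match the attribute Name Azure AD emits for user.mail (step 13), which is why the last check is the one that fails when the claim mapping is wrong rather than the URLs.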
Testing the application in your Azure Portal
Whilst logged in as the current user, click Test Application. If successful, you should be logged into Meddbase.
If the test fails, please confirm that you have a profile in Meddbase with the same email address as the account that you’re logged into Azure with.
Users added in Step 17 should see a new app on https://myapps.microsoft.com/ with the name set in Step 5, from which they can launch Meddbase. This will be the new way to log in to Meddbase, and all local logins will be disabled.
This article was last updated on 6th of June 2023 in the context of Meddbase version 1.267.1.18836.