Abbreviations used
SSO: Single Sign On
ADFS: Active Directory Federation Services
SAML: Security Assertion Markup Language
SP: Service Provider; in the context of this document this is openFIT
IdP: Identity Provider; in the context of this document this is the openFIT partner wishing to integrate with the openFIT application through their SSO.
OF: openFIT application
Introduction
This document explains the SSO integration between OF, acting as the SP, and OF partners through their ADFS and SSO implementation. It allows end users to log in to OF seamlessly once they have already logged in to their workstations.
The integration is done using the OF "Federation Metadata" endpoint, and it is expected that the partner using this endpoint sends the assertions (claims) required by the OF application so that users can log in seamlessly.
Federation Metadata Endpoint
OpenFIT provides two endpoints for partners:
Testing Endpoint
Use this endpoint to carry out a pilot integration with OF. It provides a safe place to build and test the integration until it works as expected and is ready to go live.
URL: https://openfitapi.groupnos.com/FederationMetadata/2007-06/FederationMetadata.xml
Production Endpoint
Once a partner is confident that the integration works seamlessly and meets their expectations, the partner can move to the production endpoint.
URL: https://openfitapi.groupnos.com/FederationMetadata/2007-06/FederationMetadata.xml
Claim Types Required by OpenFIT
On a basic level, OF requires that the claims below are sent as part of the assertion.
For each claim we list the Claim Type, the URI and, where needed, a description.

Name
URI: /claims/name
Description: used as the username in OpenFIT

UPN
URI: /claims/upn

Role
URI: /claims/role
Description: one of:
- OpenFITAdministrator
- OpenFITLocalAdmin
- OpenFITClinicianSupervisor
- OpenFITClinician

Email Address
URI: /claims/emailaddress

First Name
URI: /claims/givenname

Last Name
URI: /claims/surname

Profession
URI: TBC
Description: a future field that will contain the user's profession, one of:
- Therapist
- Counsellor
- Psychologist
- Physician
- Practitioner
- Child Care Worker
- Social Worker
- Doctor
- Case Manager
- Skills Trainer
Note: If further information needs to be integrated, please contact OF support.
An example of how to integrate using ADFS:
https://blogs.msdn.microsoft.com/card/2010/06/24/using-federation-metadata-to-establish-a-relying-party-trust-in-ad-fs-2-0/
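A check that an incoming assertion carries every claim in the table above, with the role restricted to the four OpenFIT roles, as an added example that is not part of this document or the openFIT code. The document lists only the "/claims/..." tail of each URI, so the check matches on that tail; the full prefix used in the constructed sample assertion, and the helper that builds it, are assumptions.

```python
import xml.etree.ElementTree as ET

# Claim URI tails exactly as the table above lists them; matching is on the tail, not a full URI.
REQUIRED_CLAIMS = ["name", "upn", "role", "emailaddress", "givenname", "surname"]
ALLOWED_ROLES = {"OpenFITAdministrator", "OpenFITLocalAdmin",
                 "OpenFITClinicianSupervisor", "OpenFITClinician"}
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Prefix assumed for the constructed sample only (the document does not state it).
SAMPLE_PREFIX = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

def extract_claims(assertion_xml):
    """Map each Attribute Name URI in the AttributeStatement to its non-empty values."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        claims.setdefault(attr.get("Name", ""), []).extend(values)
    return claims

def check_claims(assertion_xml):
    """Problems with the assertion's claims; an empty list means all required claims are present."""
    # Only meaningful after the assertion's XML signature has been verified against the partner metadata.
    claims = extract_claims(assertion_xml)
    problems = []
    for tail in REQUIRED_CLAIMS:
        values = [v for uri, vals in claims.items()
                  if uri.endswith("/claims/" + tail) for v in vals]
        if not values:
            problems.append("missing claim: /claims/" + tail)
        elif tail == "role":
            problems.extend("unknown role: " + r for r in values if r not in ALLOWED_ROLES)
    return problems

def build_assertion(claims):
    """Build a minimal, unsigned, constructed assertion from {uri_tail: value} (sample input only)."""
    attrs = "".join(f'<saml:Attribute Name="{SAMPLE_PREFIX}{tail}"><saml:AttributeValue>'
                    f"{value}</saml:AttributeValue></saml:Attribute>" for tail, value in claims.items())
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}" ID="_constructed" Version="2.0">'
            f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>")

# Constructed samples: one assertion per the table, one missing the email claim with an unlisted role.
GOOD = build_assertion({"name": "jdoe", "upn": "jdoe@partner.example", "role": "OpenFITClinician",
                        "emailaddress": "jdoe@partner.example", "givenname": "Jane", "surname": "Doe"})
BAD = build_assertion({"name": "jdoe", "upn": "jdoe@partner.example", "role": "DomainAdmin",
                       "givenname": "Jane", "surname": "Doe"})
if __name__ == "__main__":
    print(check_claims(GOOD))  # []
    print(check_claims(BAD))   # ['unknown role: DomainAdmin', 'missing claim: /claims/emailaddress']
```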
Provisioning a Partner
To complete the integration and test it, OpenFIT needs to provision an account for the partner. To do that, the partner's Federation Metadata endpoint or document is needed. We extract the following information from the document:
- Name or Id, e.g.: http://adfs-test.groupnos.com/adfs/services/trust
- Single Sign-on Service URL
- Single Logout Service URL
- Sign Authentication Request (Yes / No)