Enterprise - Implementing Coviu with Azure SSO in your Organisation

This article explains the steps taken to integrate Coviu into your Azure Single Sign-On (SSO) system.

Last updated: Dec 2021

This article is aimed at SSO System Administrators.

You will need Coviu Platform Administrator access to undertake the following configuration activities, or undertake them in conjunction with your Coviu Platform Administrator.

On this page:

  1. Introduction
  2. What do we need you to do?
  3. How do I get to the SSO self-help portal in Coviu?
  4. What config items do I need?
  5. FAQs for the SSO Administrator
  6. FAQs for the end user
  7. More support options

Introduction

Coviu now has a self-help SSO configuration interface built into your Enterprise platform. These instructions guide you through accessing the interface and implementing Coviu SSO with it.


What do we need you to do?

Create a new application registration!

The instructions below are a guide only. Your SSO Administrator will know the specific steps required to create a new application registration within your system, so read them in that context.

  1. Sign in to your Azure Portal
  2. Go to Azure Active Directory
  3. Under Manage, click App Registrations
  4. Click the New Registration option
  5. Provide the following details:
    1. Name: Coviu (or your preferred naming convention)
    2. Supported Account Types - this setting will depend on your organisation's settings, but will generally be the Single Tenant option, which only allows authentication by users in this Active Directory tenant
    3. Redirect URL:
      1. Select Web 
      2. https://<your coviu sub domain here>/sso/callback?domain=<your chosen login email domain here> e.g. https://telehealth.mycompanyname.com.au/sso/callback?domain=mycompanyname.com.au
        1. NOTE: Your Coviu sub domain is the domain you provided to host the Coviu platform.
        2. NOTE: Your chosen login email domain at the end of the string is the email domain your staff use to access SSO. You may have set up configurations for multiple email domains.
    4. Click Register 
  6. You should now have a new application registration available. 
  7. In order to configure your application within Coviu, you will need to provide the URL to your Federation Metadata document. This can be found under the Endpoints option in your application configuration.

  8. This Federation Metadata Document URL should be entered into the Coviu SSO self-configuration portal as described in the sections below. It is used to extract the SSO Sign on URL, the entity ID, and certificates needed to perform SSO.

  9. You will also need your Application (client) ID, which is the issuer ID.
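Step 8 above says the Federation Metadata Document is used to extract the SSO sign-on URL, the entity ID and the certificates. The following is an added example (not Coviu's or Microsoft's code) of how those three values are pulled out of a SAML 2.0 metadata document; it runs against a constructed, abbreviated stand-in for the Azure document in which the tenant id and certificate are placeholders. It also rejects a document that carries no signing certificate, since signatures on assertions cannot be validated without one.

```python
"""Extract entityID, SSO sign-on URL and signing certificate(s) from SAML 2.0
federation metadata. Added example; not Coviu's own code."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed, abbreviated stand-in for an Azure federation metadata document.
# The tenant id (xxxxxxxx-...) and the certificate body are placeholders.
SAMPLE_METADATA = """
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
            MIIC-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_federation_metadata(xml_text: str) -> dict:
    """Return entityID, SingleSignOnService endpoints keyed by binding, and
    the signing certificates (base64, whitespace stripped).

    Raises ValueError when the document is not IdP metadata or has no signing
    certificate, because SSO responses could not be signature-checked."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None or entity_id is None:
        raise ValueError("no IDPSSODescriptor / entityID: not IdP metadata")

    sso_endpoints = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        sso_endpoints[svc.get("Binding")] = svc.get("Location")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            # The base64 is wrapped in newlines/indentation inside the document.
            certs.append("".join((cert.text or "").split()))
    if not certs:
        raise ValueError("no signing certificate in metadata")

    return {"entity_id": entity_id, "sso_endpoints": sso_endpoints,
            "signing_certs": certs}


def sso_sign_on_url(meta: dict) -> str:
    """Pick the sign-on endpoint: HTTP-Redirect first, then HTTP-POST."""
    eps = meta["sso_endpoints"]
    url = eps.get(REDIRECT_BINDING) or eps.get(POST_BINDING)
    if url is None:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    return url


if __name__ == "__main__":
    meta = parse_federation_metadata(SAMPLE_METADATA)
    print("entityID:       ", meta["entity_id"])
    print("SSO sign-on URL:", sso_sign_on_url(meta))
    print("signing certs:  ", len(meta["signing_certs"]))
```

To use this against a real tenant, fetch the Federation Metadata Document URL from the Endpoints blade with any HTTP client and pass the response body to parse_federation_metadata; the sign-on URL it returns is the value the page later calls the Redirect URL.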


How do I get to the self-help SSO Configuration interface?

If you do not have access to the Coviu platform as an administrator, contact your Coviu Application Owner or your internal project manager. You need platform administrator access to populate the SSO self-configuration portal and activate SSO.

Log into Coviu as you normally would:

  1. If you are already in the platform and on the platform dashboard shown below, click System Configuration in the left-hand menu.
  2. Click the Single Sign On tab.
  3. Click Add Configuration.
  4. On the Create SSO Configuration interface (see below screen capture), add the required details.
  5. Ticking the Enabled option will make your configuration go live, so proceed with caution.
    1. A go-live date is usually planned with the project team
    2. It is generally recommended to get SSO implemented prior to having all clinicians added to the platform.
  6. Save the configuration when done. If you have chosen Enabled, then your system should be ready to go.

What configuration items will you need for the Interface?

The details you enter into the Coviu SSO self-help Configuration interface (below) come from creating your new Application Registration and from the federation metadata XML file. Enter them in the fields shown below:

  • Domain = your email domain (without the @)
  • Application (client) ID = from your Azure portal
  • Redirect URL = extracted from your federation metadata XML file
    • Usually toward the bottom of your XML file
    • e.g. https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2
  • Alternative Identifier (not mandatory) = add if required
  • Federation metadata URL = as per your Azure application creation
  • forceAuthn: Why would I turn this on?
    • When forceAuthn is enabled, the user will have to enter their SSO username and password every time, even when they have a valid session
  • disableRequestedAuthnContext: Why would I turn this on?
    • The library we use for SAML authentication requires PasswordProtectedTransport (PPT). Some ADFS configurations are set up in a way that does not support PPT and use the Windows Federation Authentication Protocol instead. This results in authentication context errors and the user will not be able to log in. In that case, turning this toggle on will help with the issue.
  • Contact Details section: the Name, Email and Phone Number fields are included in the message shown to any staff member who attempts to access the platform but has not yet been given access to a clinic in Coviu. The details could be those of your Coviu Application Owner, your SSO System Administrator or your IT Service Desk, for example.
  • Save = to save the configuration without turning SSO on.
  • Enabled toggle = to turn SSO on/off (handy for out of hours testing)
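The two advanced toggles above change the SAML AuthnRequest that the service provider sends to the identity provider. The following added example (not Coviu's code; the issuer, callback URL, tenant id and request ID are placeholders) builds such a request and shows that forceAuthn adds ForceAuthn="true", while disableRequestedAuthnContext drops the RequestedAuthnContext element that asks for PasswordProtectedTransport. The request is unsigned and not yet deflated or base64-encoded, which is what a real redirect binding would do next.

```python
"""Build a SAML 2.0 AuthnRequest and show the effect of the forceAuthn and
disableRequestedAuthnContext toggles. Added example; not Coviu's own code."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Placeholders only (constructed, not real identifiers).
ISSUER = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"  # Application (client) ID, the issuer ID
ACS_URL = "https://telehealth.mycompanyname.com.au/sso/callback?domain=mycompanyname.com.au"
IDP_SSO_URL = "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2"


def build_authn_request(issuer: str, acs_url: str, destination: str, request_id: str,
                        force_authn: bool = False,
                        disable_requested_authn_context: bool = False) -> str:
    """Return the AuthnRequest XML as a string."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        # forceAuthn: the IdP must re-authenticate the user even if it already
        # holds a valid session for them.
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    if not disable_requested_authn_context:
        # Ask for PasswordProtectedTransport exactly. An IdP/ADFS that only
        # offers another context (e.g. Windows integrated auth) answers with
        # an authentication context error, which is what the toggle avoids.
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                            {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = PPT
    return ET.tostring(req, encoding="unicode")


def describe(xml_text: str) -> dict:
    """Summarise how the two toggles show up in a request."""
    root = ET.fromstring(xml_text)
    return {
        "force_authn": root.get("ForceAuthn") == "true",
        "requests_ppt": root.find(f".//{{{SAML}}}AuthnContextClassRef") is not None,
    }


if __name__ == "__main__":
    default = build_authn_request(ISSUER, ACS_URL, IDP_SSO_URL, "_req-1")
    adfs = build_authn_request(ISSUER, ACS_URL, IDP_SSO_URL, "_req-2",
                               force_authn=True, disable_requested_authn_context=True)
    print("defaults:", describe(default))
    print("both toggles on:", describe(adfs))
    print(adfs)
```

The IssueInstant is generated at call time, so two runs differ only in that timestamp; everything else in the request is determined by the toggles and the placeholders.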



FAQs for your SSO Administrator

  1. Do we integrate with other SSO technologies?
    1. Information on integrating with on-prem ADFS can be found here.
    2. If your organisation uses another means for SSO, let us know. Register your interest with your Coviu account representative.
  2. Do we support SAML 2.0?
    1. Yes, SAML 2.0 is the protocol we support at the moment.
  3. Advanced SAML Settings explained
    1. forceAuthn - when forceAuthn is enabled, the user will have to enter their SSO username and password every time, even when they have a valid session
    2. disableRequestedAuthnContext - enabling this is required when using SSO with Azure Active Directory Federation Services
  4. Is our product (Coviu) listed in the Azure Marketplace/Gallery?
    1. No. Not at this stage.
  5. Authentication state?
    1. Forms based.
  6. Do we require Microsoft ADFS 3.0 to encrypt assertions to protect against leakage of sensitive information passed back to Coviu during logon?
    1. We don't support this extra layer of encryption at the moment.
  7. Do we require Microsoft ADFS 3.0 to sign their assertions?
    1. Yes, we validate the signatures when we receive a request/response from Microsoft ADFS 3.0.

FAQs for the end user

  1. When we turn on SSO, will staff be able to access Coviu from our normal platform URL?
    1. Yes. Staff would still log into Coviu from the link they have been using or have been provided.
    2. If the organisation has an SSO portal, the organisation's SSO administrator may need to provide details on how to access the Coviu platform from the portal.
  2. If staff can access it from the normal link, will the password field still display?
    1. No. If the staff member has already signed in to SSO (their portal), then they will pass straight through to Coviu.
  3. Will the password in Coviu automatically change to match their SSO password?
    1. No. Staff would use their corporate SSO credentials. If they have not logged in to SSO, they would be redirected to their SSO login page and then back to Coviu.
    2. Further, Coviu could never know what the SSO password is, and passwords would not be shared across platforms.


Who do I contact for Support?

  • You can contact your Coviu account manager directly, or
  • You can contact us through one of the options available here