Enterprise - Implementing Coviu with Azure SSO in your Organisation

This article explains the steps taken to integrate Coviu into your Azure Single Sign-On (SSO) system.

Last updated: Sept 2022

This article is aimed at SSO System Administrators.

You will need Coviu Platform Administrator access to undertake the following configuration activities or, undertake these actions in conjunction with your Coviu Platform Administrator.

On this page:

  1. Introduction
  2. What do we need you to do?
  3. How do I get to the SSO self-help portal in Coviu?
  4. What config items do I need?
  5. FAQs for the SSO Administrator
  6. FAQs for the end user
  7. More support options

Introduction

Coviu now has a self-help SSO configuration interface built into your Enterprise platform. These instructions will guide you on how to access the interface and use it to implement Coviu SSO.


What do we need you to do?

Create a new application registration!

The below instructions should only be used as a guide. Your SSO Administrator will know the specific steps required to create a new application registration within your system so the instructions below should be used within that context.

  1. Sign in to your Azure Portal
  2. Go to Azure Active Directory
  3. Under Manage, click App Registrations
  4. Click the New Registration option
  5. Provide the following details:
    1. Name: Coviu (or your preferred naming convention)
    2. Supported Account Types - this setting will depend on your organisation setting, but will generally be the Single Tenant option to only allow authentication by users in this Active Directory tenant
    3. Redirect URL:
      1. Select Web 
      2. https://<your coviu sub domain here>/sso/callback?domain=<your chosen login email domain here> e.g. https://telehealth.mycompanyname.com.au/sso/callback?domain=mycompanyname.com.au
        1. NOTE: Your Coviu sub domain is the domain you provided to host the Coviu platform.
        2. NOTE: Your chosen login email domain at the end of the string is the email domain your staff use to access SSO. You may have set up configurations for multiple email domains.
    4. Click Register 
  6. You should now have a new application registration available. 
  7. In order to configure your application within Coviu, you will need to provide the URL to your Federation Metadata document. This can be found under the Endpoints option in your application configuration.

  8. This Federation Metadata Document URL should be entered into the Coviu SSO self-configuration portal as described in the sections below. It is used to extract the SSO Sign on URL, the entity ID, and certificates needed to perform SSO.

  9. You will also need your Application (client) ID which is the issuer ID.
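As an added check (example code, not Coviu's or Microsoft's), the following parses a federation metadata document and pulls out the three things the steps above say Coviu extracts from it: the entity ID, the SSO sign-on URL and the signing certificate(s). The metadata document is a constructed sample in the shape Azure AD publishes; the tenant ID and certificate body are placeholders.

```python
# Added example (not Coviu's or Microsoft's code): extract the values Coviu
# reads from an Azure AD federation metadata document so an SSO admin can
# confirm them before saving the configuration. The metadata below is a
# constructed sample; the tenant ID and the certificate body are placeholders.
import urllib.request
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDER-BASE64-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def fetch_metadata(url, timeout=10):
    """Download the metadata document; refuse plain http so it cannot be altered in transit."""
    if not url.startswith("https://"):
        raise ValueError("federation metadata URL must use https")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def parse_federation_metadata(xml_text):
    """Return the entity ID, the HTTP-Redirect sign-on URL and the signing certificates."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (not an IdP document)")
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_REDIRECT:
            sso_url = svc.get("Location")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no "use" means signing and encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(c.text.split()))  # drop PEM-style line wrapping
    if sso_url is None or not certs:
        raise ValueError("metadata lacks a redirect sign-on URL or a signing certificate")
    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "certs": certs}
```

Run `parse_federation_metadata(fetch_metadata(url))` against the Federation Metadata Document URL from step 7 and compare the result with what you enter in the Coviu portal; a document with no IDPSSODescriptor or no signing certificate is rejected rather than silently producing an empty configuration.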


How do I get to the self-help SSO Configuration interface?

If you do not have access to the Coviu platform as an administrator, contact your Coviu Application Owner or your internal project manager. You will need access as a platform administrator to populate the SSO self-configuration portal and activate SSO.

Log into Coviu as you normally would:

  1. If you are already in the platform and on the platform dashboard shown below, click System Configuration in the left-hand menu.
  2. Click the Single Sign On tab.
  3. Click Add Configuration.
  4. On the Create SSO Configuration interface (see the screen capture below), add the required details.
  5. Ticking the Enabled option will make your configuration go live, so proceed with caution.
    1. A go-live date is usually planned with the project team.
    2. It is generally recommended to get SSO implemented prior to having all clinicians added to the platform.
  6. Save the configuration when done. If you have chosen Enabled, then your system should be ready to go.

What configuration items will you need for the interface?

The details you enter into the Coviu SSO self-help configuration interface (below) are the details that come from creating the Coviu application in your IdP and from the resulting federation metadata XML file. The fields required in our SSO self-help portal are:

  1. Email domain: If you have multiple email domains accessing the platform, you will need to create an SSO configuration for each domain.
  2. Application (client) ID: Taken from your IdP portal. Could be referred to as Application ID, Entity ID or Client ID. In the format spn:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  3. Redirect URL: Extracted from your federation metadata XML file, usually toward the bottom of the file, e.g. https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2
  4. Alternative Identifier (not mandatory): Add if required.
  5. Federation metadata URL: As per your Azure application creation.
  6. forceAuthn: Why would I turn this on? When forceAuthn is enabled, the user will have to enter their SSO username and password every time, even when they have a valid session.
  7. disableRequestedAuthnContext: Why would I turn this on? The library we use for SAML authentication requires PasswordProtectedTransport (PPT) to be used. Some ADFS configurations may be set up in a way that does not support PPT and will use Windows Federation Authentication Protocol instead. This will result in authentication context errors and the user will not be able to log in. In that case, turning this toggle on will resolve the issue.
  8. Contact Details section: The Name, Email and Phone Number fields are provided as part of a message to any staff member who attempts to access the platform but has not yet been given access to a clinic in Coviu. The details could be for your Coviu Application Owner, your SSO System Administrator or your IT Service Desk, for example.
  9. Save: Used to save the configuration without turning SSO on.
  10. Enabled toggle: Used to turn SSO on/off (handy for out-of-hours testing).



FAQs for your SSO Administrator

  1. Do we integrate with other SSO technologies?
    1. Information on integrating with on-prem ADFS can be found here.
    2. If your organisation uses another means for SSO, let us know. Register your interest with your Coviu account representative.
  2. Do we support SAML 2.0?
    1. Yes, SAML 2.0 is the protocol we support at the moment.
  3. Advanced SAML Settings explained
    1. forceAuthn: when forceAuthn is enabled, the user will have to enter their SSO username and password every time, even when they have a valid session.
    2. disableRequestedAuthnContext: the library we use for SAML authentication requires PasswordProtectedTransport (PPT) to be used. Some ADFS configurations may be set up in a way that does not support PPT and will use Windows Federation Authentication Protocol instead. This will result in authentication context errors and the user will not be able to log in. In that case, turning this toggle on will resolve the issue.
  4. Is our product (Coviu) listed in the Azure Marketplace/Gallery?
    1. No. Not at this stage.
  5. Authentication state?
    1. Forms based.
  6. Do we require Microsoft ADFS 3.0 to encrypt assertions, to protect against leakage of sensitive information passed back to Coviu during logon?
    1. We don't support this extra layer of encryption at the moment.
  7. Do we require Microsoft ADFS 3.0 to sign its assertions?
    1. Yes, we validate the signatures when we receive a request/response from Microsoft ADFS 3.0.
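To make the two advanced settings concrete (they are described in the configuration table above and again in the Advanced SAML Settings FAQ), here is an added illustration, not Coviu's code or its SAML library: a minimal SAML 2.0 AuthnRequest builder that shows exactly what forceAuthn and disableRequestedAuthnContext change in the request sent to the IdP. The entity ID, callback URL and IdP URL are constructed placeholders, and the "exact" comparison and HTTP-POST binding are assumptions about the SP, not values from this page.

```python
# Added illustration (not Coviu's code): a minimal SAML 2.0 AuthnRequest
# builder showing what the forceAuthn and disableRequestedAuthnContext
# toggles change in the request the SP sends to the IdP. Entity ID,
# callback and IdP URLs are constructed placeholders.
import datetime
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
NS = {"samlp": SAMLP, "saml": SAML}

def build_authn_request(sp_entity_id, acs_url, idp_sso_url,
                        force_authn=False, disable_requested_authn_context=False):
    """Return the AuthnRequest XML the SP would send for the given toggles."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": now,
        "Destination": idp_sso_url, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    if force_authn:
        # forceAuthn: the IdP must re-prompt for credentials even with a live session
        req.set("ForceAuthn", "true")
    ET.SubElement(req, "{%s}Issuer" % SAML).text = sp_entity_id
    if not disable_requested_authn_context:
        # Default: demand PasswordProtectedTransport. An ADFS set up without PPT
        # support rejects this with an authentication context error; the toggle
        # leaves the element out so the IdP may use whatever method it has.
        rac = ET.SubElement(req, "{%s}RequestedAuthnContext" % SAMLP,
                            {"Comparison": "exact"})
        ET.SubElement(rac, "{%s}AuthnContextClassRef" % SAML).text = PPT
    return ET.tostring(req, encoding="unicode")

def inspect_request(request_xml):
    """Parse a request back and report the two settings as an admin would check them."""
    root = ET.fromstring(request_xml)
    ref = root.find("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    return {"force_authn": root.get("ForceAuthn") == "true",
            "requested_context": ref.text if ref is not None else None}
```

If the IdP logs an authentication context error, capturing the SAMLRequest and running inspect_request on it shows whether a RequestedAuthnContext of PPT is still being sent.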

FAQs for the end user

  1. When we turn on SSO, will staff be able to access Coviu from our normal platform URL?
    1. Yes. Staff would still log into Coviu from the link they have been using or have been provided.
    2. If the organisation has an SSO portal, the organisation's SSO administrator may need to provide details on how to access the Coviu platform from the portal.
  2. If staff can access it from the normal link, will the password field still display?
    1. No. If the staff member has already signed in to SSO (their portal), then they will pass straight through to Coviu.
  3. Will the password in Coviu automatically change to match their SSO password?
    1. No. Staff would use their corporate SSO credentials. If they have not logged in to SSO, they would be redirected to their SSO login page and then back to Coviu.
    2. Further, Coviu could never know what the SSO password is, and passwords would not be shared across platforms.




Who do I contact for support?

  • You can contact your Coviu account manager directly, or alternatively
  • You can contact us through one of the options available here