AlayaCare SSO Guide
AlayaCare uses AWS Cognito to support the SAML 2.0 protocol and offer Single Sign-On (SSO) to our tenants.
Contents
- Configuring SSO with AlayaCare
- Information Provided to AlayaCare
- AlayaCare Configuration
- Tenant IdP Configuration
Configuring SSO with AlayaCare
Setting up SSO is a two-step process: the tenant provides their IdP metadata to AlayaCare, and configures the desired AlayaCare environment(s) as a Service Provider (SP) on their IdP.
Information Provided to AlayaCare
AlayaCare requires the following information to configure SSO:
NAME | DESCRIPTION |
---|---|
Metadata URL | URL of the metadata describing the tenant's IdP configuration. It should be served over HTTPS, since the certificate it publishes is the trust anchor used to verify the IdP's signed assertions. |
The metadata endpoint must provide the following details:
- entityID
- X.509 signing certificate
- SSO URL with HTTP-Redirect binding
- SLO URL with HTTP-Redirect binding (only if an SP-initiated logout flow is desired)
AlayaCare Configuration
AlayaCare is responsible for enabling the correct feature flag, “Cognito Single Sign On,” in our tenants’ environment(s). Note that AlayaCare must first set up the AWS Cognito user pool in order for the SSO feature to be fully functional. AlayaCare will notify members of the project team when both of these steps have been completed.
Tenant IdP Configuration
The tenant needs to configure the desired environment(s) as an SP in their IdP and notify AlayaCare when this is complete.
The SP metadata for each environment is served at the following relative path:
/api/v1/auth/cognito/saml/metadata
Example:
https://example.alayacare.ca/api/v1/auth/cognito/saml/metadata
https://example.uat.alayacare.ca/api/v1/auth/cognito/saml/metadata
https://example.staging.alayacare.ca/api/v1/auth/cognito/saml/metadata
Replace example in the URL with your tenant name.
Calling this endpoint returns the following metadata details:
- entityID
- X.509 certificate
- ACS URL with HTTP-POST binding
- NameIDFormat
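Both metadata checklists in this guide (the IdP metadata the tenant supplies, and the SP metadata returned by the endpoint above) can be verified mechanically before anyone exchanges URLs. The following Python script is an added example written for this page, not AlayaCare's code and not the output of its metadata endpoint: it parses a SAML 2.0 metadata document with the standard library and reports which of the required elements are present. The sample IdP and SP documents embedded in it are constructed; the entityIDs, endpoint URLs and certificate value are placeholders, and the real ACS URL and certificate must be read from your environment's metadata endpoint.

```python
"""Sanity-check SAML 2.0 metadata for the items this guide lists.
check_idp_metadata(): the tenant's IdP metadata (entityID, X.509 certificate, SSO with
HTTP-Redirect, and SLO with HTTP-Redirect if SP-initiated logout is wanted).
check_sp_metadata(): the SP metadata an environment publishes (entityID, X.509
certificate, ACS with HTTP-POST, NameIDFormat). Sample documents are constructed.
"""
import xml.etree.ElementTree as ET  # for metadata fetched from the network, prefer defusedxml

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def _certs(role):
    """Base64 X509Certificate values under the role's KeyDescriptor elements."""
    path = "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    return [c.text.strip() for c in role.findall(path, NS) if c.text and c.text.strip()]


def _location(role, element, binding):
    """Location of the first <md:element> that uses the given binding, or None."""
    for endpoint in role.findall(f"md:{element}", NS):
        if endpoint.get("Binding") == binding:
            return endpoint.get("Location")
    return None


def check_idp_metadata(xml_text):
    """Return what was found, plus 'missing' (required items absent) and 'warnings' (optional ones)."""
    root = ET.fromstring(xml_text)
    role = root.find("md:IDPSSODescriptor", NS)
    if role is None:
        return {"entity_id": root.get("entityID"), "missing": ["IDPSSODescriptor"], "warnings": []}
    result = {
        "entity_id": root.get("entityID"),
        "certs": _certs(role),
        "sso_redirect": _location(role, "SingleSignOnService", HTTP_REDIRECT),
        "slo_redirect": _location(role, "SingleLogoutService", HTTP_REDIRECT),
        "missing": [],
        "warnings": [],
    }
    for key, label in (("entity_id", "entityID"), ("certs", "X509Certificate"),
                       ("sso_redirect", "SingleSignOnService with HTTP-Redirect binding")):
        if not result[key]:
            result["missing"].append(label)
    if not result["slo_redirect"]:  # optional: only needed for SP-initiated logout
        result["warnings"].append("no SingleLogoutService with HTTP-Redirect binding; SP-initiated logout unavailable")
    return result


def check_sp_metadata(xml_text):
    """Same shape of result for the SP metadata the tenant loads into its IdP."""
    root = ET.fromstring(xml_text)
    role = root.find("md:SPSSODescriptor", NS)
    if role is None:
        return {"entity_id": root.get("entityID"), "missing": ["SPSSODescriptor"]}
    result = {
        "entity_id": root.get("entityID"),
        "certs": _certs(role),
        "acs_post": _location(role, "AssertionConsumerService", HTTP_POST),
        "nameid_formats": [f.text.strip() for f in role.findall("md:NameIDFormat", NS) if f.text],
        "missing": [],
    }
    for key, label in (("entity_id", "entityID"), ("certs", "X509Certificate"),
                       ("acs_post", "AssertionConsumerService with HTTP-POST binding"),
                       ("nameid_formats", "NameIDFormat")):
        if not result[key]:
            result["missing"].append(label)
    return result


# Constructed IdP metadata: one signing certificate, SSO over POST and Redirect, SLO over Redirect.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.org/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# The same IdP published with HTTP-POST only and no SLO: this does not meet the guide's requirements.
IDP_METADATA_POST_ONLY = "\n".join(line for line in IDP_METADATA.splitlines() if "HTTP-Redirect" not in line)

# Constructed SP metadata in the shape the guide describes; entityID and ACS URL are placeholders.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:example:sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.test/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

To check a live document, read the metadata into a string (for example with urllib.request.urlopen on the HTTPS metadata URL) and pass it to the matching function. Anything listed under "missing" in the IdP result must be fixed in the IdP before the metadata URL is handed to AlayaCare; the POST-only sample shows the typical failure, an IdP that only publishes the HTTP-POST SSO binding.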
In addition, when configuring the environment(s) as SP(s), the following settings must be applied.
NAME | DESCRIPTION |
---|---|
NameID | Must be set to the user's email address. |
emailaddress | Required as a claim attribute with the name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
A sample of the expected emailaddress attribute in the SAML response:
<saml2:AttributeStatement>
<saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">example@alayacare.com</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
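To confirm that an IdP actually releases what the table above asks for, the following Python function (an added example written for this page, not AlayaCare's code) parses a SAML Response or bare Assertion and reports whether the NameID holds an email address and whether the emailaddress claim is present and carries the same value. The sample Response is constructed around the attribute sample above; the issuer URL, IDs and timestamps are placeholders. It does not validate the XML signature, audience or validity window; those checks belong to the SP and are deliberately out of scope here.

```python
"""Check a SAML assertion for the NameID and emailaddress claim this guide requires.
Parsing only: signature, audience and timestamp validation are the SP's job and are
not attempted here. The sample Response below is constructed.
"""
import base64
import re
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # shape check only, not full RFC 5322


def check_assertion(xml_text):
    """Return a list of problems; empty when NameID is an email and the emailaddress claim matches it."""
    root = ET.fromstring(xml_text)
    # Accept a bare <saml2:Assertion> or a <saml2p:Response> wrapping one.
    assertion = root if root.tag == f"{{{NS['saml2']}}}Assertion" else root.find("saml2:Assertion", NS)
    if assertion is None:
        return ["no saml2:Assertion found (an EncryptedAssertion must be decrypted first)"]
    problems = []
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    nameid_value = (name_id.text or "").strip() if name_id is not None else ""
    # The guide requires the NameID *value* to be the user's email; it does not mandate a Format.
    if name_id is None:
        problems.append("Subject has no NameID")
    elif not EMAIL_RE.match(nameid_value):
        problems.append(f"NameID value {nameid_value!r} is not an email address")
    claim_values = [
        (v.text or "").strip()
        for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS)
        if attr.get("Name") == EMAIL_CLAIM
        for v in attr.findall("saml2:AttributeValue", NS)
    ]
    if not claim_values:
        problems.append(f"no Attribute named {EMAIL_CLAIM}")
    elif nameid_value and claim_values[0] != nameid_value:
        problems.append(f"emailaddress claim {claim_values[0]!r} differs from NameID {nameid_value!r}")
    return problems


def check_post_param(saml_response_b64):
    """Same check, starting from the base64 SAMLResponse form field an SP receives over HTTP-POST."""
    return check_assertion(base64.b64decode(saml_response_b64).decode("utf-8"))


# Constructed Response: NameID and the emailaddress claim both carry the same address.
GOOD_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>https://idp.example.org/saml</saml2:Issuer>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml2:Issuer>https://idp.example.org/saml</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">example@alayacare.com</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">example@alayacare.com</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""
GOOD_RESPONSE_B64 = base64.b64encode(GOOD_RESPONSE.encode()).decode()

# Misconfigured IdP: an opaque persistent NameID, and the claim released under the short name "email".
BAD_RESPONSE = GOOD_RESPONSE.replace(
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">example@alayacare.com',
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a1b2c3d4',
).replace(EMAIL_CLAIM, "email")

# NameID and claim disagree: flagged, because the guide requires both to carry the user's email.
MISMATCH_RESPONSE = GOOD_RESPONSE.replace("example@alayacare.com</saml2:AttributeValue>",
                                          "other@alayacare.com</saml2:AttributeValue>")
```

During a test login, capture the SAMLResponse form field from the browser's network tools and pass it to check_post_param; a non-empty result names the NameID or claim mapping in the IdP that still needs adjusting.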