Inbound athenaNet Single Sign-On Integration Form athenahealth, Inc. Version 18.12 Published December 2018
Table of Contents

Completing This Document
  Scope Review and Approval
Project Information
Product Description
  Inbound athenaNet Single Sign-On
    IdP-Initiated SSO
    SP-Initiated SSO
    Additional Functionality
Application Configurations
  User Population
  EPCS Single Sign-On Workflow
  User Identity Mapping
  Testing Process
  SSO Application Endpoint URLs
  Additional Comments
Technical Configuration
  Metadata Exchange
  SSO Service URLs (Identity Provider)
  Single Logout Functionality (SLO)
    IdP-Initiated SLO
    SP-Initiated SLO
  SAML Signature Policy
  SAML Encryption Policy
  Signing Certificate

www.athenahealth.com athenahealth, Inc. Proprietary 2

Completing This Document

Scope Review and Approval

Please read the entire Integration Form and complete all form fields and check-boxes to the best of your ability. Should you have questions about the configuration options presented in this document, please do not hesitate to discuss them with your project engineer. When this document is completed to your satisfaction, please approve the scope by typing your name below.

I, ______, agree to the integration design as described in this document.

Date: ______


Project Information

Please fill the following out to the best of your ability for this Inbound athenaNet Single Sign-On (SSO) project.

General Information

athenahealth Practice Name: Click here to enter text.

athenahealth Practice Context ID: Click here to enter text.

athenahealth Project Engineer: Click here to enter text.

athenahealth Project Engineer Contact Information: Click here to enter text.

Event Number (for internal athenahealth tracking): Click here to enter text.

Client Information

Project Business Contact (responsible for overall success of the project)

Name: ______

Phone: ______

Email: ______

Project Technical Contact (responsible for SSO configuration on the client side)

Name: ______

Phone: ______

Email: ______


Product Description

Inbound athenaNet Single Sign-On

Inbound athenaNet Single Sign-On (SSO) enables users to log into a third-party system (Identity Provider, IdP) and gain access to athenaNet (Service Provider, SP) without being prompted to enter athenaNet credentials. Athenahealth uses Security Assertion Markup Language 2.0 (SAML 2.0) for this offering and therefore compliance with SAML 2.0 is required.

IdP-Initiated SSO

SP-Initiated SSO

Additional Functionality


Consideration: User Auto-Provisioning

This offering does not support federated user auto-provisioning. The practice will still need to create new users in athenaNet, add their ID mapping, and correctly manage user changes or removals.

Consideration: Access & Timeout

SSO users will no longer be able to log into athenaNet using their athenaNet credentials. Users will only be able to log into athenaNet if they are coming from the IdP system. If users log out, are timed out, or attempt to access athenanet.athenahealth.com from the general Internet, they will be presented a screen informing them that their account requires SSO authentication, with a link for SP-initiated SSO.

Consideration: Support Environments

This SSO workflow is enabled for all athenaNet environments that your practice uses. This includes environments such as Production, Preview, ClientTrain, and Backup (backup.athenahealth.com), the read-only edition of athenaNet. These all use one connection in our federation server, meaning we cannot make SSO-related environment-specific changes to the configuration.

Consideration: Environment-specific URLs

There will be one URL per athenaNet environment. It is the practice’s responsibility to appropriately manage and distribute these URLs to your user base.


Application Configurations

User Population

The Single Sign-On practice setting can be changed in order to control the user population to which the SSO applies:

Preference Setting: - blank - (ON is recommended)

ON: Single Sign-On enabled for all users without exception.

ADMINONLY: Single Sign-On enabled only for users with the SSO Authentication Permission. Practice staff are responsible for controlling the SSO workflow on a per-user basis. Please provide a business reason for this decision: ______

This setting is leveraged during testing. To ensure this setting only affects designated test users, please confirm that no users have the SSO Authentication permission: - blank -

EPCS Single Sign-On Workflow

Do your providers use athenaClinicals E-Prescribing of Controlled Substances (EPCS) functionality? - blank - If ‘No’, skip to the next section.

Per regulations, EPCS always requires two-factor authentication where the user must fully re-authenticate. While the second factor is always a Symantec time-based token, with this integration the first factor authentication method can be modified.

Workflow steps: 1. athenaNet Visit ►►► 2. First-Factor Authentication ►►► 3. Second-Factor Authentication ►►► 4. athenaNet Visit

Setting ON: Provider begins EPCS Workflow ►►► Provider redirected to IdP system for credentials ►►► Symantec time-based token ►►► Provider continues EPCS Visit Workflow

Setting OFF: Provider begins EPCS Workflow ►►► Provider enters credentials in athenaNet iFrame ►►► Symantec time-based token ►►► Provider continues EPCS Visit Workflow

Given the workflow options above, please confirm the desired setting below.


Preference Setting: - blank -

ON – IdP credentials for EPCS

Providers do not need to keep track of their athenaNet credentials. The EPCS SSO Amendment to MSA must be signed and returned. Please provide the following:

The practice’s full Account Legal Name with athenahealth: ______

The Directory Service used by your system: - blank - If ‘Other’, please specify: ______

OFF – SP credentials for EPCS

Providers can still change their athenaNet password; however, EPCS first-factor authentication accepts expired athenaNet passwords.

EPCS PRACTICE SETTING: This setting is applied at the tablespace level and affects all EPCS providers.

User Identity Mapping

In order to set up users for single sign-on, athenaNet usernames will need to be mapped to usernames from the Identity Provider system. To facilitate this new step, a new field, “Identity mapping”, will be added to the User Admin console (Gear >> User >> Users), allowing practice staff to record the upstream (IdP) username for each user (the ENTER_IDP_USERNAME value in the screenshot below).

MAPPINGS: athenaNet does not support one-to-many user identity management and, therefore, all IdP usernames must have one active athenaNet username in order to access the correct athenaNet user account.

If there are fewer than 50 active users in the tablespace, practice staff will need to manually add the mappings in athenaNet Production. If there are more than 50 active users in the tablespace, your project engineer can perform a username mapping import. A partially completed spreadsheet workbook containing the username, first name, last name and email of your tablespace users, along with a column where user mappings may be entered, will be provided. Once completed by practice staff, your project engineer will import these prior to bringing the single sign-on live for your tablespace.

Testing Process

Unlike other interfaces, Inbound-to-athena SSO testing begins in athenaNet Production. This process avoids the User Admin changes that refresh nightly from athenaNet Production to the support environments. To mitigate the risk, the SSO Practice Setting is set to ADMINONLY during testing, and only designated dummy test users (or users without critical athenaNet workflows available for testing) are given the SSO Authentication Role and are mapped to the IdP connection.

SSO Application Endpoint URLs

In order to access your other athenahealth environments and facilitate SP-initiated SSO, the URLs for the four environments (athenaNet, Preview, ClientTrain, and Backup) can be constructed as follows:

https://athenanetsso.athenahealth.com/sp/startSSO.ping?PartnerIdpId=[IdP EntityId Provided]&TargetResource=[- select -]

If the IdP EntityId is not specified below, please request this from your athenahealth Project Engineer.

Additional Comments

Please use this section for any additional questions or comments related to this integration. ______


Technical Configuration

Metadata Exchange

Are you able to provide your SAML metadata to your athenahealth Project Engineer in an .xml file (preferably via secure encrypted email)? - blank - (Yes is strongly recommended)

TIMELINE: Providing metadata significantly expedites the build and trust establishment process by streamlining configuration. Your athenahealth Project Engineer will provide athenahealth’s IdP metadata once the connection has been created.

If you are able to provide metadata (answered ‘YES’ above), please skip the following section.

If you answered ‘NO’ above and are unable to provide metadata, please complete the remaining sections.

SSO Service URLs (Identity Provider)

Below is the information we need to build out this integration. Please indicate whether it is contained in the metadata file. If not, please provide it in the chart:

Element | Required? | If not in metadata file, please provide here
Federation Server | Yes | ______
IdP Entity ID | Yes | ______
SSO Service URL - POST | Yes | ______
SSO Service URL - Redirect | Yes | ______
IdP-Initiated SLO Endpoint URL | If applicable | Provided by athenahealth
SP-Initiated SLO Endpoint URL | If applicable | ______

ENTITYID: Whenever possible, athenahealth strongly recommends that the entity ID be a URL without spaces containing the domain name of the Identity Provider.
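The values in the table above are exactly what a SAML 2.0 IdP metadata file carries, which is why providing metadata is recommended. The following is an added example, not athenahealth's code: it extracts the entity ID, the POST and Redirect SSO endpoints, the SLO endpoint and the signing certificate from an IdP metadata document, applies the ENTITYID recommendation (a URL without spaces that contains the IdP's domain), and builds the SP-initiated startSSO URL quoted earlier in this form. The metadata document, its hostnames and certificate are constructed placeholders, and the environment URL passed as TargetResource is an assumption, not a value taken from the form's drop-down.

```python
"""Added example (not athenahealth's code): read the SSO Service URLs table
values out of SAML 2.0 IdP metadata, check the entity ID recommendation, and
build the SP-initiated startSSO URL. The metadata below is a constructed
sample with placeholder domain and certificate."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Binding URIs from the SAML 2.0 Bindings specification.
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# SP-initiated start URL as given in the form (query string is appended below).
SP_START_SSO = "https://athenanetsso.athenahealth.com/sp/startSSO.ping"

# Constructed sample IdP metadata; the domain and certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example-practice.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-BASE64...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example-practice.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example-practice.test/saml/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example-practice.test/saml/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _location(parent, tag, binding):
    """Location of the first <tag> child that advertises the given binding."""
    for el in parent.findall(tag, NS):
        if el.get("Binding") == binding:
            return el.get("Location")
    return None


def parse_idp_metadata(xml_text):
    """Map IdP metadata onto the form's table: entity ID, SSO endpoint per
    binding, SLO endpoint and signing certificate(s)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                signing_certs.append("".join(cert.text.split()))
    return {
        "entity_id": root.get("entityID"),
        "sso_post": _location(idp, "md:SingleSignOnService", BINDING_POST),
        "sso_redirect": _location(idp, "md:SingleSignOnService", BINDING_REDIRECT),
        "slo_post": _location(idp, "md:SingleLogoutService", BINDING_POST),
        "signing_certs": signing_certs,
    }


def entity_id_meets_recommendation(entity_id, sso_url):
    """ENTITYID check from the form: an http(s) URL, no whitespace, containing the
    IdP's domain (taken here from the host of its SSO endpoint)."""
    if not entity_id or any(ch.isspace() for ch in entity_id):
        return False
    parsed = urlparse(entity_id)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False
    idp_host = urlparse(sso_url).hostname or ""
    return idp_host != "" and idp_host in parsed.netloc


def sp_initiated_sso_url(idp_entity_id, target_resource):
    """Build the startSSO URL from the form; urlencode percent-encodes the entity
    ID so its own '://' and '/' do not corrupt the query string."""
    return SP_START_SSO + "?" + urlencode(
        {"PartnerIdpId": idp_entity_id, "TargetResource": target_resource}
    )


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    for key, value in info.items():
        print(f"{key}: {value}")
    print("entity ID ok:", entity_id_meets_recommendation(info["entity_id"], info["sso_post"]))
    # The target resource here is an assumed environment URL, not the form's drop-down value.
    print(sp_initiated_sso_url(info["entity_id"], "https://athenanet.athenahealth.com/"))
```

The entity-ID check deliberately rejects identifiers with whitespace or without an http(s) scheme, which are the two ways the ENTITYID recommendation is most often missed; a URN-style identifier is valid SAML but still fails the recommendation as the form states it.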

Single Logout Functionality (SLO)

By default, Single Logout is not enabled and therefore logging out of athenaNet will have no effect on the IdP system. Similarly, logging out of the IdP system will have no impact on the user’s athenaNet session.

IdP-Initiated SLO

With this option enabled: when a user logs out of the IdP system, athena would expect to receive an SLO message posted to our logout endpoint URL. Upon receipt, the user would be logged out of athenaNet as well. Please note that if you choose to enable this option, then athenahealth’s logout endpoint will be in the metadata provided by your Project Engineer.


Please indicate here if you would like to enable IdP-initiated SLO: - blank -

SP-Initiated SLO

With this option enabled: when a user logs out or is timed out of athenaNet, athena will post an SLO message to the IdP system’s SLO endpoint URL, with the expectation that the IdP would then log the user out of that system as well. Please note that if choosing to enable this option you must provide the SLO endpoint.

Please indicate here if you would like to enable SP-initiated SLO: - blank -

PRACTICE SETTINGS: Note that if ‘YES’ is selected above, the practice setting Single Sign On - SP Initiated Single Logout will be set to ON.

SAML Signature Policy

Select here whether you need athena to always post signed SAML assertions. By default, this will not be enabled and the SAML assertions will not be signed. Please select the desired SAML signature policy: Never Sign (default)

SAML Encryption Policy

Select here whether you need athena to post and receive encrypted SAML assertions. By default, this additional encryption is not enabled. Please select the desired SAML encryption policy: No additional encryption (default)

If you select the option to encrypt only certain attributes, please list the attributes here: ______

Signing Certificate

By default, athenahealth uses RSA SHA256 as our signing algorithm. If desired, we could use SHA384 or SHA512 instead. Please indicate here which signing algorithm you would like used for this connection: RSA SHA256 (default)
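The three choices above (signature policy, encryption policy, signing algorithm) are visible on the wire, so during testing the practice's technical contact can confirm that what the connection actually sends matches what was selected on this form. The following is an added example, not athenahealth's code: it inspects a SAML 2.0 Response, reports whether the assertion carries a signature, which XML Signature algorithm URI it names, and whether the assertion or individual attributes are encrypted, then compares that report with the form's choices. It reads what the message claims; cryptographic verification of the signature is left to the SP's SAML stack. The Response is a constructed sample with placeholder digest and signature values, the `always_sign` flag stands for the signature-policy choice other than "Never Sign", and the encryption-policy labels are assumed names for the form's drop-down entries.

```python
"""Added example (not athenahealth's code): report what a SAML 2.0 Response
claims about signing and encryption and compare it with the form's choices.
No signature verification is performed here. The Response is a constructed
sample with placeholder digest and signature values."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# XML Signature algorithm URIs for the three options the form offers.
OFFERED_ALGORITHMS = {
    "RSA SHA256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "RSA SHA384": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "RSA SHA512": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}
# Assumed labels for the form's encryption drop-down.
NO_ENCRYPTION = "No additional encryption"
ENCRYPT_ATTRIBUTES = "Encrypt certain attributes"

# Constructed sample: one signed assertion with one plaintext and one encrypted attribute.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example-practice.test/saml</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:EncryptedAttribute>
        <xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
      </saml:EncryptedAttribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def inspect_response(xml_text):
    """Collect the signing/encryption facts the form's three settings govern."""
    root = ET.fromstring(xml_text)
    report = {
        "assertion_signed": False,
        "signature_algorithm": None,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "plaintext_attributes": [],
        "encrypted_attribute_count": 0,
    }
    assertion = root.find("saml:Assertion", NS)
    if assertion is not None:
        method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
        if method is not None:
            report["assertion_signed"] = True
            report["signature_algorithm"] = method.get("Algorithm")
        report["plaintext_attributes"] = [
            a.get("Name") for a in assertion.findall(".//saml:Attribute", NS)
        ]
        report["encrypted_attribute_count"] = len(
            assertion.findall(".//saml:EncryptedAttribute", NS)
        )
    return report


def policy_findings(report, always_sign, signing_algorithm, encryption_policy):
    """Compare a report with the form's choices; an empty list means they agree."""
    findings = []
    if always_sign and not report["assertion_signed"]:
        findings.append("signature policy requires signing but the assertion is unsigned")
    if report["assertion_signed"]:
        expected = OFFERED_ALGORITHMS[signing_algorithm]
        actual = report["signature_algorithm"]
        if actual != expected:
            findings.append(f"signature algorithm {actual} differs from configured {expected}")
        if actual not in OFFERED_ALGORITHMS.values():
            findings.append("signature algorithm is not one of RSA SHA256/SHA384/SHA512")
    encrypted = report["assertion_encrypted"] or report["encrypted_attribute_count"] > 0
    if encryption_policy == NO_ENCRYPTION and encrypted:
        findings.append("encryption seen on the wire but the policy selects no additional encryption")
    if encryption_policy == ENCRYPT_ATTRIBUTES and report["encrypted_attribute_count"] == 0:
        findings.append("policy encrypts certain attributes but none are encrypted")
    return findings


if __name__ == "__main__":
    report = inspect_response(SAMPLE_RESPONSE)
    print(report)
    print(policy_findings(report, True, "RSA SHA256", ENCRYPT_ATTRIBUTES))
```

A finding that the algorithm is outside the RSA SHA256/384/512 set is the one worth acting on first: the form offers only those three, so anything else (an older SHA-1 URI, for example) means the connection is not built as agreed.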
