ER Express offers Single Sign-On capabilities that are compatible with Azure Active Directory ("Azure AD").
Note that Azure AD and Microsoft AD are two different products. In short, Microsoft AD is for on-premise installation (read more: https://www.compete366.com/blog-posts/the-difference-between-ad-and-azure-ad-explained/).
What is Single Sign-On?
Single Sign-On (SSO) allows a user to log in with a single ID and password to several related, yet independent, software systems. A common example of this is when a web application asks if you want to log in using your Gmail or Facebook account.
Specific to ER Express, SSO enables end-users to log in to the ER Express application suite using the username and password they already use at their clinic/hospital instead of having a separate username/password just for ER Express.
What are the benefits of using Single Sign-On?
Single Sign-On is more secure and convenient.
- Convenience: Staff will use the same credentials they use to login into their Windows/Azure account to log into ER Express. They do not have to remember yet another username/password combination. They are also much less likely to need a password reset or get locked out of their ER Express account.
- Security: ER Express authentication will automatically inherit the authentication strength (such as password complexity and password expiration) that your health system already has in place. Also, if any employee no longer works for the health system, as soon as she is removed from Active Directory, she will also no longer be able to access the ER Express application.
What would Single Sign-On look like for my facility?
- ER Express will provide a dedicated SSO page for your health system. For example, if your health system was 'Milford Health Medical Center' your dedicated SSO login page might be milford.erexpress.com.
- As soon as the user navigates to the SSO page, the system will prompt her to enter her Active Directory username and password.
- Instead of using their ER Express-specific login credentials, staff would use their Active Directory login credentials to access ER Express.
- ER Express and the health system IT do the set-up behind the scenes. Read more below on how to set this up for your facility.
What are the requirements to set up Single Sign-On?
- We currently offer SSO for Azure Active Directory ("AD") - if your hospital uses Microsoft Windows, this is probably what you use.
- IT/security will work with ER Express to set up SSO. They will need to create a group in Active Directory for all users who need access to ER Express.
- Practice managers or site admin will still need to create each user's profile in the ER Express user management module.
- ER Express will provide a dedicated sign-on URL branded specifically for your health system.
Is there an added cost for this feature?
Yes, there is a small upcharge for SSO, depending on how much setup is required. If you're interested, please contact your CSM.
Is it secure? Do you use SAML or oAuth?
Yes, it is secure. We use SAML (Security Assertion Markup Language), and well-established, tested, and secure way to transfer identity data (such as username and password) between the identity provider (idP, such as Azure Active Directory) and the service provider (SP, such as ER Express). Read more: https://auth0.com/blog/how-saml-authentication-works/
Who is the identity provider?
We will use Azure AD by default but we can use others, such as OneLogin if customers request it.
Federated vs password-based SSO?
Which Federated approach?
#2 and #3 together, listed below.
- Using OpenID Connect and OAuth - If the application you're connecting to supports it, use the OIDC/OAuth 2.0 method to enable your SSO to that application. This method requires less configuration and enables a richer user experience. For more information, see OAuth 2.0, OpenID Connect 1.0, and Azure Active Directory developer’s guide.
- Endpoint Configurations for SAML-based SSO - If you use SAML, your developers will need specific information prior to configuring the application. For more info, see Configure SAML-based single sign-on.
- Certificate management for SAML-based SSO - When you enable Federated SSO for your application, Azure AD creates a certificate that is by default valid for three years. You can customize the expiration date for that certificate if needed. Ensure that you have processes in place to renew certificates prior to their expiration. To learn more, see Azure AD Managing Certificates
SP or iDP initiated?