ER Express offers Single Sign-On capabilities that are compatible with Azure Active Directory ("Azure AD").
Note that Azure AD and Microsoft AD are two different products. In short, Microsoft AD is for on-premises installation (read more: https://www.compete366.com/blog-posts/the-difference-between-ad-and-azure-ad-explained/).
What is Single Sign-On?
Single Sign-On (SSO) allows a user to log in with a single ID and password to several related, yet independent, software systems. A common example of this is when a web application asks if you want to log in using your Gmail or Facebook account.
Specific to ER Express, SSO enables end-users to log in to the ER Express application suite using the username and password they already use at their clinic/hospital instead of having a separate username/password just for ER Express.
What are the benefits of using Single Sign-On?
Single Sign-On is more secure and convenient.
- Convenience: Staff will use the same credentials they use to log in to their Windows/Azure account to log in to ER Express. They do not have to remember yet another username/password combination. They are also much less likely to need a password reset or get locked out of their ER Express account.
- Security: ER Express authentication will automatically inherit the authentication strength (such as password complexity and password expiration) that your health system already has in place. Also, if any employee no longer works for the health system, as soon as she is removed from Active Directory, she will also no longer be able to access the ER Express application.
What would Single Sign-On look like for my facility?
- ER Express will provide a dedicated SSO page for your health system. For example, if your health system was 'Milford Health Medical Center' your dedicated SSO login page might be milford.erexpress.com.
- As soon as the user navigates to the SSO page, the system will prompt her to enter her Active Directory username and password.
- Instead of using their ER Express-specific login credentials, staff would use their Active Directory login credentials to access ER Express.
- ER Express and the health system IT do the set-up behind the scenes. Read more below on how to set this up for your facility.
What are the requirements to set up Single Sign-On?
- We currently offer SSO for Azure Active Directory ("Azure AD") - if your hospital uses Microsoft Windows, this is probably what you use.
- IT/security will work with ER Express to set up SSO. They will need to create a group in Active Directory for all users who need access to ER Express.
- Practice managers or site admin will still need to create each user's profile in the ER Express user management module.
- ER Express will provide a dedicated sign-on URL branded specifically for your health system.
Is there an added cost for this feature?
Yes, there is a small upcharge for SSO, depending on how much setup is required. If you're interested, please contact your CSM.
What will the health system's IT department need to do?
- First, set up a group in Active Directory. Then, add all end-users who use ER Express to this group (and, in turn, remove them from this group if they no longer need access).
- Tell ER Express your precise username convention in AD. Examples:
  - email address: firstname.lastname@example.org
  - first name and last name: luke.skywalker
  - first initial and last name: lskywalker
  - employee ID: lskyw1138
- Provision and tell ER Express your IDP entity ID (redacted example: https://sts.windows.net/859dk1a4d-325f-44b9-aaef-xxxxxxxxxxx/)
- Provision and tell ER Express your SSO URL (redacted example: https://login.microsoftonline.com/85f46a4d-265f-41b9-aaef-xxxxxxxxxxx/saml2)
- Provision and send your SAML X509 certificate (redacted example below)
What will ER Express need to do?
- Provision the base URL (for example, for Milford Health system, it might be milford.erexpress.com) - this is the page your health system's end-users will go to in order to trigger SSO.
- Send the ER Express entity ID to the health system.
- Provision where the assertion will post.
- Provision the logout URL.
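The two lists above exchange a handful of identifiers (IdP entity ID, SSO URL, certificate, SP base URL, assertion consumer URL) and each of them ends up as a check the service provider performs on every assertion it receives. The following Python script, added here as an illustration and not code from ER Express or Microsoft, shows those binding checks over a constructed, unsigned sample SAML Response: the entity IDs, URLs, username pattern, group claim name and group name are all placeholder assumptions. It deliberately leaves out XML signature verification, which the SP's SAML library performs against the provisioned X.509 certificate and which must pass before any of the fields below can be trusted.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone

# Namespaces used by SAML 2.0 responses and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


@dataclass
class SPConfig:
    """Values the health system's IT and the SP exchange during setup.
    Every value here is a constructed placeholder, not a real tenant value."""
    idp_entity_id: str = "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"
    sp_entity_id: str = "https://milford.erexpress.example/saml/metadata"
    acs_url: str = "https://milford.erexpress.example/saml/acs"
    # Agreed username convention: email address firstname.lastname@example.org
    username_pattern: str = r"^[a-z]+\.[a-z]+@example\.org$"
    # Group claim name and group the IdP is assumed to emit (assumptions).
    group_attr: str = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
    required_group: str = "ER-Express-Users"


def _parse_time(value: str) -> datetime:
    # SAML timestamps are ISO 8601 in UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text: str, cfg: SPConfig, now: datetime):
    """Return (accepted, problems, username) for one SAML Response.
    Signature verification against the IdP certificate is NOT done here."""
    problems = []
    root = ET.fromstring(xml_text)
    # The Response must be addressed to our assertion consumer URL.
    if root.get("Destination") != cfg.acs_url:
        problems.append("destination mismatch")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, ["no assertion"], None
    # Issuer must be the IdP entity ID the health system provisioned.
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != cfg.idp_entity_id:
        problems.append("issuer mismatch")
    # Audience must name this SP, so an assertion minted for another app is rejected.
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if cfg.sp_entity_id not in audiences:
        problems.append("audience mismatch")
    # Validity window limits how long a captured assertion stays usable.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _parse_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _parse_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
    # NameID carries the AD username; it must match the agreed convention.
    username = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not re.match(cfg.username_pattern, username):
        problems.append("username does not match agreed convention")
    # Group membership gates access: leaving the AD group removes access.
    groups = []
    for attr in assertion.findall(".//saml:Attribute", NS):
        if attr.get("Name") == cfg.group_attr:
            groups.extend(v.text for v in attr.findall("saml:AttributeValue", NS))
    if cfg.required_group not in groups:
        problems.append("user not in ER Express group")
    return (not problems), problems, username


def sample_response(cfg: SPConfig, audience=None, group=None):
    """Constructed, unsigned sample Response for demonstration only."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{cfg.acs_url}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{cfg.idp_entity_id}</saml:Issuer>
    <saml:Subject><saml:NameID>luke.skywalker@example.org</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience or cfg.sp_entity_id}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{cfg.group_attr}">
        <saml:AttributeValue>{group or cfg.required_group}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def run_demo():
    """Exercise the checks with a valid, a cross-application and a stale assertion."""
    cfg = SPConfig()
    now = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
    later = datetime(2024, 1, 1, 12, 10, tzinfo=timezone.utc)
    return {
        "valid": check_response(sample_response(cfg), cfg, now),
        "other_app": check_response(sample_response(cfg, audience="https://other-app.example/"), cfg, now),
        "expired": check_response(sample_response(cfg), cfg, later),
    }


if __name__ == "__main__":
    for name, (ok, why, user) in run_demo().items():
        print(f"{name}: accepted={ok} user={user} problems={why}")
```

Each provisioned value maps to one check: the IdP entity ID to the Issuer, the SP entity ID to the Audience, the assertion consumer URL to the Destination, the username convention to the NameID pattern, and the AD group to the group claim. Removing a user from the group, as the IT list above describes, fails the last check on the next login.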
Is it secure? Do you use SAML or oAuth?
Yes, it is secure. We use SAML (Security Assertion Markup Language), a well-established, tested, and secure way to transfer identity data (such as the authenticated username) between the identity provider (IdP, such as Azure Active Directory) and the service provider (SP, such as ER Express); the user's password is entered only at the identity provider and is never sent to ER Express. Read more: https://auth0.com/blog/how-saml-authentication-works/
Who is the identity provider?
We will use Azure AD by default, but we can use others, such as OneLogin, if customers request it.
Federated vs password-based SSO?
Which Federated approach?
The second and third approaches listed below, used together.
- Using OpenID Connect and OAuth - If the application you're connecting to supports it, use the OIDC/OAuth 2.0 method to enable your SSO to that application. This method requires less configuration and enables a richer user experience. For more information, see OAuth 2.0, OpenID Connect 1.0, and Azure Active Directory developer’s guide.
- Endpoint Configurations for SAML-based SSO.
- Certificate management for SAML-based SSO - When you enable Federated SSO for your application, Azure AD creates a certificate that is by default valid for three years.
SP- or IdP-initiated?