Expected SAML Token Format for IdP Authentication

AAHC uses SAML tokens to authenticate and authorize users of the Identity Provider (IdP). A SAML token should contain:

  1. A Subject element whose NameID value is the user identifier.

  2. An attribute named careProvider, with the following two values (carried in one AttributeValue, separated by a semicolon, as in the example below):

    • HSA-id of the care provider as configured in IdP

    • Display name for the care provider

  3. An attribute named careUnitReviewerFor, with the following three values (carried in one AttributeValue, separated by semicolons, as in the example below):

    • The care provider's HSA-id, which identifies each care provider as configured in IdP

    • Care Unit Reviewer id as configured in IdP

    • Display name for the care unit reviewer

  4. An attribute named Roles, with the following value:

    • The role as configured in IdP

Note

The attribute name is case-sensitive.

Example of a SAML token:

  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_jbirybwis-hbgl-4ebd-bb76-9985jg855e2" IssueInstant="2018-08-10T05:08:53Z">
     <saml2:Subject>
        <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">bruce</saml2:NameID>
     </saml2:Subject>
     <saml2:AuthnStatement AuthnInstant="2018-08-10T05:08:53Z" SessionIndex="42">
        <saml2:AuthnContext>
           <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
     </saml2:AuthnStatement>
     <saml2:AttributeStatement>
        <saml2:Attribute Name="careProvider">
           <saml2:AttributeValue>SE000000000000-0000;Bir Hospital</saml2:AttributeValue>
           <saml2:AttributeValue>SE000000000000-0000;Kanti Hospital</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="careUnitReviewerFor">
           <saml2:AttributeValue>SE000000000000-0000;SE000000000000-0000;Any</saml2:AttributeValue>
           <saml2:AttributeValue>SE000000000000-0000;SE000000000000-0000;Any</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="Roles">
           <saml2:AttributeValue>role_patient_access</saml2:AttributeValue>
           <saml2:AttributeValue>role_user_access</saml2:AttributeValue>
           <saml2:AttributeValue>role_super_admin</saml2:AttributeValue>
        </saml2:Attribute>
     </saml2:AttributeStatement>
  </saml2:Assertion>
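The structural rules above, as an added example that is not part of the original page or of AAHC's own code: a check that an assertion carries the NameID and the three attributes with exact (case-sensitive) names and the right number of semicolon-separated fields. The sample assertion is constructed from the example above; signature, issuer and audience validation are assumed to happen in the SAML library before this check runs.

```python
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Required attribute names (case-sensitive, as the note above says) and the number
# of ';'-separated fields each AttributeValue must carry, per the format described.
REQUIRED_ATTRIBUTES = {"careProvider": 2, "careUnitReviewerFor": 3, "Roles": 1}

def check_assertion(xml_text):
    """Return a list of format problems; an empty list means the assertion has the
    expected structure. Structure only: signature, issuer and audience checks are
    the SAML library's job and must run before this function is called."""
    problems = []
    root = ET.fromstring(xml_text)
    name_id = root.find("saml2:Subject/saml2:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing Subject/NameID carrying the user identifier")
    # Exact-match lookup, so 'roles' or 'CareProvider' is not accepted as a match.
    found = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", SAML_NS):
        found[attr.get("Name")] = [(v.text or "").strip()
                                   for v in attr.findall("saml2:AttributeValue", SAML_NS)]
    for name, field_count in REQUIRED_ATTRIBUTES.items():
        values = found.get(name)
        if not values:
            problems.append(f"missing attribute '{name}' (names are case-sensitive)")
            continue
        for value in values:
            fields = value.split(";")
            if len(fields) != field_count or not all(fields):
                problems.append(f"attribute '{name}': value '{value}' must have "
                                f"{field_count} non-empty ';'-separated field(s)")
    return problems

# Constructed sample, trimmed from the assertion shown on this page.
VALID_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_example" IssueInstant="2018-08-10T05:08:53Z">
  <saml2:Subject><saml2:NameID>bruce</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="careProvider">
      <saml2:AttributeValue>SE000000000000-0000;Bir Hospital</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="careUnitReviewerFor">
      <saml2:AttributeValue>SE000000000000-0000;SE000000000000-0000;Any</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="Roles"><saml2:AttributeValue>role_user_access</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""
# Same assertion with a lower-case attribute name and a careProvider value lacking its display name.
BAD_ASSERTION = (VALID_ASSERTION.replace('Name="Roles"', 'Name="roles"')
                 .replace("SE000000000000-0000;Bir Hospital", "SE000000000000-0000"))
```

`check_assertion(VALID_ASSERTION)` returns an empty list, while `check_assertion(BAD_ASSERTION)` reports both the missing `Roles` attribute and the one-field `careProvider` value.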
