PhenixID

Step by Step – Medlo MFA and SSO with PhenixID Authentication Services

Summary

This document will guide you through the steps to enable multi-factor authentication and Single Sign-On for the healthcare staffing solution Medlo (https://www.medlo.se/) using OpenID Connect.

System Requirements

  • PhenixID Authentication Server 4.0 or higher
  • Medlo technical administrator contact

Instruction

Overview

This document will guide you through the steps to enable multi-factor authentication and Single Sign-On for Medlo.

PhenixID Authentication Services acting as OpenID Connect Provider

About claims

Medlo uses two custom claims:

  1. To determine whether the user is an administrator (auxMedloAdmin)
  2. The user's care unit (vårdenhet) (auxMedloUnit)

  1. Login to Configuration Manager.
  2. Go to Scenarios -> OIDC
  3. Add a new relying party:
    – client_id = medlo
    – client_password = <generate a password and set it>
    – Allowed redirect URIs = <ask the Medlo admin which value to use>
  4. Create a new OpenID Connect provider by selecting the desired authentication method. Follow the scenario guidelines for values.
    Use the Authorization Code Flow.
    Add medlo as an allowed relying party (RP) for the OP.
  5. Once done, click Execution flow
  6. Expand the first execution flow (this might be different based on the authentication method selected)
  7. Change the configuration to fetch these attributes:
    1. hsaIdentity
    2. auxMedloAdmin
    3. auxMedloUnit

    Based on your environment, the values might be fetched from different attributes. If so, add PropertyRenameValves after the lookup to rename the item property to the names above.

  8. If the auxMedloAdmin value is empty, the value should be set to N. Add this valve to fulfil the requirement (the skip_if_expr below skips the valve when the item already carries the auxMedloAdmin property):
    {
      "name" : "PropertyAddValve",
      "config" : {
        "name" : "auxMedloAdmin",
        "value" : "N",
        "skip_if_expr" : "var myItem=flow.firstItem(); myItem.containsProperty('auxMedloAdmin')"
      }
    }
  9. Save the item properties to session properties by adding SessionPropertyReplaceValve valves to the config.
  10. Save
  11. Expand token endpoint
  12. Expand GenerateJwtTokenValve (this valve produces the id_token).
  13. On the token attributes part, add a new name-value pair:
    name = auxMedloAdmin
    value = {{session.auxMedloAdmin}}
  14. On the token attributes part, add a new name-value pair:
    name = hsaIdentity
    value = {{session.hsaIdentity}}
  15. On the token attributes part, add a new name-value pair:
    name = auxMedloUnit
    value = {{session.auxMedloUnit}}
  16. Save changes.
  17. Click Add valve
  18. Select PropertyAddValve
  19. Enter name = token_type and value = Bearer. Make sure the valve is placed last in the execution flow.
  20. Save the changes
  21. Click on the OpenID Connect Provider and then General
  22. Click View OP Discovery
  23. Copy the OP discovery URL.
  24. Send this info to the Medlo administrator:
    1. OP Discovery URL
    2. client_id
    3. client_secret (the client_password value set in step 3)
    4. Names of the claims in the id_token (hsaIdentity, auxMedloAdmin, auxMedloUnit)
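As an added worked example (not PhenixID's or Medlo's code), the following Python emulates the claim pipeline configured in steps 7-19 and the checks a relying party such as Medlo should perform on the id_token it receives. The directory attribute names employeeHsaId, medloAdminFlag and medloUnit, the issuer URL, the secret and the HSA-ID value are all constructed; HS256 keyed with the client secret stands in for whatever signing key the OP is actually configured with. The default-to-N rule here goes slightly beyond the guide: it also covers a present-but-empty value, whereas the skip_if_expr in step 8 only checks that the property is present.

```python
import base64
import hashlib
import hmac
import json
import time

# Claim names Medlo expects in the id_token (from the guide above).
REQUIRED_CLAIMS = ("hsaIdentity", "auxMedloAdmin", "auxMedloUnit")

# Hypothetical directory attribute names for an environment whose attributes
# differ from the Medlo names; this mapping plays the role of the
# PropertyRenameValves mentioned under step 7.
ATTRIBUTE_RENAMES = {
    "employeeHsaId": "hsaIdentity",
    "medloAdminFlag": "auxMedloAdmin",
    "medloUnit": "auxMedloUnit",
}


def build_session_properties(item_properties):
    """Steps 7-9: rename looked-up attributes, default the admin flag, copy to session."""
    session = {ATTRIBUTE_RENAMES.get(k, k): v for k, v in item_properties.items()}
    # Step 8: fail closed to "N" (not an administrator). The guide's skip_if_expr
    # only checks presence; this example also treats an empty string as missing.
    if not session.get("auxMedloAdmin"):
        session["auxMedloAdmin"] = "N"
    return session


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(session, issuer, client_id, secret, now=None, lifetime=300):
    """Steps 12-15: emulate GenerateJwtTokenValve filling {{session.*}} into the id_token.
    HS256 with the client secret is a constructed stand-in for the OP's real signing key."""
    now = int(time.time()) if now is None else now
    payload = {"iss": issuer, "sub": session["hsaIdentity"], "aud": client_id,
               "iat": now, "exp": now + lifetime}
    for name in REQUIRED_CLAIMS:
        payload[name] = session[name]          # value = {{session.<name>}}
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def token_response(id_token, access_token):
    """Steps 17-19: the token endpoint response with token_type=Bearer added."""
    return {"access_token": access_token, "id_token": id_token, "token_type": "Bearer"}


def validate_id_token(token, issuer, client_id, secret, now=None):
    """Relying-party checks: pinned alg, signature, iss, aud, exp, required claims.
    Returns only the three Medlo claims; raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(_b64url_decode(head))
    if header.get("alg") != "HS256":           # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    missing = [name for name in REQUIRED_CLAIMS if not claims.get(name)]
    if missing:
        raise ValueError("missing claims: " + ", ".join(missing))
    return {name: claims[name] for name in REQUIRED_CLAIMS}


def id_token_is_acceptable(token, issuer, client_id, secret, now=None):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_id_token(token, issuer, client_id, secret, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a non-admin user looked up with the hypothetical attribute names.
    session = build_session_properties({"employeeHsaId": "SE0000000000-TEST1",
                                        "medloUnit": "Akutmottagningen"})
    tok = issue_id_token(session, "https://op.example.test/oidc", "medlo", "constructed-secret")
    print(token_response(tok, "constructed-access-token"))
    print(validate_id_token(tok, "https://op.example.test/oidc", "medlo", "constructed-secret"))
```

The relying-party side pins the algorithm, verifies the signature before reading any claim, and checks iss, aud and exp, which is the minimum Medlo's integration should do with the id_token; a missing or empty Medlo claim is a hard failure rather than a silently granted default.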

Configure Medlo

The Medlo administrator will configure Medlo based on the information received in the step above.

Test

  1. Browse to Medlo
  2. Your browser should be redirected to PhenixID Authentication Services for authentication.
  3. Authenticate
  4. You should now be redirected back to Medlo.
  5. You should now be logged in to Medlo with the correct permissions (based on the unit and admin claims).

DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se