PhenixID

Step by Step – Milou by Medexa MFA and SSO with PhenixID Authentication Services

Summary

This document will guide you through the steps to enable multi-factor authentication and SSO for the hospital CTG data management system Milou (https://www.medexa.se/en/milouenglish/)

System Requirements

  • PhenixID Authentication Server 3.0 or higher
  • Milou system administrator technical contact

Instruction

Configure PhenixID Authentication Services as Identity Provider

  1. Setup PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here)
  2. Go to Scenarios->Federation-><YOUR_IDP>->Identity Provider
  3. Add a Post SLO url: https://<your_phenixid_domain>/saml/authenticate/logout/
  4. This integration has two options regarding SAML attributes:
    1. Using commission (Medarbetaruppdrag)
    2. Not using commission (Medarbetaruppdrag)Your organization will decide.
      For more info about option #1, please view the last section of this page.
      With option #1, a commission-selector must be added to the IdP flow. Please contact PhenixID for support.
  5. Go to Scenarios->Federation-><YOUR_IDP>->Execution Flow
  6. To populate the SAML assertion with the correct data, please make sure to fetch these attributes: (How the attributes are fetched will differ based on your environment / user stores etc).
    1. Using commission:
      givenName
      employeeHsaId
      sn
      occupationalCode
      healthcareProfessionalLicense
      systemRole
      commissionHsaId
      commissionName
      commissionRight
      commissionPurpose
      healthCareUnitHsaId
      healthCareUnitName
      healthCareProviderHsaId
      healthCareProviderName

      (For more infomation about these attributes, please view the sambi attributes specification.)

    2. Not using commission:
      givenName
      employeeHsaId
      sn
      occupationalCode
      healthcareProfessionalLicense
      systemRole

      (For more infomation about these attributes, please view the sambi attributes specification.)

  7. Make the following adjustments to the execution flow.
    1. Add a PropertyAddValve for each attribute above where name = <urn:oid-name-for-each-attribute> and value = {{item.<name_of_the_attribute_above>}}.
      Example:

      The urn-oid-values should map according to this list:
      urn:oid:2.5.4.42 (givenName)
      urn:oid:1.2.752.29.6.2.1 (employeeHsaId)
      urn:oid:2.5.4.4 (sn)
      urn:oid:1.2.752.221.100.1.1 (occupationalCode)
      urn:oid:1.2.752.116.3.1.3 (healthcareProfessionalLicense)
      urn:oid:1.2.752.29.4.95 (systemRole)
      urn:oid:1.2.752.29.6.12.1 (commissionHsaId)
      urn:oid:1.2.752.29.6.12.2 (commissionName)
      urn:oid:1.2.752.29.4.124 (commissionRight)
      urn:oid:1.2.752.29.4.125 (commissionPurpose)
      urn:oid:1.2.752.29.6.13.1 (healthCareUnitHsaId)
      urn:oid:1.2.752.29.6.13.2 (healthCareUnitName)
      urn:oid:1.2.752.29.6.10.1 (healthCareProviderHsaId)
      urn:oid:1.2.752.29.6.10.2 (healthCareProviderName)

      (For more infomation about these attributes, please view the sambi attributes specification.)

    2. Place all of the PropertyAddValves before the AssertionProviderValve.
    3. Click AssertionProvider
      1. Set NameID Attribute = urn:oid:1.2.752.29.6.2.1
      2. Set additional attributes based on the options above.
        Option #1:
        urn:oid:2.5.4.42,urn:oid:1.2.752.29.6.2.1,urn:oid:2.5.4.4,urn:oid:1.2.752.221.100.1.1,urn:oid:1.2.752.116.3.1.3,urn:oid:1.2.752.29.4.95,urn:oid:1.2.752.29.6.12.1,urn:oid:1.2.752.29.6.12.2,urn:oid:1.2.752.29.4.124,urn:oid:1.2.752.29.4.125,urn:oid:1.2.752.29.6.13.1,urn:oid:1.2.752.29.6.13.2,urn:oid:1.2.752.29.6.10.1,urn:oid:1.2.752.29.6.10.2

        Option #2:
        urn:oid:2.5.4.42,urn:oid:1.2.752.29.6.2.1,urn:oid:2.5.4.4,urn:oid:1.2.752.221.100.1.1,urn:oid:1.2.752.116.3.1.3,urn:oid:1.2.752.29.4.95
    4. Save
  8. Go to Scenarios->Federation-> <newly_added_scenario> -> Identity Provider. Deselect “Require signed requests”.
  9. Save.
  10. Then export your SAML IdP metadata by going to the URL:
    https://<YourServerDomainName>/saml/authenticate/<authenticator_alias>?getIDPMeta
    and download the metadata to a xml file.

Configure Milou

  1. Send the downloaded IdP metadata to your Milou contact.
  2. The Milou contact will now configure Milou and send a SAML SP metadata file.

Add Milou as trusted Service Providers in PhenixID Authentication Services

  1. Login to configuration manager
  2. Scenarios->Federation
  3. SAML Metadata upload
  4. Add the Milou SAML SP metadata file.

Test

Browse to Milou.

You should be redirected to PhenixID Authentication Services.

Authenticate (with or without commission-selection based on the organization setup).

You should be redirected back to Milou.

You should now be logged in to Milou.

DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se