Using the Single Sign-On feature within CareAR Assist requires version 23.02 (or newer).
What is SSO?
SSO is a feature that changes how an end user account logs into CareAR, whether through the web portal or the application. By default, the login uses a username (email address) and a password that are set up only for your CareAR account. With SSO, end users use the same account credentials your organization stores on its own server across multiple applications. End users do not have to remember an additional password, and technical teams can centralize user credentials.
How does SSO work for my end users?
Once SSO is configured for the CareAR tenant, end users log into either the CareAR application or the CareAR web portal by entering their email address as the username, as normal. Once the username is entered, the user is authenticated against the SSO configuration. If the user is not already a CareAR user but authenticates successfully through SSO, they are provisioned automatically as a user if seats are available. If the end user is not currently SSO authenticated, a web view opens prompting them to log into their SSO user account.
Prerequisites
- To enable SSO for your CareAR accounts, your organization must have a centralized user directory, known as an Identity Provider (IdP), that can establish SSO using SAML 2.0.
- An administrator for your IdP to aid in deploying the SSO integration.
- SSO feature enabled for your CareAR tenant
  - To have the SSO feature enabled, please raise a support request with CareAR Support
- Consider which user field values you would like to automatically populate into end users' CareAR profiles (see the User Field Mapping section below)
User Field Mapping
To create a user's CareAR profile at the time of SSO login, some information about that user must be provided by the IdP system. For data stored in the SSO platform to apply correctly to the CareAR platform, it is important to establish the appropriate attribute claims, that is, the variables the SSO platform will provide about a user. Below is a table of the fields the IdP system can provide for the end user's CareAR profile.
Attribute name | Purpose | Required?
--- | --- | ---
email | User's email / username | Mandatory
firstName | End user's first name | Mandatory
lastName | End user's last name | Mandatory
tenantId | CareAR Tenant ID value | Mandatory
role | CareAR permission set; default is general user if not passed. Options available: user/analyst/creator/tenant_admin | Optional
primaryPhone | Primary phone to receive SMS invites on | Optional
secondaryPhone | Alternative phone to receive SMS invites on | Optional
group | Defined grouping the user belongs to within the CareAR tenant | Optional
jobDescription | End user's job title | Optional
Before deploying SSO, work with your IdP administrator to decide which IdP attributes will be issued as claims for CareAR, and which attribute name on the CareAR platform each of them maps to.
Warning
When enabling SSO for a tenant, all users other than the primary tenant admin will need to authenticate through SSO. Local authentication (username and password) will not be available for users other than the primary tenant admin. All existing users other than the primary tenant admin will be removed when SSO is enabled.
Deploying SSO
After the prerequisites above are completed, follow the steps below to deploy SSO.
Part 1: Configuring CareAR Tenant with SSO Information
- As the tenant admin, navigate to https://carear.app/#/admin/login -> Administration -> SSO (SAML 2.0)
- Working with the IdP admin, fill in the following fields:

Field Name | Definition
--- | ---
Domain name | Your email domain
IdP Entity ID | Friendly name of the IdP
IdP URL | URL to trigger an SSO event
IdP Certificate | Certificate broadcast by the IdP server
(Optional) Phone number prefix | Country code for end user phone numbers

- Click Save
Part 2: Configuring IdP with CareAR Information
- From the CareAR Administration screen from the prior section, you will need to share the following values with your IdP administrator
  - Service Provider Name
    - Name of the Service Provider (CareAR). This will typically end with '-PRO'.
  - SP Entity ID
    - Entity ID of the Service Provider (CareAR). This will typically end with '-SPID'.
  - ACS URL
    - The URL the IdP sends the user back to after a successful SSO login, so that the next step of the SSO login can proceed
  - Tenant ID
    - The unique value of the CareAR tenant. This value will need to be included as one of the claims from the IdP, named 'tenantId'.
- Your IdP administrator will need to configure CareAR as an SSO application using the values listed in the previous bullets as well as the User Field Mapping section from earlier in this article.
  - For example, user email addresses might be stored in the IdP as user.mail. To pass this email address to CareAR, the IdP will need to issue a claim named 'email' and provide the value of user.mail for that claim.
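As an added example (not code from the CareAR article or product), the Python below reads a constructed SAML AttributeStatement carrying the claims from the User Field Mapping table, with the 'email' claim populated from the IdP's user.mail as in the example above, and checks the mandatory claims, the tenantId and the role value before a profile would be created. The assertion content, the tenant ID and the user data are placeholders.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names taken from the CareAR User Field Mapping table.
REQUIRED = ("email", "firstName", "lastName", "tenantId")
OPTIONAL = ("role", "primaryPhone", "secondaryPhone", "group", "jobDescription")
ROLES = {"user", "analyst", "creator", "tenant_admin"}

# Constructed sample assertion: the IdP has mapped its user.mail attribute
# onto the 'email' claim. Tenant ID and user data are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="tenantId"><saml:AttributeValue>TENANT-ID-PLACEHOLDER</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>analyst</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="primaryPhone"><saml:AttributeValue>15551234567</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml: str) -> dict:
    """Return {claim name: first AttributeValue text} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        if attr.get("Name") and value is not None and value.text:
            claims[attr.get("Name")] = value.text.strip()
    return claims


def check_profile_claims(claims: dict, expected_tenant: str):
    """Apply the mapping table: return (profile fields, list of problems)."""
    problems = [f"missing required claim: {n}" for n in REQUIRED if n not in claims]
    if "tenantId" in claims and claims["tenantId"] != expected_tenant:
        problems.append("tenantId does not match this CareAR tenant")
    role = claims.get("role", "user")  # default is general user if not passed
    if role not in ROLES:
        problems.append(f"unknown role value: {role!r}")
    profile = {n: claims[n] for n in REQUIRED + OPTIONAL if n in claims}
    profile["role"] = role
    return profile, problems


if __name__ == "__main__":
    print(check_profile_claims(extract_claims(SAMPLE_ASSERTION), "TENANT-ID-PLACEHOLDER"))
```

Running the check against a test assertion from your IdP before enabling SSO shows which claims the IdP administrator still needs to map.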
Part 3: Activate the SSO Integration
- Navigate to the CareAR Web Administration page -> Administration -> SSO (SAML 2.0)
- Click Enable in the top right
- A confirmation prompt will display; its content depends on how many users are on the tenant:
  - Only the Primary Tenant Admin
  - Multiple Users
- Select 'Enable' if ready to enable SSO integration
- SSO is now enabled. Attempt to log into the CareAR web portal (https://carear.app/#/user) or the CareAR application (available to download from https://carear.app/#/download) using a valid email address from the IdP platform