Auth Clients and Single Sign-on

PHC allows you to configure third-party authentication clients for Single Sign-on (SSO). With SSO, users sign in with the credentials they already have at your organization's identity provider, so you do not have to create PHC usernames and passwords for new users, and the identity provider's own authentication policy (password rules, multi-factor authentication, and deprovisioning of leavers) applies to PHC logins as well.

PHC offers preconfigured options to set up Facebook and Google authentication as identity providers. It also offers a Custom Identity Provider option that allows you to set up a wide variety of SSO providers.

PHC supports the SAML 2.0 protocol. Only SP-initiated SSO is supported: the login starts at PHC, which redirects the browser to your identity provider with an authentication request, and the identity provider then returns the authenticated user to PHC. IdP-initiated SSO, where the user starts from the identity provider's portal and arrives at PHC with an unsolicited assertion, is not supported.
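The following is an added example, not LifeOmic's or PHC's code, showing what the first leg of SP-initiated SAML 2.0 SSO looks like on the wire and why the SP-initiated restriction matters. The service provider (standing in for PHC) builds an AuthnRequest, encodes it per the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode) and sends the browser to the IdP's SSO endpoint; when the response comes back, the SP accepts it only if its InResponseTo matches a request ID the SP issued, which is exactly the check an unsolicited IdP-initiated response cannot pass. The entity ID, endpoint URLs and RelayState value are assumptions modelled on the page's example configuration; signature verification of the response is out of scope here and must still be done with an XML-signature library before any assertion is trusted.

```python
"""Added example (not PHC's code): SP-initiated SAML 2.0 AuthnRequest over the
HTTP-Redirect binding, plus the InResponseTo check that rejects unsolicited
(IdP-initiated) responses. URLs and identifiers are assumptions."""
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed values modelled on the page's customer123 example; not PHC's real configuration.
SP_ENTITY_ID = "https://apps.us.lifeomic.com"
ACS_URL = "https://apps.us.lifeomic.com/auth/v1/app-redirect"
IDP_SSO_URL = "https://customer123.idp.example.com/idp/profile/SAML2/Redirect/SSO"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(request_id=None, issue_instant=None):
    """Return (request_id, xml) for an AuthnRequest the SP will send to the IdP.
    The SP must remember request_id so it can later match the IdP's response."""
    request_id = request_id or ("_" + secrets.token_hex(16))  # must be an XML NCName, hence the leading "_"
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": ACS_URL,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return request_id, ET.tostring(req, encoding="unicode")


def redirect_binding_url(xml_text, relay_state):
    """Encode the request per the HTTP-Redirect binding: raw DEFLATE (no zlib
    header, wbits=-15), base64, then URL-encode as the SAMLRequest parameter."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "RelayState": relay_state,  # opaque value the IdP echoes back, e.g. where to land after login
    }
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_saml_request(url):
    """What the IdP does on receipt: reverse the binding and parse the AuthnRequest."""
    qs = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    xml_text = zlib.decompress(raw, -15).decode("utf-8")
    return ET.fromstring(xml_text), qs["RelayState"][0]


def response_matches_request(response_xml, pending_request_ids):
    """SP-side check: a Response is only acceptable if its InResponseTo names a
    request this SP issued and has not yet consumed. An IdP-initiated response
    carries no InResponseTo, so it is rejected here. This does NOT replace
    signature, audience, Destination and NotOnOrAfter validation."""
    root = ET.fromstring(response_xml)
    in_response_to = root.get("InResponseTo")
    return in_response_to is not None and in_response_to in pending_request_ids
```

In a real SP the pending request IDs live in server-side state (or a signed cookie) with a short expiry, and each ID is removed once a response consumes it so a captured response cannot be replayed.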

Note

The Auth Clients tab is only available for Enterprise account customers. The tab does not appear at other account levels. To become a LifeOmic Enterprise customer, contact your LifeOmic representative.

Configure an Authentication Client

Caution

Configuring an SSO client is an advanced operation. Assistance from LifeOmic is available.

Access Control

A user needs to belong to the default Admin group, or hold equivalent permissions, to complete this procedure. To add a user to the default Admin group, follow the procedure Add a user to a group with the Users tab.

  1. From any page in PHC, click the PHC logo at the top of the page.
  2. From the home page, click the Account Info tile.
  3. From the account info page, click Auth Clients to see the currently configured Authentication Clients.
  4. If you need to delete an existing client, click the icon next to the client name.
  5. To add a new client, click New Client. An account is allowed one Web Client and one Client Credentials client.
  6. Enter a name in the Name field.
  7. The Callback URL(s) and the Logout URL(s) populate automatically.
  8. Under Allowed OAuth Flows, click Web Client. Note: Client Credentials is not normally used; it is a non-interactive flow intended for programmatic access, not for user sign-on. If you need programmatic interactions with PHC, the best practice is to create an API key instead. For more information, see API Keys.
  9. Click one or more Allowed Identity Providers:
    • Google allows you to use Google accounts (Google sign-in) as an identity provider.
    • Facebook allows you to use the Facebook Login feature for an authentication method.
    • LifeOmic is reserved for LifeOmic employee use.
    • Custom Identity Providers allows you to configure a variety of SSO clients, such as Microsoft Azure. See the following section, Configure a Custom Identity Provider, for detailed information on this option.
  10. An Alternate OIDC Provider is usually not required. It is required only when PHC must work with SMART on FHIR applications.
  11. Click Save Changes.

Configure a Custom Identity Provider

The information needed for a custom identity provider is specific to that provider and is normally published in the provider's documentation or in the SAML metadata document it serves. For example, when you want to configure Microsoft Azure, consult the Microsoft Azure documentation to find the values for the fields in the SSO (Single Sign-On) section of PHC.

Example Configuration for customer123 Account

This example is for an organization using a Shibboleth IdP.

  • Callback URLs: https://apps.us.lifeomic.com/auth/v1/app-redirect
  • Logout URLs: https://customer123.apps.us.lifeomic.com/phc/logout
  • Metadata document URL: https://customer123.idp.example.com/shibboleth-idp/shibboleth
  • Email attribute mapping: urn:oid:0.9.2342.19200300.100.1.3 (the LDAP mail attribute)
  • Name attribute mapping: urn:oid:2.16.840.1.113730.3.1.241 (the LDAP displayName attribute)

Example User/Browser Flow

In addition to the diagrams below, you can also reference the AWS Cognito documentation.

[Diagram: SSO Flow]

Example URLs and parameters, using Okta for the IdP:

[Diagram: SSO Flow URLs]


Last update: 2021-07-13