Federated SSO


Overview


With federation, your identity management system authenticates your users, who are then signed on transparently to Roche internal applications. You, as the Identity Provider (IdP), are responsible for asserting these digital identities.

Roche, as Service Provider (SP), is the entity that provides the services. Roche as SP does not authenticate users itself but relies on you as IdP for user authentication. We delegate the authentication responsibility to you as a trusted external partner: when your users want to access a Roche service, Roche as SP hands the authentication over to you, the IdP, as the federated party.


What is SAML?


The federation relationship between you and Roche is accomplished through the SAML 2.0 protocol. It rests on a trust relationship between you as IdP and Roche as SP.

SAML stands for Security Assertion Markup Language and is a protocol for exchanging authentication and authorization data between separate systems. It is used to provide Single Sign-On (SSO) and Single Logout (SLO) across security domains. Roche supports SAML 2.0, an XML-based protocol that uses security tokens containing assertions to pass data between a SAML Identity Provider (IdP) and a Service Provider (SP). The SAML specification was developed and is maintained by the Security Services Technical Committee of OASIS.

The following attributes must be provided in the SAML assertion to establish a connection to RDCP:

  • HCP email – the email linked to the RDCP account
  • User Healthcare Center ID (HCC_ID)

SAML Assertion


Roche as SP does not take part in the authentication process; it trusts you as IdP and allows the user to access the service once you have authenticated the user. Your application initiates the flow by calling us, the SP, with the provided link (IdP-initiated SSO). The message sent between the systems is called an assertion. The assertion contains the user's email along with the HCC_ID, which we need to create a user session. It is cryptographically signed so that Roche as SP can verify that it came from you, the expected IdP, and was not altered in transit.

Note that Roche as SP plays no part in authenticating the user; it trusts you, the IdP, to take care of that. What Roche as SP does check is that the user was properly authenticated and was in fact previously registered with the same HCC_ID that your SAML assertion carries. We require this extra HCC_ID validation to address a security issue that would otherwise arise if an HCP from one center tried to connect with an HCC_ID that does not belong to them.


SAML Assertion example


The message passed between you as Identity Provider (IdP) and Roche as Service Provider (SP) is the assertion. The assertion contains all the information the SP (Roche) needs to create a session. You as IdP are required to include HCC_ID (Health Care Center ID) and email as attributes in the SAML response. The XML excerpt below shows these SAML attributes.


  <saml:AttributeStatement>
      <saml:Attribute FriendlyName="email"
                      Name="urn:oid:1.2.840.113549.1.9.1"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
          <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                               xsi:type="xs:string">ssodemo-63@yopmail.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="HCC_ID"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
          <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                               xsi:type="xs:string">00010</saml:AttributeValue>
      </saml:Attribute>
  </saml:AttributeStatement>
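As an added example (not Roche/RDCP code), the SP-side logic that the "SAML Assertion" section and the excerpt above describe: pull the email and HCC_ID attributes out of an assertion shaped like the excerpt and refuse to create a session unless the asserted HCC_ID is the one the HCP registered with. It uses only the Python standard library. The REGISTERED_HCP registry, the make_assertion helper and the issuer URL are assumptions for illustration, and the sample assertion is constructed; signature, Issuer, Audience and validity-period verification are assumed to have been performed by the SAML library before this code runs.

```python
"""Added example (not Roche/RDCP code): SP-side handling of the email and HCC_ID
attributes from a SAML 2.0 assertion, with the HCC_ID-matches-registration check.
Runs after the SAML library has verified the XML signature, Issuer, Audience and
validity period; only the attribute mapping is shown here."""
from __future__ import annotations

import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_ATTR = "urn:oid:1.2.840.113549.1.9.1"  # attribute Name used for the email on this page
HCC_ATTR = "HCC_ID"                           # attribute Name used for the Health Care Center ID

# Hypothetical SP-side registry: email of a registered HCP -> HCC_ID they registered with.
REGISTERED_HCP = {"ssodemo-63@yopmail.com": "00010"}


class AssertionRejected(ValueError):
    """The assertion does not yield one consistent, registered HCP identity."""


def make_assertion(email: str, hcc_id: str) -> str:
    """Constructed sample assertion carrying the AttributeStatement shown on this page.
    Signature and Conditions are omitted; a real assertion from the IdP carries both."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute FriendlyName="email" Name="{EMAIL_ATTR}"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>{email}</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{HCC_ATTR}"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>{hcc_id}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Collect AttributeValues keyed by Attribute Name. FriendlyName is informational
    only in SAML, so it is deliberately not used as a key."""
    root = ET.fromstring(assertion_xml)  # production: use the SAML library's hardened parser
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        if not name:
            raise AssertionRejected("Attribute without a Name")
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def single_value(attrs: dict[str, list[str]], name: str) -> str:
    """Require exactly one non-empty value; two HCC_IDs in one assertion is ambiguous, not a choice."""
    values = attrs.get(name, [])
    if len(values) != 1 or not values[0]:
        raise AssertionRejected(f"expected exactly one value for {name}, got {values!r}")
    return values[0]


def build_session(assertion_xml: str, registry: dict[str, str]) -> dict[str, str]:
    """Map a verified assertion to a session identity, enforcing the HCC_ID check the page describes."""
    attrs = extract_attributes(assertion_xml)
    email = single_value(attrs, EMAIL_ATTR).lower()
    hcc_id = single_value(attrs, HCC_ATTR)
    registered_hcc = registry.get(email)
    if registered_hcc is None:
        raise AssertionRejected(f"{email} is not a registered RDCP account")
    if hcc_id != registered_hcc:
        # The cross-center case: an HCP asserted under a center ID that is not the one they registered with.
        raise AssertionRejected(f"HCC_ID {hcc_id} does not match the registered center for {email}")
    return {"email": email, "hcc_id": hcc_id}


def accepted(assertion_xml: str, registry: dict[str, str]) -> bool:
    """True if build_session would create a session, False if it rejects the assertion."""
    try:
        build_session(assertion_xml, registry)
        return True
    except AssertionRejected:
        return False


if __name__ == "__main__":
    print(build_session(make_assertion("ssodemo-63@yopmail.com", "00010"), REGISTERED_HCP))
    print(accepted(make_assertion("ssodemo-63@yopmail.com", "00020"), REGISTERED_HCP))
```

Keying attributes by Name rather than FriendlyName matters: FriendlyName is informational only in SAML and an IdP may change it freely. Rejecting missing or multi-valued email and HCC_ID attributes closes the ambiguity of an assertion that carries two center IDs, and the registry lookup is what turns a merely authenticated user into one who is allowed into their own center's data.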

Examples of Identity Providers that support SAML 2.0


  • Active Directory Federation Services (ADFS)
  • Azure AD
  • Okta
  • Google IdP
  • Oracle Identity Manager
  • Amazon Cognito
  • Auth0
  • OneLogin
  • RSA SecurID
  • Zoho Vault