Overview
Single Sign-On (SSO) allows your organisation to log into MediMap using your existing SSO solution. This guide outlines the full onboarding process, the information you will need, validation steps, and how to roll SSO out across a multi-site organisation or to individual sites.
Setup SSO for your Organisation
1. Complete the MediMap SSO Onboarding form.
2. The nominated technical contact will receive an email invitation to access the SSO onboarding portal to configure SSO IDP details.
3. Activate SSO using one of the following options:
   - Self-configure SSO in the onboarding portal and advise the MediMap Support team when completed, OR
   - MediMap configures SSO using the provided information: select 'send details' in the onboarding portal.
   *The MediMap team will add the domain information (provided in the onboarding portal) into each site.
   **This step will NOT affect any user's ability to log in without SSO.
4. Test SSO: add an email address to a user login and complete a successful login using SSO credentials.
5. Roll out SSO to your organisation: Plan the rollout > Ensure user PIN numbers are set > Complete validation testing > Go live with SSO.
Configuring SSO
When entering SSO details on the onboarding portal, the following values are required:

| Name | Value | Example |
|---|---|---|
| Client ID | Application ID shown on the App Registration Overview page | |
| Client Secret | Secret generated in the app registration | |
| OIDC Metadata URL | Entra discovery URL containing your Tenant ID (Directory ID) | https://login.microsoftonline.com/{tenant id}/v2.0/.well-known/openid-configuration |

These values come from the IDP. The steps below cover the case where the IDP is Microsoft Entra.
1. From the Entra Admin Centre, select App Registration. You will need to either:
   - Select your existing app registration, or
   - Create a new app registration.
2. On your selected app registration, add the web redirect URL:
   - For Australian customers: https://medimapauprd.b2clogin.com/medimapauprd.onmicrosoft.com/oauth2/authresp
   - For New Zealand customers: https://medimapnzprd.b2clogin.com/medimapnzprd.onmicrosoft.com/oauth2/authresp
3. Generate a client secret in your app registration.
   *Note: take note of your secret expiry date, as the secret will need to be updated once it expires.
4. Finally, take note of your Client ID (Application ID) and Tenant ID (Directory ID) on the App Registration Overview page. These values are required for the onboarding page.
5. You now have the Client Secret, the Client ID and the Tenant ID. The Client ID and Client Secret can be entered directly into the form. The Tenant ID is entered into the OIDC Metadata URL in place of {tenant id} in the following URL: https://login.microsoftonline.com/{tenant id}/v2.0/.well-known/openid-configuration. This URL is then copied and pasted into the SSO Onboarding Site alongside the Client ID and Client Secret.
*** See Helpful Tips below for potential errors and solutions while testing and configuring SSO ***
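As an added illustration (not MediMap's or Microsoft's own code), the Python script below sanity-checks the portal values before they are submitted: it builds the OIDC Metadata URL from the Tenant ID, inspects a discovery document (a constructed sample here, standing in for a live fetch) for the fields an OIDC client needs and an issuer belonging to that tenant, confirms the regional reply URL is on the app registration, and reports how many days remain on the client secret. The function names and the sample GUID are assumptions.

```python
import json
import re
from datetime import date

# Fixed values taken from the guide above.
REDIRECT_URLS = {
    "AU": "https://medimapauprd.b2clogin.com/medimapauprd.onmicrosoft.com/oauth2/authresp",
    "NZ": "https://medimapnzprd.b2clogin.com/medimapnzprd.onmicrosoft.com/oauth2/authresp",
}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Fields a usable OIDC discovery document must carry.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def metadata_url(tenant_id):
    """Build the OIDC Metadata URL for the portal from the Tenant (Directory) ID."""
    if not GUID_RE.match(tenant_id):
        raise ValueError("Tenant ID must be the Directory ID GUID from the App Registration Overview page")
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"

def check_metadata(doc_json, tenant_id):
    """Problems in a discovery document fetched from metadata_url(); an empty list means it is usable."""
    doc = json.loads(doc_json)
    problems = [f"missing {key}" for key in REQUIRED_KEYS if key not in doc]
    issuer = doc.get("issuer", "")
    if tenant_id.lower() not in issuer.lower():
        problems.append(f"issuer {issuer!r} does not belong to tenant {tenant_id}")
    return problems

def redirect_registered(region, registered_uris):
    """True when the MediMap reply URL for the region (AU or NZ) is on the app registration."""
    return REDIRECT_URLS[region] in registered_uris

def secret_days_left(expires_on, today):
    """Days until the client secret expires (ISO dates); negative means it has already expired."""
    return (date.fromisoformat(expires_on) - date.fromisoformat(today)).days

# Constructed sample discovery document standing in for a real fetch; the GUID is a placeholder.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_METADATA = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/discovery/v2.0/keys",
})

if __name__ == "__main__":
    print(metadata_url(SAMPLE_TENANT))
    print("metadata problems:", check_metadata(SAMPLE_METADATA, SAMPLE_TENANT))
    print("NZ reply URL registered:", redirect_registered("NZ", []))
    print("secret days left:", secret_days_left("2025-01-31", "2025-01-01"))
```

A non-empty problem list or an unregistered reply URL corresponds to the "Authorization code not found" and "No reply address provided" rows in Common Errors below.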
Pre Rollout Testing
If there is a corporate login attached to the organisation, a corporate staff member can trial SSO by doing the following:
1. Log into the corporate account.
2. Go to Settings and click Edit on the login.
3. In SSO username, add the email address for SSO. Click Save.
4. Log out to the first login page, select Sign in with SSO and enter the email domain.
   * See Helpful Tips below for how this can be streamlined.
The SSO username will need to be added to each user's profile under each site or access point in order to add additional sites:
5. Sign in and go to Settings > Facilities. Click on a Facility and search for the login under Staff.
6. Click Edit, add the email into the SSO username field and save.
7. Repeat this for all sites. The user will now be able to select from every site login when they log in with SSO.
If an organisation does not have a corporate login, SSO can be enabled for any user by entering their email address into their MediMap login by clicking Edit on their profile in the Staff Changes settings page.
SSO Rollout
Preparing a Rollout Plan
There are different approaches to rolling out SSO to users, depending on what works for the organisation. Approaches include:
- Site by site.
- User group by user group (e.g. corporate staff first, then registered nurses).
*Note: every user account will need the SSO username (email address) added to its user profile details before you go live with SSO.
Setting User PIN Numbers
To prepare for rolling out SSO, an email address will need to be added to each user account that will be using SSO. This is done by clicking Edit on the user account and adding the user's email address in the SSO username field.
Because SSO users do not need a password to log in, a PIN must be set up to perform certain actions in MediMap. These actions are:
- Signing in to MediMap Mobile
- Signing a double sign administration record
Once staff have signed into MediMap using SSO login for the first time, they should go to their settings menu and select Set PIN to set a PIN for their account:
Helpful Tips
To auto-populate the domain hint on the SSO login page, a URL can be saved with the organisation's domain hint, where {url-here} is the domain hint (e.g. medimap.health): https://medi-map.co.nz/SSOLogin?domain_hint={url-here}.
This auto-populates the domain on the page, so it doesn't need to be entered each time.
Common Errors
| Error Received | Reason | Solution |
|---|---|---|
| No reply address provided | Redirect URL has not been added | Complete Step 2 in the Configuring SSO section above |
| Authorization code not found | A value provided to us from the IDP (usually the client secret) is incorrect or expired | Double-check the client ID, client secret and tenant ID |
| {user email address} is not registered in the system | The email address entered during SSO login has not been linked to a MediMap user | Add the email address to the appropriate user profile in MediMap. See Steps 5 & 6 in the Pre Rollout Testing section above |

Version 1.1