Hello! How can we help?
This document is intended for an IT Administrator and assumes that the readers have a basic understanding of Single Sign-On.

Overview of Single Sign-On with Inova

What is Single Sign-On and its benefits?

The Single Sign-On (SSO) Authentication allows a user to access multiple applications with a single set of credentials.
The advantages are multiple: users can navigate applications securely without specifying their credentials each time, thus saving time and reducing the risk of forgetting their password.

Does Inova Support SSO?

Inova supports SSO via the OpenID Connect (OIDC) 1.0 protocol and acts as a Service Provider (SP).

We have decided to rely on the OpenID Connect 1.0 protocol instead of SAML 2.0 because of all the benefits OIDC offers (ease of implementation, security, etc.).
Moreover, with OIDC, we no longer need to manage certificates as we did before with SAML. Instead, we use a client ID and a client secret.

If your security policy does not allow you to use the OIDC protocol, we can adapt and use the SAML 2.0 protocol instead. But we would prefer that this remains an exception where possible.
Please contact your Customer Success Manager or Inova Support to find out how to proceed.

Setting Up Single Sign On

Identity Provider Requirements

Please ensure that Inova’s domain auth.inova-application.com is whitelisted on your end.

Procedure

To help you configure your IdP, please find below detailed procedures to download and a summary table.

IdP Detailed procedure Elements you will need from us for your set up Elements to send to Inova
Microsoft Azure AD IDP-AzureAD-OpenIDConnect-Instructions.pdf Redirect URI: https://auth.inova-application.com/auth/realms/<realm_name>/broker/oidc-azure/endpoint

1. OpenID Connect metadata document

2. Application (client) ID

3. Client secret value

4. Client secret Expiration Date

Okta IDP-OKTA-OpenIDConnect-Instructions.pdf

Redirect URI: https://auth.inova-application.com/auth/realms/<realm_name>/broker/oidc-okta/endpoint

 

Sign-out redirect URIs:
https://auth.inova-application.com/auth/realms/<realm_name>/broker/oidc-okta/endpoint/logout_response

1. Client ID
2. Client secret
3. Okta domain
AD FS 2016 and later IDP-ADFS-OpenIDConnect-Instructions.pdf Redirect URI: https://auth.inova-application.com/auth/realms/<realm_name>/broker/oidc-adfs/endpoint 1. Client Identifier
2. Client secret
3. ADFS OpenID Connect Metadata file URL (e.g. https://<your-domain>/adfs/.well-known/openid-configuration)
CyberArk Idaptive IDP-CyberArkIdaptive-OpenIDConnect-Instructions.pdf

Redirect URI: https://auth.inova-application.com/auth/realms/<realm_name>/broker/oidc-idaptive/endpoint

 

Resource application URL: https://<realm_name>.partneringplace.com/inova-partner

1. Client ID
2. Client Secret
3. Metadata URL
OneLogin IDP-OneLogin-OpenIDConnect-Instructions.pdf

Redirect URI: https://auth.inova-application.com/auth/realms/<realm_name>/broker/oidc-onelogin/endpoint

 

Login URL: https://<realm_name>.partneringplace.com/inova-partner

1. Client ID
2. Client Secret
3. Issuer URL (Well-known Configuration)
Ping Identity IDP-PingIdentity-OpenIDConnect-Instructions.pdf Redirect URI: https://auth.inova-application.com/auth/realms/<realm_name>/broker/oidc-ping/endpoint 1. OIDC Discovery Endpoint
2. Client ID
3. Client Secret
VMware ONE Access IDP-VMwareONEAccess-OpenIDConnect-Instructions.pdf

Redirect URI: https://auth.inova-application.com/auth/realms/<realm_name>/broker/oidc-vmware/endpoint

 

Target URL: https://<realm_name>.partneringplace.com/inova-partner

1. Client ID
2. Client Secret
3. OpenID Connect metadata URL. It should look like that:
https://<your-url>/SAAS/auth/.well-known/openid-configuration
Keycloak IDP-Keycloak-OpenIDConnect-Instructions.pdf Redirect URI: https://auth.inova-application.com/auth/realms/<realm_name>/broker/oidc-keycloak/endpoint 1. Client ID
2. Client Secret
3. OpenID Endpoint Configuration URL
Google Cloud Platform (GCP) IDP-GCP-OpenIDConnect-Instructions.pdf Redirect URI: https://auth.inova-application.com/auth/realms/<realm_name>/broker/oidc-gcp/endpoint 1. Client ID
2. Client secret
Please replace <realm_name> by your actual realm name.
You'll find it at the beginning of the URL you use to access your Inova application.
So for example, if the URL of your Production environment is https://inovaio.partneringplace.com/inova-partner, then your realm name will be inovaio.
For other IdPs or if you have any doubts on how to get this Redirect URI, please contact your Customer Success Manager or Inova Support.

Implementation Steps

If you have a test environment (UAT), we will start by implementing SSO on that environment.
Once everything is validated on UAT, we do the same on Production.

Steps Who? What?
1 You Start the set up on your IdP by following the appropriate procedure and then sends us the elements we need.
2 Inova Continue the set up on our Authentication System and then send you a test link which aims to validate with you that the configuration is correct on both sides.
3 You

Validate the test link by following the instructions below:

 

1. Click on the following test link: https://auth.inova-application.com/auth/realms/<realm_name>/account/#/applications

Please replace <realm_name> by your actual realm name, see the explanations here.

 

2. Once the login page loaded, add the following string to the end of the URL generated and then press enter:

- For Microsoft Azure AD, add this string: &kc_idp_hint=oidc-azure

- For Okta, add this string: &kc_idp_hint=oidc-okta

- For ADFS, add this string: &kc_idp_hint=oidc-adfs

- For CyberArk Idaptive, add this string: &kc_idp_hint=oidc-idaptive

- For OneLogin, add this string: &kc_idp_hint=oidc-onelogin

- For Ping Identity, add this string: &kc_idp_hint=oidc-ping

- For VMware ONE Access, add this string: &kc_idp_hint=oidc-vmware

- For Keycloak, add this string: &kc_idp_hint=oidc-keycloak

- For Google Cloud Platform (GCP), add this string: &kc_idp_hint=oidc-gcp

 

Example for Okta:

URL_to_modify_Okta.png

 

3. If everything goes well, you should be redirected to your IdP's login page to enter your credentials and then land on a test page that looks like that (your first and last name should be visible in the upper right corner):

Test_Page.png

 

4. However, you may face a page saying that your account already exists:

Account_Already_Exists.png

In this case, this is normal and expected. Please click on “Add to existing account”. You will then receive an email from Inova Authentication System with a link inside. Please check your mailbox and click on the link provided.

Link_to_confirm_account_linking.png

You should land on the test page and see your first name and last name on the top right corner.

4 You/Inova If the test link does not work as expected, inform Inova of the error message you are getting and correct any issues that may arise during the authentication flow (most often these are mapping issues or incorrect client secret sent to Inova).
5 You If the test link works as expected:
1. Confirm the result to Inova. If possible, add a screenshot of the test page you get.
2. Please also confirm to Inova that you have authorized the desired users/groups to use the new application(s) you just created in your IdP. It is very important that this is done before enabling SSO, otherwise no one will be able to log in.
6 Inova/You Check on our Authentication System that there is no mapping issue. It is very important that the username transmitted by your IdP is equal to the email address to avoid any issue.
- If all is well, go to the next step.
- Otherwise, keep you informed of the mapping issue so that you can fix it.
7 Inova

Schedule with you the date & time on which the SSO will be activated.

- No intervention is required by you for this step.

- It will take about 1 hour, your application will be unavailable during this time.

- We usually arrange to do this at a time that will cause the least disruption to users.

8 Inova Inform you as soon as the SSO is activated.
9 You Validate that everything is working properly and that users can log in successfully. Please send a confirmation to Inova.
If SSO is already enabled for your applications and you want to change your identity provider, the procedure is the same.