athenahealth supports outbound Single Sign On (SSO) using the SAML 2.0 standard, from athenaNet to a solution's application. athenaNet, acting as the identity provider (IdP), can provide the following data, encoded in a SAML assertion, to any solution that is configured as a service provider (SP).
What data is able to be passed from athenaNet to a solution inside the user’s SAML assertion?
- athenaNet Username
- User's First Name
- User's Last Name
- Practice ID (also called a "Context ID")
- Department ID (the department the user is currently logged into)
- Patient ID being viewed in some contexts
- Email (if the user has one stored in athenaNet). Please note that this is not a required field, so not all users will have an email address passed in their SAML assertion.
- Optional: "extraidentifier" (for example, this can carry the encounter ID when the link is clicked while the user is inside the encounter workflow)
The extraidentifier variable, listed above, is a solution-specified value that can be passed from athenaNet to a solution's application, in the SAML assertion, to help the solution’s application direct the user’s request to the appropriate resource in the solution’s application.
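The following is an added example, not athenahealth's code, of what the receiving service provider does with such an assertion once athenaNet has POSTed it to the ACS: decode the response, check the status, the validity window, the audience and the recipient, then pull out the attributes listed above while treating email, extraidentifier and patient ID as optional. The attribute names, entityIDs, ACS URL and the sample response itself are assumptions constructed for illustration; the real names and URLs come from the metadata exchanged during onboarding. Signature verification is deliberately left to an XML-DSig library and must run before any of these checks.

```python
"""SP-side consumption of an IdP-initiated SAML 2.0 response (added example)."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET  # production: parse with defusedxml instead

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# ASSUMED for illustration: real attribute names, entityIDs and the ACS URL come
# from the metadata exchanged with athenahealth, not from this example.
ACS_URL = "https://sp.example.com/saml/acs"
SP_ENTITY_ID = "https://sp.example.com/metadata"
IDP_ENTITY_ID = "https://idp.example.com/athenanet"
REQUIRED = ("username", "firstname", "lastname", "practiceid", "departmentid")
OPTIONAL = ("patientid", "email", "extraidentifier")
SAMPLE_NOW = dt.datetime(2024, 1, 1, 12, 1, tzinfo=dt.timezone.utc)


def _ts(s):
    """SAML timestamps are UTC ISO 8601; accept the trailing Z and fractions."""
    return dt.datetime.fromisoformat(s.replace("Z", "+00:00"))


def consume_response(b64_response, now, acs_url=ACS_URL, audience=SP_ENTITY_ID):
    """Decode a POSTed SAMLResponse, validate the assertion's conditions and
    return its attributes; raises ValueError on any failed check.
    Signature verification (XML-DSig) must happen BEFORE this and is not shown:
    an unverified assertion proves nothing about who the user is."""
    root = ET.fromstring(base64.b64decode(b64_response))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("non-success status")
    if root.get("Destination") not in (None, acs_url):
        raise ValueError("Destination does not match our ACS")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion present")
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion issued by an unexpected IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    if audience not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("audience restriction does not name this SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") not in (None, acs_url):
        raise ValueError("Recipient does not match our ACS")
    # IdP-initiated: no InResponseTo. SP-initiated: scd InResponseTo must match
    # the ID of an AuthnRequest this SP actually issued and has not yet consumed.
    attrs = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        vals = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
        attrs[a.get("Name")] = vals[0] if len(vals) == 1 else vals
    missing = [n for n in REQUIRED if n not in attrs]
    if missing:
        raise ValueError(f"missing required attributes: {missing}")
    for n in OPTIONAL:  # email, extraidentifier, patientid are not always sent
        attrs.setdefault(n, None)
    return attrs


def sample_response(audience=SP_ENTITY_ID, with_email=False):
    """Constructed, unsigned SAMLResponse for demonstration only."""
    attrs = {"username": "jdoe", "firstname": "Jane", "lastname": "Doe",
             "practiceid": "12345", "departmentid": "7", "extraidentifier": "enc-98765"}
    if with_email:
        attrs["email"] = "jdoe@example.com"
    attr_xml = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}'
                       f'</saml:AttributeValue></saml:Attribute>' for k, v in attrs.items())
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def demo():
    """Happy path plus two rejections; returns the outcomes for checking."""
    late = dt.datetime(2024, 1, 1, 12, 6, tzinfo=dt.timezone.utc)
    out = {"attrs": consume_response(sample_response(), SAMPLE_NOW)}
    for name, resp, now in (("expired", sample_response(), late),
                            ("wrong_audience", sample_response(audience="https://other.example"), SAMPLE_NOW)):
        try:
            consume_response(resp, now)
            out[name] = "accepted"
        except ValueError as e:
            out[name] = str(e)
    return out
```

The optional attributes are normalised to None rather than left absent so that application code does not branch on a missing key; a practice that routes on extraidentifier must still handle the None case, since it is only sent when the link is clicked from the encounter workflow.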
What does my company need to do if we are interested in establishing an SSO link for athenaNet users into my application?
Please speak with your athenahealth Business Development contact or Technical Lead. If a validated solution is Generally Available (GA), Marketplace Partners should fill out an enhancement form to start the SSO integration process, and clients should contact their account manager.
My company is scoping our SSO deployment and wondering if athenahealth can offer any software recommendations?
What SSO standards does athenaNet’s SSO integration support?
athenaNet uses Identity Provider (IdP)-initiated SAML 2.0.
With which SSO implementations does athenaNet’s SSO integration work?
athenaNet uses Okta and Ping Identity's platforms as its SSO solution. We can integrate with any standards-compliant SAML 2.0 implementation. We have seen cases where the SAML 2.0 specification was not followed, which leads to integration issues; we strongly suggest using an existing, well-tested SAML library or product over a "roll-your-own" implementation.
What data does athenaNet need from my server to configure my application as a service provider (SP)?
Your contact at athenahealth will work with you to collect the following information. Apart from the first element, we are generally able to use SAML metadata files to help exchange this information.
- Name, phone number, and email address of a technical contact who will lead your SSO implementation.
- Default Endpoint URL for the solution's service. This is added to athenaNet.
- Assertion Consumer Service location. This is where we POST the SAML assertion.
- Allowable SAML bindings. Normally these are HTTP-POST and/or HTTP-Redirect.
- If you wish to use SP-initiated SSO, we will also work out the exchange of the SP's signing certificate, since for SP-initiated SAML we require the SP-initiated requests (AuthnRequests) to be signed.
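As an added example, not athenahealth's or any vendor's code, here is how an SP can produce and read back the metadata file that carries most of the items in the list above: the entityID, the Assertion Consumer Service location and binding, and, when SP-initiated SSO is wanted, AuthnRequestsSigned="true" together with the signing certificate the IdP will need. The URLs are placeholders and the certificate body is a made-up string, not a real certificate.

```python
"""Building and reading back SP metadata for the IdP onboarding exchange (added example)."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder, NOT a real certificate: the base64 body is made up for this example.
PLACEHOLDER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBexampleOnlyNotARealCertificateBody0123456789abcdef
-----END CERTIFICATE-----"""


def _pem_body(pem):
    """Strip the PEM armor; <ds:X509Certificate> carries only the base64 DER."""
    return "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))


def build_sp_metadata(entity_id, acs_url, signing_cert_pem=None, sp_initiated=False):
    """Return SP metadata XML. With sp_initiated=True it advertises signed
    AuthnRequests and publishes the certificate the IdP must verify them with."""
    ET.register_namespace("md", MD)
    ET.register_namespace("ds", DS)
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
                       AuthnRequestsSigned="true" if sp_initiated else "false",
                       WantAssertionsSigned="true")  # always demand signed assertions
    if sp_initiated:
        if not signing_cert_pem:
            raise ValueError("SP-initiated SSO requires a signing certificate")
        kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", use="signing")
        x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = _pem_body(signing_cert_pem)
    # The ACS is where the IdP POSTs the assertion: one default HTTP-POST endpoint.
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                  Binding=POST, Location=acs_url, index="0", isDefault="true")
    return ET.tostring(ed, encoding="unicode")


def summarize(metadata_xml):
    """Pull the onboarding checklist items back out of an SP metadata document."""
    ed = ET.fromstring(metadata_xml)
    sp = ed.find(f"{{{MD}}}SPSSODescriptor")
    return {
        "entity_id": ed.get("entityID"),
        "acs": [(a.get("Binding"), a.get("Location"))
                for a in sp.findall(f"{{{MD}}}AssertionConsumerService")],
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "signing_certs": len(sp.findall(f"{{{MD}}}KeyDescriptor[@use='signing']")),
    }


if __name__ == "__main__":
    print(summarize(build_sp_metadata("https://sp.example.com/metadata",
                                      "https://sp.example.com/saml/acs",
                                      PLACEHOLDER_CERT_PEM, sp_initiated=True)))
```

WantAssertionsSigned is set unconditionally because the assertion's signature is the only thing that ties the attributes to the IdP; the KeyDescriptor is only emitted for SP-initiated SSO, matching the last item in the list, where the IdP needs the SP certificate to verify signed requests.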