Tieto Lifecare/Procapita MFA and SSO with PhenixID Authentication Services

Warning

Please note that this document uses the legacy authenticators. To use the new protocol-agnostic authenticators instead, apply the relevant modifications to the configuration examples outlined in this article.

Summary

This document will guide you through the steps to enable multi-factor authentication and Single Sign-On for the healthcare and welfare application Tieto Lifecare (https://www.tieto.com/en/who-we-serve/healthcare-and-welfare/healthcare/lifecare-for-secondary-care/) using SAML2.

System Requirements

  • PhenixID Authentication Server 2.7 or higher
  • Tieto Lifecare technical contact.

Instruction

Overview

This document will guide you through the steps to enable multi-factor authentication and Single Sign-On for Tieto Lifecare.

PhenixID Server acting as SAML IdP

  1. Setup PhenixID Authentication Services as a SAML IdP.

  2. Fetch the Tieto Lifecare user identifier value, which is the personal number or the HSA-ID (HSA-ID only for welfare). Depending on your use case, fetch it either from the user store or from the data produced by the authentication (such as a certificate attribute).

  3. [OPTIONAL] Fetch givenName and sn.

  4. Create an item property userid and populate with the value fetched in previous step.

  5. Use the userid as Name ID attribute.

  6. Add these attributes as additional attributes:

    userid,givenName,sn

  7. Go to Scenarios->Federation-> <newly_added_scenario> -> Identity Provider. Deselect “Require signed requests”. Save.
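The steps above define an attribute contract: the NameID must carry the userid, and userid, givenName and sn must be released as additional attributes. As an added example (not PhenixID or Tieto code), the script below checks a captured SAML Response against that contract; it inspects content only and does not verify the XML signature. The sample response and its identifier values are constructed for the example.

```python
# Added example: verify that a SAML Response carries what this guide configures,
# i.e. NameID = userid plus the additional attributes userid, givenName and sn.
# Content check only; XML signature validation is out of scope here.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REQUIRED_ATTRS = ("userid", "givenName", "sn")


def check_lifecare_assertion(response_xml: str) -> list[str]:
    """Return a list of problems found; an empty list means the assertion
    matches the attribute contract described in this guide."""
    problems = []
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion in Response (check server.log on the IdP)"]
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        problems.append("missing or empty NameID")
    # Collect every released attribute by Name -> list of values
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    for name in REQUIRED_ATTRS:
        if name not in attrs or not any(v.strip() for v in attrs[name]):
            problems.append(f"attribute {name} missing or empty")
    # Step 5 of the guide: the NameID must be the userid value
    if name_id and attrs.get("userid") and name_id not in attrs["userid"]:
        problems.append("NameID does not match the userid attribute")
    return problems


# Constructed sample response; the personal number and names are made up.
SAMPLE_OK = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>199001019999</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="userid"><saml:AttributeValue>199001019999</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Anna</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sn"><saml:AttributeValue>Andersson</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_lifecare_assertion(SAMPLE_OK))  # []
```

Paste a decoded Response captured during the Test step in place of SAMPLE_OK; each reported problem points at the step above that needs revisiting.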

Configure Tieto Lifecare

  1. Send the IdP metadata link, https://<YourServerDomainName>/saml/authenticate/<authenticator_alias>?getIDPMeta, to the Tieto Lifecare technical contact.
  2. Request Tieto Lifecare SAML SP metadata file from the Tieto Lifecare technical contact.

Add trust to Tieto Lifecare on PhenixID Authentication Services

  1. Log in to Configuration Manager
  2. Open Scenarios->Federation->SAML Metadata upload
  3. Click the plus sign
  4. Add Tieto Lifecare SAML SP Metadata by uploading the metadata file from the Tieto Lifecare technical contact.

Test

  1. Browse to your Tieto Lifecare site (ask the Tieto Lifecare technical contact for details).
  2. This should result in a redirect to PhenixID Authentication Server.
  3. Authenticate.
  4. If authentication was successful, a redirect back to Tieto Lifecare should occur (carrying the SAML assertion).
  5. The user should now be logged in.

Troubleshooting

  • If an error message is presented on the PhenixID Authentication Services page, check server.log for details.
  • If an error message is presented on Tieto Lifecare, consult the Tieto Lifecare logs for details.