PointClickCare – Single Sign On (SSO) with Active Directory Federation Services (ADFS)

Below is a step-by-step walkthrough on how to configure PointClickCare SSO with ADFS. PointClickCare will provide you with metadata XML files, which you will use to build the relying party trust. These files cannot be imported into ADFS directly, so the information must be pulled from them manually. You will create one relying party trust and its claim rules for each Single Sign On endpoint (Web App, POC, eMar, Mobile App).

Gather Relying Party details from XML file

EntityID – Within the md:EntityDescriptor element will be entityID. Record the value within the quotes (Ex: pointclickcare.com:saml2:entityid:06-00-001)

Assertion Consumer URL – Within the md:AssertionConsumerService element will be Location. Record the value within the quotes (Ex: https://sso.pointclickcare.com/sp/##############)

Signature Certificate – Find <ds:X509Data><ds:X509Certificate>. Copy the value between those two opening elements and their matching closing elements </ds:X509Certificate></ds:X509Data>. Paste the value into Notepad and save it as a .cer file. Make a note of the certificate's expiration date, as the certificate will need to be updated on the relying party configuration when PointClickCare renews it.
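The same three values can be pulled out of the metadata file with a short PowerShell script rather than by hand. The script below is an added example, not PointClickCare's or the original post's code: it reads the entityID, the AssertionConsumerService Location and the signing certificate, writes the certificate out as a PEM-formatted .cer file (which the ADFS Signature tab accepts) and reports its expiration date. The file paths are assumed, and the sample metadata embedded at the bottom is constructed for illustration with a placeholder certificate value, so the expiry check only succeeds against a real metadata file.

```powershell
# Added example (not PointClickCare's or the original post's code): extract the entityID, the
# Assertion Consumer URL and the signing certificate from a SAML SP metadata file, and save the
# certificate as a .cer file. $MetadataPath and $CerPath are assumed locations.
$MetadataPath = 'C:\Temp\pcc-webapp-metadata.xml'
$CerPath      = 'C:\Temp\pcc-webapp.cer'

function Get-SamlSpMetadataDetails {
    param(
        [Parameter(Mandatory)][xml]$Metadata,
        [Parameter(Mandatory)][string]$CerOutputPath
    )
    # SAML metadata is namespaced, so XPath needs the md: and ds: prefixes registered
    $ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entityId = $Metadata.SelectSingleNode('/md:EntityDescriptor', $ns).GetAttribute('entityID')
    $acs      = $Metadata.SelectSingleNode('//md:AssertionConsumerService', $ns)
    # Prefer the KeyDescriptor marked use="signing"; fall back to the first certificate in the file
    $certNode = $Metadata.SelectSingleNode('//md:KeyDescriptor[@use="signing"]//ds:X509Certificate', $ns)
    if (-not $certNode) { $certNode = $Metadata.SelectSingleNode('//ds:X509Certificate', $ns) }
    $certB64  = $certNode.InnerText -replace '\s', ''

    # Wrap the base64 in BEGIN/END lines (64-character rows) so Windows recognises the .cer file
    $rows = ($certB64 -split '(.{64})' | Where-Object { $_ }) -join "`r`n"
    Set-Content -Path $CerOutputPath -Encoding Ascii -Value "-----BEGIN CERTIFICATE-----`r`n$rows`r`n-----END CERTIFICATE-----"

    # Parse the certificate to read its expiry; the placeholder in the constructed sample will not parse
    $expires = $null
    try {
        $cert    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($certB64))
        $expires = $cert.NotAfter
    } catch {
        Write-Warning "Certificate value could not be parsed: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        EntityID             = $entityId
        AssertionConsumerUrl = $acs.GetAttribute('Location')
        AcsBinding           = $acs.GetAttribute('Binding')
        CertificateFile      = $CerOutputPath
        CertificateExpires   = $expires
    }
}

# Constructed sample metadata (placeholder values) used only when the real file is not present
$SampleMetadata = @'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="pointclickcare.com:saml2:entityid:06-00-001">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER_BASE64_CERTIFICATE</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.pointclickcare.com/sp/PLACEHOLDER" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
'@

$xml = if (Test-Path $MetadataPath) { [xml](Get-Content -Path $MetadataPath -Raw) } else { [xml]$SampleMetadata }
Get-SamlSpMetadataDetails -Metadata $xml -CerOutputPath $CerPath
```

Run it once per metadata file PointClickCare sends you (Web App, POC, eMar, Mobile App); the CertificateExpires value is the date to put in your calendar for renewing the signature certificate on the relying party trust.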

Create the Relying Party Trust

Open Active Directory Federation Services, go to Relying Party Trusts and click Add Relying Party Trust

Choose Claims aware

Choose Enter data about the relying party manually

Enter a name for the relying party trust. Here are some recommended names depending on the relying party trust.
PointClickCare – Web App
PointClickCare – POC App
PointClickCare – eMar App
PointClickCare – Mobile App

Don’t add a token encryption certificate; just click Next.

Check the box Enable support for SAML 2.0 WebSSO protocol and enter the Assertion Consumer URL you recorded from the XML file.

Enter the EntityID you recorded from the XML file and add it to the list of Relying party trust identifiers

If you plan to use an access policy, select the appropriate one or choose Permit everyone

Click Next on the review page

Uncheck Configure claims issuance policy for this application and click Close. We will do this later.

Right click on the new Relying Party Trust and click Properties

Go to the Signature tab and click Add. Browse to the .cer certificate file you created in the beginning and then click Apply

Go to the Endpoints tab and click on the SAML Assertion Consumer Endpoint and click Edit. Check the box Set the trusted URL as default and click OK.

As of this writing, PointClickCare doesn’t offer Single Log Out with ADFS, so we will configure a logout endpoint within ADFS that points back at the ADFS sign-out page. Click Add SAML on the Endpoints tab.

Change Endpoint type to SAML Logout and Binding to Redirect.
For the Trusted URL enter your ADFS signout URL (Ex: https://publicfqdn.com/adfs/ls/?wa=wsignout1.0)
Leave Response URL blank and click OK

Click OK on the Relying Party properties page.

Create the claims

Right click the Relying Party Trust again and choose Edit Claim Issuance Policy

We are going to add a total of 6 claims. Pay careful attention to the following directions.

Click Add Rule and choose Send Claims using a Custom Rule

Name the claim rule SSO Key. Enter the custom rule

=> issue(Type = "ssoKey", Value = "YOURSSOKEY_FROM_PCC");

Click Finish/OK and click Add Rule and choose Send Claims using a Custom Rule

Name the claim rule Org Code. Enter the custom rule

=> issue(Type = "orgCode", Value = "YOUR_PCC_ORG_CODE");

Click Finish/OK and click Add Rule and choose Send Claims using a Custom Rule

Name the claim rule Module and enter the custom rule

=> issue(Type = "destmodule", Value = "MODULE");

PointClickCare Web App = PCC_WEB
PointClickCare Point Of Care (POC) = POC
PointClickCare eMar = EMAR

(Note: This claim is not used if you’re setting up the Mobile relying party)

Click Finish/OK and click Add Rule and choose claim rule Send LDAP Attributes as Claims.

Name the claim rule Username and select the attribute store Active Directory

IMPORTANT: The LDAP attribute that you’re about to select must be a one-to-one match to the PointClickCare Login Name field for each user. Most organizations use sAMAccountName, which means users log into a computer on your domain with the same username they log into PointClickCare with. If this is a new PointClickCare environment or you’re leveraging UAP, you could also use a custom attribute in LDAP. Please note, this LDAP attribute has nothing to do with what the end user logs into the computer with (although it could be one and the same); it is only used to tell PointClickCare who the user is.

Select the LDAP Attribute that contains the unique identifier between Active Directory and PointClickCare. On the Outgoing Claim Type enter username all lowercase with no spaces.

Click Finish/OK and click Add Rule and choose claim rule Send Claims using a Custom Rule

(Note: This claim is not used if you’re setting up the Mobile relying party)

Name the rule Get Username for Subject and enter the following claim below. If you are not using sAMAccountName, change the two references below to the LDAP attribute you’re using.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("temp:sAMAccountName"), query = ";sAMAccountName;{0}", param = c.Value);

Click Finish/OK and click Add Rule and choose claim rule Send Claims using a Custom Rule

Name the rule Create Subject with Username and enter the following claim below. Again, if you’re using a different LDAP attribute, change the name of the temp value to match. Replace YOUR_ORG_CODE with your PointClickCare organization code. Be sure to keep the period at the end of the org code.

c:[Type == "temp:sAMAccountName"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = "YOUR_ORG_CODE." + c.Value);

Click Finish/OK

The next claim is only used for the Mobile relying party.

Click Add Rule and choose claim rule Send Claims using a Custom Rule. Name the claim rule Org ID and enter the following rule below. Replace the value with the Org ID provided by PointClickCare for Mobile

=> issue(Type = "orgId", Value = "XXXXXXXX");

Click Finish/OK. You’ve finished the setup for the relying parties.
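For anyone who would rather script the relying party than click through the wizard (or who needs to rebuild it on a second ADFS farm), the following is an added example using the ADFS PowerShell module; it is not PointClickCare's or the original post's code. It creates the Web App relying party trust with the same settings as the steps above (SAML assertion consumer endpoint set as default, logout endpoint pointed back at ADFS, signature certificate from the .cer file, Permit everyone policy) and applies the six claim rules in the ADFS claim rule language. It assumes an ADFS 2016 or later server, that the .cer file from the metadata step is at the assumed path, and that the placeholder values at the top are replaced with the ones PointClickCare gave you.

```powershell
# Added example (not PointClickCare's or the original post's code): create the Web App relying
# party trust and its six claim rules with the ADFS PowerShell module. Assumes ADFS 2016+.
$RpName    = 'PointClickCare - Web App'
$EntityId  = 'pointclickcare.com:saml2:entityid:06-00-001'    # entityID from the metadata file
$AcsUrl    = 'https://sso.pointclickcare.com/sp/PLACEHOLDER'  # AssertionConsumerService Location (placeholder)
$CerPath   = 'C:\Temp\pcc-webapp.cer'                         # assumed path to the saved signing certificate
$LogoutUrl = 'https://publicfqdn.com/adfs/ls/?wa=wsignout1.0' # your own ADFS sign-out URL
$SsoKey    = 'YOURSSOKEY_FROM_PCC'
$OrgCode   = 'YOUR_PCC_ORG_CODE'
$LdapAttr  = 'sAMAccountName'   # must match the PointClickCare Login Name one-to-one

# The six rules from the walk-through in the ADFS claim rule language, parameterised on the values above
$Rules = @"
@RuleName = "SSO Key"
=> issue(Type = "ssoKey", Value = "$SsoKey");

@RuleName = "Org Code"
=> issue(Type = "orgCode", Value = "$OrgCode");

@RuleName = "Module"
=> issue(Type = "destmodule", Value = "PCC_WEB");

@RuleName = "Username"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("username"), query = ";$LdapAttr;{0}", param = c.Value);

@RuleName = "Get Username for Subject"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("temp:$LdapAttr"), query = ";$LdapAttr;{0}", param = c.Value);

@RuleName = "Create Subject with Username"
c:[Type == "temp:$LdapAttr"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = "$OrgCode." + c.Value);
"@

# ADFS accepts the .cer in either base64 (PEM) or DER form
$SigningCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

$Endpoints = @(
    # Assertion consumer endpoint (what the wizard's SAML 2.0 WebSSO checkbox creates), marked as default
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0 -IsDefault $true
    # Logout endpoint pointed back at the ADFS sign-out page, as in the Endpoints tab step
    New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout -Uri $LogoutUrl
)

Add-AdfsRelyingPartyTrust -Name $RpName -Identifier $EntityId `
    -SamlEndpoint $Endpoints -RequestSigningCertificate $SigningCert `
    -AccessControlPolicyName 'Permit everyone' -IssuanceTransformRules $Rules

# Review what was created; the rules can be read back later from the IssuanceTransformRules property
Get-AdfsRelyingPartyTrust -Name $RpName | Select-Object Name, Identifier, AccessControlPolicyName, SamlEndpoints
```

For the POC and eMar trusts change the Module rule's value and the name, entityID and Assertion Consumer URL; for the Mobile trust drop the Module, Get Username for Subject and Create Subject with Username rules and add the Org ID rule instead, as the steps above describe.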

Validating ADFS Configuration

PointClickCare’s SSO works with an IdP-initiated setup, which requires changing/verifying two settings on the ADFS servers. On your ADFS server, open PowerShell and run the following command. If either of them is False, you’ll need to enable them. You will need to restart the ADFS service for these to take effect.

To Verify
Get-AdfsProperties | Select EnableIdpInitiatedSignonPage, EnableRelayStateForIdpInitiatedSignOn
To Set
Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true

Creating the shortcut to use SSO

We will build the URLs necessary for your users to access PointClickCare using SSO. In the previous step we enabled relay state, which allows the ADFS server to identify the relying party within the URL and provide a streamlined experience for your users.

Obtain your IdP-initiated sign-on URL. It should be https://publicfqdn.com/adfs/ls/IdpInitiatedSignon.aspx. You can browse to this page to see your relying parties and test the SSO with PointClickCare.

Obtain the relying party identifier for the shortcut you’d like to make. For example, if creating a shortcut for Point Click Care Web App the identifier should be pointclickcare.com:saml2:entityid:06-00-001.

Finally, the last URL you need is the target, which is sso.pointclickcare.com.

Head over to https://jackstromberg.com/adfs-relay-state-generator/, enter the information you just gathered and generate the URL. You can now visit that URL and, once authenticated, it will log you directly into PointClickCare.
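The relay state URL can also be built locally, which is handy when the shortcut has to be generated for several relying parties or checked later. The following is an added example, not the generator's or the original post's code. ADFS expects the RelayState query parameter to carry the string RPID=<relying party identifier>&RelayState=<target>, with the two inner values URL-encoded first and the whole string URL-encoded again, so the function does exactly that; a second function decodes an existing link back into its relying party identifier and target so you can verify a shortcut someone else produced. The ADFS host name is the page's placeholder, and the target is passed exactly as the page gives it.

```powershell
# Added example (not the generator's or the original post's code): build and check the
# IdP-initiated sign-on URL with relay state that the shortcut step describes.

function New-AdfsIdpInitiatedUrl {
    param(
        [Parameter(Mandatory)][string]$AdfsHost,        # public FQDN of the ADFS farm
        [Parameter(Mandatory)][string]$RelyingPartyId,  # relying party identifier (the entityID)
        [Parameter(Mandatory)][string]$Target           # where the relying party should send the user
    )
    # Inner string: each value encoded on its own, then joined with literal '=' and '&'
    $inner = 'RPID=' + [uri]::EscapeDataString($RelyingPartyId) + '&RelayState=' + [uri]::EscapeDataString($Target)
    # Outer encoding: the whole inner string becomes the value of the RelayState query parameter
    return "https://$AdfsHost/adfs/ls/IdpInitiatedSignon.aspx?RelayState=" + [uri]::EscapeDataString($inner)
}

function Read-AdfsRelayState {
    param([Parameter(Mandatory)][string]$Url)
    # Pull out the RelayState query parameter, undo the outer encoding, then decode each inner value
    $query = $Url.Substring($Url.IndexOf('?') + 1)
    $outer = ($query -split '&' | Where-Object { $_ -like 'RelayState=*' } | Select-Object -First 1) -replace '^RelayState=', ''
    if (-not $outer) { throw "No RelayState parameter found in $Url" }
    $inner = [uri]::UnescapeDataString($outer)
    $parts = @{}
    foreach ($pair in ($inner -split '&')) {
        $key, $value = $pair -split '=', 2
        $parts[$key] = [uri]::UnescapeDataString($value)
    }
    [pscustomobject]@{ RPID = $parts['RPID']; Target = $parts['RelayState'] }
}

# Web App shortcut using the identifier and target from the steps above (publicfqdn.com is a placeholder)
$ShortcutUrl = New-AdfsIdpInitiatedUrl -AdfsHost 'publicfqdn.com' `
    -RelyingPartyId 'pointclickcare.com:saml2:entityid:06-00-001' `
    -Target 'sso.pointclickcare.com'
$ShortcutUrl

# Round-trip check: the decoded RPID and target must match what was passed in
Read-AdfsRelayState -Url $ShortcutUrl
```

Because the identifier contains colons, the generated link shows them double-encoded (%253A); that is expected, since ADFS decodes the outer RelayState parameter and then the inner values separately, and Read-AdfsRelayState mirrors that order.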
