Epic EPCS SAML integration

This topic covers the SAML configurations in the SecureAuth® Identity Platform to securely allow the right user access to e-prescribing controlled substances (EPCS) in the Epic Haiku and Epic Canto mobile apps connected to the Epic EPCS database.

Prerequisites

  • Access to Epic EPCS for Epic Haiku and Epic Canto mobile apps

  • Identity Platform 21.04 or later

  • Have a defined user login policy in the Identity Platform

  • Have an integrated data store in the Identity Platform

Identity Platform configuration

  1. On the left side of the Identity Platform page, click Application Manager.

  2. Click Add an Application.

    The application template library appears.

  3. From the list of application templates, select SAML Application.

  4. On the Applications Details page, set the following configurations.

    Application Name

    Set the name of the SAML configuration for the Haiku and Canto EPCS workflow.

    This displays on the Application Manager list and to end users in the login workflow.

    Application Description

    This is an internal description not shown to end users at login.

    Upload logo

    Optionally upload a logo for the Haiku and Canto EPCS workflow.

    Authentication Policy

    Select the login authentication policy for the Haiku and Canto EPCS workflow.

    Data Stores

    Enter the data stores used to authenticate users and allow access for the Haiku and Canto EPCS workflow.

    Start typing to bring up a list of data store names. You can enter more than one data store.

    Groups

    Use one of the following options:

    • Slider in the On position (enabled): Allow users from every group in your selected data stores access to this application.

    • Slider in the Off position (disabled): Enter the specific groups who are allowed access to this application.

    [Figure: Application details]

  5. Click Continue.

    The Connection Settings page appears.

  6. In the Configure Connection section, set the Connection Type to SP Initiated by Post.

    The user login process starts in the Epic Haiku or Epic Canto mobile app, then redirects the user to the Identity Platform for authentication. Upon successful authentication, it asserts the user back to the Epic Haiku or Epic Canto app.

    Following the SAML specification, the app sends the authentication request (AuthnRequest) to the Identity Platform over the HTTP Redirect binding, with the request signature carried alongside the request.

  7. In the User ID Mapping section, set the following configurations.

    User ID Profile Field

    Select the profile field in your data store that contains the user IDs.

    For example, if the Epic Haiku and Epic Canto app login accepts a username like jsmith, you could set it to Authenticated User ID.

    Otherwise, if the Epic Haiku and Epic Canto app login requires an email address, you could use another available profile like User ID, Email 1 (Work), Aux ID 1, and so on.

    Note

    If you select a user profile field other than Authenticated User ID, make sure you have the data store field attribute correctly mapped to an available profile property, like Email 1 (Work) set to mail.

    [Figure: Data store properties]


    Name ID Format

    The name ID format to use for sending the SAML response.

    Use the default setting, which is set to unspecified as in: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

    [Figure: User ID mapping]

  8. In the SAML Assertion section, set the following configurations.

    Upload Metadata

    If you have a preconfigured XML file with your SAML settings, select the Upload Metadata link at the bottom right of the page.

    Note

    To use the metadata upload feature, you must provide an issuer, map user ID values, and select a certificate to properly configure the connection.

    After the file is uploaded, review the prepopulated fields and make the necessary edits.

    IdP Issuer

    A unique name that must match exactly on the Identity Platform side and in the Epic database for the Epic Haiku and Epic Canto mobile apps.

    This helps the Epic database identify the Identity Platform as the SAML issuer.

    For example, https://idp.example.org/SAML2

    Assertion Consumer Service (ACS)

    Enter the endpoint URL from the Epic database at which the Epic Haiku and Epic Canto EPCS workflow accepts a SAML assertion from the Identity Platform.

    For example, epic://sp.example.com

    Relay State

    Optional. User is directed to this URL after authentication.

    Recipient

    Optional. This field is usually the same as the consumer (ACS) URL.

    For example, epic://sp.example.com

    Audience

    Set to a unique string that identifies the Epic database as the service provider (SP). Usually, this is the entity ID of the Epic database.

    For example, https://idp.example.org/SAML2

    SP Login URL

    This is the login URL of the Epic database as a service provider (SP).

    Usually, this is the same address as the Relay State or Assertion Consumer Service (ACS) URL.

    For example, https://idp.example.org/SAML2

    Assertion will be valid for

    Indicate, in hours and minutes, how long the SAML assertion is valid.

    It is referred to as SAML NotOnOrAfter in the SAML specifications.

    The default setting is one hour, but for more sensitive application resources the recommended value is between one and five minutes.

    Offset Minutes

    Indicate the number of minutes to allow for clock differences among devices.

    This is referred to as SAML NotBefore in the SAML specifications.

    Recommended value is five minutes.

    IdP Signing Certificate

    Click Select Certificate, choose the IdP signing certificate to use, and then click Select to close the box.

    IdP Signing Certificate Serial Number

    When you select an IdP signing certificate, the serial number populates this field.

    Signing Algorithm

    The signing algorithm is used to digitally sign the SAML assertion and response.

    Choose the signing algorithm: SHA1 or SHA2. SHA2 is a slightly stronger hash function and is not subject to the same vulnerabilities as SHA1.

    Sign SAML Assertion

    Indicate whether the Identity Platform signs the SAML assertion sent to the Epic database as the service provider (SP).

    The signature, verified against the IdP signing certificate, lets the Epic database confirm that the assertion has not been altered since the Identity Platform issued it.

    Sign SAML Message

    Indicate whether the Identity Platform signs the SAML message, including the SAML assertion, sent to the Epic database as the service provider (SP).

    The signature, verified against the IdP signing certificate, lets the Epic database confirm that the whole message has not been altered since the Identity Platform issued it.

    Encrypt SAML Assertion

    Indicate whether the Identity Platform sends an encrypted SAML assertion to the Epic database as the service provider (SP).

    If the slider is ON, then select the data and key encryption methods:

    • Data Encryption Method – Select the algorithm of the data encryption method

    • Key Encryption Method – Select the type of key encryption method (symmetric or asymmetric)

    [Figure: SAML configuration settings]

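    To make the IdP Issuer, Audience, Recipient, "Assertion will be valid for" and "Offset Minutes" fields concrete, the following added example (not SecureAuth's or Epic's code) builds a constructed, unsigned assertion the way the fields above describe, and then runs the checks a service provider applies to those same values. The identifiers https://idp.example.org/SAML2 and epic://sp.example.com are the page's own placeholders; the timestamps and the user ID jsmith are constructed for the example. Signature verification is assumed to have already happened before these checks run.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Identifiers taken from the page's own examples; the Epic side (SP) is configured
# with the same values and compares them against what the assertion carries.
IDP_ISSUER = "https://idp.example.org/SAML2"   # IdP Issuer
AUDIENCE = "https://idp.example.org/SAML2"     # Audience (entity ID of the SP)
RECIPIENT = "epic://sp.example.com"            # Recipient / ACS URL


def fmt(ts):
    """Format a UTC datetime in the xs:dateTime form used by SAML attributes."""
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assertion(issue_instant, valid_for=timedelta(minutes=5),
                    offset=timedelta(minutes=5), name_id="jsmith"):
    """IdP side, mirroring two fields above: 'Assertion will be valid for' sets
    NotOnOrAfter and 'Offset Minutes' pulls NotBefore back to absorb clock drift.
    Constructed, unsigned assertion for illustration only."""
    not_before = issue_instant - offset
    not_on_or_after = issue_instant + valid_for
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="{fmt(issue_instant)}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{name_id}</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{RECIPIENT}" NotOnOrAfter="{fmt(not_on_or_after)}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="{fmt(not_before)}" NotOnOrAfter="{fmt(not_on_or_after)}">
    <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def validate_assertion(xml_text, now, issuer=IDP_ISSUER, audience=AUDIENCE, recipient=RECIPIENT):
    """SP side: return the list of failed checks; an empty list means accept.
    Signature verification (Sign SAML Assertion / Sign SAML Message) is assumed
    to have passed before this function is called."""
    root = ET.fromstring(xml_text)
    failures = []
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        failures.append("issuer mismatch")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ["missing Conditions"]
    # NotBefore is inclusive, NotOnOrAfter is exclusive, as in the SAML spec
    if now < parse_ts(cond.get("NotBefore")):
        failures.append("not yet valid (NotBefore)")
    if now >= parse_ts(cond.get("NotOnOrAfter")):
        failures.append("expired (NotOnOrAfter)")
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        failures.append("audience mismatch")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != recipient:
        failures.append("recipient mismatch")
    return failures


def check_at(minutes_after_issue, **overrides):
    """Issue a constructed assertion at a fixed instant and validate it at a later
    (or earlier) moment, with optional SP-side configuration overrides."""
    issued = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    assertion = build_assertion(issued)
    return validate_assertion(assertion, issued + timedelta(minutes=minutes_after_issue), **overrides)


if __name__ == "__main__":
    print(check_at(1))    # []: within the five-minute window
    print(check_at(5))    # ['expired (NotOnOrAfter)']: one-hour default would still accept this
    print(check_at(-6))   # ['not yet valid (NotBefore)']: beyond the five-minute offset
```

    With a five-minute validity and a five-minute offset, the accepted window runs from 11:55:00 up to but not including 12:05:00 for an assertion issued at 12:00:00; shortening "Assertion will be valid for" from the one-hour default is what narrows the time in which a captured assertion could still be replayed to the SP.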
  9. If more information from the directory needs to be sent in the assertion, in the SAML Attributes section, click Add SAML Attribute and set the following configurations.

    Attribute Name

    Provide the attribute name from the directory that identifies the user to the Epic database.

    For example, givenname

    Data Store Property

    Select the data store property which maps to this directory attribute.

    For example, First Name

    Namespace (1.1)

    Set the authorization URL to tell the Epic database which attribute is being asserted.

    Filtered Group

    Provide the group names from the directory to ensure users have appropriate view permissions based on their group membership. You can use a full regular expression or a full group distinguished name (DN) list.

    When the Data Store Property is set to Groups, use a regular expression like this: .*(Group1|Group2|Group3)

    When the Data Store Property is set to Full Group DN List, use a full group DN list like this: .*(cn=admin,dc=acme,dc=com|cn=devops,dc=acme,dc=com)

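    The following added example (not SecureAuth's code) applies the two Filtered Group forms shown above to constructed sample group values. The page does not state how the Identity Platform evaluates the pattern, so the example uses Python's re.fullmatch and, for contrast, a prefix match, to show why a pattern that ends in a bare group name should be checked against the full value: with prefix matching, Group1 also admits Group10. The sample group names and DNs are constructed.

```python
import re

# Patterns as written on the page; Group1..Group3 and the acme DNs are sample values
GROUPS_PATTERN = r".*(Group1|Group2|Group3)"
DN_PATTERN = r".*(cn=admin,dc=acme,dc=com|cn=devops,dc=acme,dc=com)"

# Constructed directory values for a user's group memberships
SAMPLE_GROUPS = ["Group1", "Group3", "Group4", "Group10", "Domain Users"]
SAMPLE_DNS = [
    "cn=admin,dc=acme,dc=com",
    "cn=devops,dc=acme,dc=com",
    "cn=helpdesk,dc=acme,dc=com",
]


def filter_groups(pattern, values, anchored=True):
    """Return the values the Filtered Group pattern accepts.

    anchored=True matches the whole value (re.fullmatch); anchored=False only
    requires the pattern to match a prefix (re.match), which is the looser
    reading under which "Group10" would pass a pattern naming "Group1"."""
    rx = re.compile(pattern)
    matcher = rx.fullmatch if anchored else rx.match
    return [v for v in values if matcher(v)]


if __name__ == "__main__":
    print(filter_groups(GROUPS_PATTERN, SAMPLE_GROUPS))                  # ['Group1', 'Group3']
    print(filter_groups(GROUPS_PATTERN, SAMPLE_GROUPS, anchored=False))  # ['Group1', 'Group3', 'Group10']
    print(filter_groups(DN_PATTERN, SAMPLE_DNS))                         # the admin and devops DNs only
```

    If the groups in your directory share prefixes, write the alternation so each name is complete (for example, end the pattern with $ or match on the full DN list form), and confirm the result against a test account before relying on it to gate EPCS access.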
  10. Click Add Application.

    After saving the application, the Information for Service Providers page appears.

  11. To complete the integration and establish a working connection with SecureAuth, provide the following information as required to the Epic database.

    Login URL, Logout URL, IdP Issuer

    Click Copy to Clipboard to copy the Identity Platform realm information and paste it in the corresponding field on the service provider user interface, as required.

    IdP Signing Certificate

    Download the IdP Signing Certificate.

    Download Metadata

    To download the metadata file:

    1. Click Download Metadata.

    2. In the Domain name field, enter the Identity Platform instance URL or IP address.

      For example, https://secureauth.company.com or https://111.222.33.44

      [Figure: Metadata file download]

    3. Click Download to get the configuration file.

    4. Use this metadata file for the Epic database in the next section.

  12. Click Continue to Summary to review the application settings.

    [Figure: SAML configuration summary]

  13. Click Back to Application Manager to find the application added to the list.

Epic configuration

For your organization's instance in Epic, set up the following to enable integration with the Identity Platform as an authentication device for the EPCS workflow in Epic Haiku and Epic Canto mobile apps.

  1. In Epic, create an authentication device (E0G) record and specify the Identity Platform as the primary device for the Epic Haiku and Epic Canto EPCS context.

  2. Using the metadata file downloaded from the Identity Platform, make the following configurations:

    1. Create a relying party trust.

    2. Ensure the endpoints used by the Epic authentication devices are exposed.

    3. Export the SSL certificate file in base64-encoded X.509 format to a directory that is accessible from the Epic database server.

  3. Enter the path to the certificate file in the authentication device record.