Single Sign-On (SSO) allows your organization’s users to log in to Compliance Manager using the same credentials they use for your internal applications. This improves security, reduces password fatigue, and simplifies identity management across your workforce.
Compliance Manager supports SAML 2.0, a widely adopted enterprise authentication standard that enables secure Single Sign-On (SSO) integration with common identity management platforms, including Okta, OneLogin, and Active Directory Federation Services (ADFS).
Note: Most other SAML-compliant providers may also work because SAML 2.0 follows standardized authentication rules.
Before you begin, notify your users that once SAML SSO is enabled, they will be required to sign in through your organization’s Identity Provider and will no longer use their Compliance Manager password. Ensure that user email addresses match exactly between your Identity Provider and Compliance Manager user records, as this is required for successful authentication.
Follow the steps below to configure SAML Single Sign-On (SSO) for Compliance Manager. This flow applies to most customers using Okta, OneLogin, or ADFS.
Step 1: Review Service Provider (SP) Information
- Log in to Compliance Manager as an administrator or IT Manager.
-
Navigate to Admin → SAML SSO → Settings.
-
Review the Service Provider details:
- Entity ID - Identifies Compliance Manager as the Service Provider.
- Assertion Consumer Service (ACS) URL - Endpoint where your Identity Provider sends authentication responses.
- (Optional but recommended) Click Download SP Metadata and save the XML file.
Note: The SP Metadata file contains Compliance Manager’s SAML configuration and is commonly used when setting up the application in your Identity Provider.
Step 2: Configure the SAML Application in Your Identity Provider
- Log in to your Identity Provider’s admin portal (Okta, OneLogin, or ADFS).
- Create a new SAML 2.0 application or open an existing one.
-
Importing SP Metadata (recommended when supported):
- If your Identity Provider supports metadata import, select Import Metadata, Upload Metadata File, or Configure from XML.
- Upload the SP Metadata XML file downloaded from Compliance Manager and save.
- Importing SP metadata automatically populates required values such as the ACS URL and Entity ID, reducing manual errors.
-
If metadata import is not supported:
-
Manually enter the following values using the SP Metadata file as a reference:
- Entity ID
- ACS (Reply) URL
- Binding type (typically HTTP-POST)
-
Manually enter the following values using the SP Metadata file as a reference:
Note: Some Identity Providers require manual entry even when SP metadata is available.
-
Configure authentication attributes:
Set NameID to Email (recommended)
Ensure the email matches the user's email in Compliance Manager
Assign users or user groups to the application.
Save the application configuration.
Note: Do not enable SSO in Compliance Manager yet. Complete the Identity Provider setup first.
Step 3: Obtain Identity Provider (IdP) Metadata
(In Your Identity Provider)
- Download the IdP Metadata XML file, or copy the IdP Metadata URL if provided.
-
Confirm the metadata includes:
- IdP SSO URL
- IdP SLO URL (if supported)
- Signing certificate
- Identity Provider Entity ID
- This metadata is required for Compliance Manager to trust your Identity Provider.
Step 4: Import IdP Metadata into Compliance Manager
- Navigate to Admin → SAML SSO → IDP Metadata Parser.
- Paste the Metadata URL or upload the Metadata XML file.
- Click Parse Metadata, review the values, then click Save Settings.
- The system automatically populates Identity Provider fields on the SAML SSO Settings page.
Note: If your Identity Provider application is already configured and IdP metadata is available, you may start directly with this step. Otherwise, complete Steps 1–3 first.
Step 5: Review and Enable SAML SSO Settings
- Return to Admin → SAML SSO → Settings.
-
Verify the following fields are prefilled:
- IdP SSO URL
- IdP SLO URL (if applicable)
- Certificate and fingerprint
-
Complete the remaining configuration:
- Enable SAML Integration
-
Select your Identity Provider.
- (Optional) Enable Disable Login via Healthicity to enforce SSO-only login.
Click Save.
Step 6: Test the SSO Login Flow
- Log out of Compliance Manager.
- Navigate to the Compliance Manager login page.
- Confirm redirection to your Identity Provider.
- Sign in using organizational credentials.
- Verify successful redirection back to Compliance Manager.
Tip: If login fails, confirm email matching, metadata accuracy, and certificate validity.
Notes:
- SSO takes effect immediately. Test thoroughly before enabling it in production.
- Email addresses must match between your Identity Provider and Compliance Manager.
- Users must exist in your IdP before they can sign in.
- Monitor certificate expiration and re-import metadata when certificates change.
- When using SAML SSO, Compliance Manager MFA must be disabled for SSO users.
- Notify internal teams and users before rollout to avoid access issues.
© Healthicity, LLC
Comments
0 comments
Please sign in to leave a comment.