Trella Health SSO Technical Guide

Overview

Customers who have access to Trella Health systems may be interested in authenticating with their own Identity Provider (IdP). This document outlines the information a customer's IT department needs to set up single sign-on (SSO) using their IdP and to establish connectivity to Trella Health's Service Provider (SP).


SSO Process

SSO is a method for reusing your company-provided authentication credentials and access control mechanisms to gain access to systems managed by third parties such as Trella Health. When a user at your company accesses Trella Health systems, your company's login screen is presented instead of a Trella Health login screen.

Once your IdP authenticates the user, it shares the user's email address with Trella Health, and Trella Health matches the user by that email address.

Individual users must be created and set up in Trella Health systems before they can be granted access. Trella Health can delegate authentication to your IdP; however, authorization remains with Trella Health.

Supported Authentication Protocols

Trella Health supports both SAML2 and OpenID Connect (OIDC). The customer must decide which of these two SSO methods to enable.

Note that Trella Health only supports SP-initiated SSO, where a user initiates login by navigating to a Trella Health provided URL. Trella Health does not support IdP-initiated SSO, where a user initiates login directly from the customer's IdP.

Establishing Connectivity

To set up SSO, two things must happen. First, the customer must update their IdP with Trella Health's service provider (SP) information. Second, Trella Health must receive an XML metadata file describing your IdP endpoint.

Trella Health SP metadata are as follows:

Production Settings

SAML Assertion endpoint: https://auth.trellahealth.com/saml2/idpresponse

OIDC Token endpoint: https://auth.trellahealth.com/oauth2/idpresponse

SP URN: urn:amazon:cognito:sp:us-east-2_4q9sQPC7X

Customer Action Steps

  • The customer selects either the SAML or the OIDC SSO method and uses the SP metadata above to update their IdP.

  • The customer sends Trella Health the IdP metadata file. Please ensure the user's email address is included in authentication responses. For example, with SAML, the authenticated user's email address should be included as a SAML attribute in the SAML response.

  • Please also provide all the email domain names used by your users. The email domain name is used to route authentication requests to the correct IdP.
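As an added illustration (not part of this guide or Trella Health's own tooling), the following Python check can be run by a customer's IT team against a test SAML response exported from their own IdP before sending the metadata: it confirms the response is addressed to the Trella Health assertion endpoint, that the audience is the SP URN above, that an email attribute is present, and that the email's domain is one of the domains you intend to report. The email attribute names and the sample response are assumptions and must be adapted to what your IdP actually emits.

```python
import xml.etree.ElementTree as ET

# Production SP settings quoted from this guide.
SP_URN = "urn:amazon:cognito:sp:us-east-2_4q9sQPC7X"
ACS_URL = "https://auth.trellahealth.com/saml2/idpresponse"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed attribute names for the email claim; match these to your IdP's configuration.
EMAIL_ATTRS = {"email", "mail", "emailaddress",
               "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"}

def check_saml_response(xml_text, allowed_domains):
    """Return pass/fail checks plus the email the SP would match on."""
    root = ET.fromstring(xml_text)  # feed this only your own IdP's test output
    assertion = root.find("saml:Assertion", NS)
    result = {
        "destination_is_acs": root.get("Destination") == ACS_URL,
        "audience_is_sp_urn": False, "recipient_is_acs": False,
        "email_present": False, "domain_known": False, "email": None,
    }
    if assertion is None:
        return result
    aud = assertion.find(".//saml:AudienceRestriction/saml:Audience", NS)
    result["audience_is_sp_urn"] = aud is not None and aud.text == SP_URN
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    result["recipient_is_acs"] = scd is not None and scd.get("Recipient") == ACS_URL
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name", "").lower() in EMAIL_ATTRS:
            val = attr.find("saml:AttributeValue", NS)
            if val is not None and val.text and "@" in val.text:
                result["email"] = val.text.strip()
                result["email_present"] = True
                domain = result["email"].rsplit("@", 1)[1].lower()
                result["domain_known"] = domain in {d.lower() for d in allowed_domains}
                break
    return result

# Constructed, unsigned sample response for illustration only.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 Destination="{ACS_URL}"><saml:Assertion><saml:Subject><saml:SubjectConfirmation>
 <saml:SubjectConfirmationData Recipient="{ACS_URL}"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_URN}</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement><saml:Attribute Name="email">
 <saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE, ["example.com"]))
```

This is a structural pre-flight check only; it does not validate the XML signature, which Trella Health's SP performs on real responses.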

Technical Support

Throughout this process, the Trella Health technology team is available to work with you and ensure success; contact them by emailing support@trellahealth.com.