Set up SSO for your organization

Last updated: May 22, 2024

DEVELOPER

IMPLEMENTATION

HEALTH TECH VENDOR

Single sign-on (SSO) allows you to access your Redox dashboard account using a third-party identity provider (IdP). SSO helps control user access policies via a central resource for your organization.

Redox supports:

identity providers compatible with the SAML protocol
SSO initiated from Redox, not identity providers

With SSO, a user from your organization enters their email on the dashboard login page, which then redirects them to your identity provider for authentication. If successfully authenticated, they're redirected back to the dashboard as a logged-in user.

Advanced feature of Redox Nexus™

SSO is available as an advanced feature of Redox Nexus. Talk to a Redoxer if you're interested in upgrading to take advantage of SSO.

But SSO is only available to dashboard users that belong to one dashboard organization. If your organization has users that are part of multiple organizations, they must remove themselves or transfer access to a different Redox account before using SSO.

If you run into any errors with SSO, refer to our troubleshooting tips.

Only for organization owners

You must be assigned to an organization owner role to view and manage SSO settings. If not, you'll see a warning instead of the SSO settings. Learn about roles.

This how-to is only for users with an organization owner role.

Configuring in the dashboard

For Standard (and above) customers, an organization owner can follow these steps to turn on SSO:

Log in to the dashboard.
On the navigation menu, your username displays at the bottom. Click your username for the user menu to appear.
From the user menu, select the Organization Profile option.
Organization Profile option of the user menu
By default, the Organization Info page displays. Click the Settings tab.
The SSO information displays. First, we provide the Redox authorization server values. Use the Connection name value and Audience restriction value in your IdP configuration.
Redox authorization server values
Next, the Identity provider configuration contains details about your IdP. Specific configuration details vary between IdPs, but the basic process is the same. Fill in the relevant fields:
- Name: Enter a friendly name to represent your IdP.
- Domain name: This field automatically populates with the company domain and isn't editable. The domain is where your organization's users have an email account.
- Configuration mode: Select the radio button option for one of these two options.
  - URL import: Enter the public URL for your SAML metadata XML document. Redox pulls the entity ID and keys to validate the response from the IdP.
    IdP configuration - Import option
  - Manual: Provide the entity ID and keys yourself.
    - Signing certificate: Enter the public key that your IdP uses to sign requests. This should be an X.509 certificate encoded in PEM or CER format. You can download the certificate from your IDP's system. Review the instructions for locating the certificate for your relevant IDP at the end of this page.
    - Sign-in URL: Enter the redirect URL for users in your organization to log in to the IdP.
      IdP configuration - Manual option
Confirm the Attribute mapping. These fields populate automatically, but you should confirm them or adjust as needed.
Attribute mapping
- User full name: The name of the SAML attribute that your IDP uses for a user's full name.
- User email: The name of the SAML attribute that your IDP uses for a user's email address.
Once you've populated the editable fields and confirmed everything, click the Save button.
Test before enabling SSO
We recommend configuring and testing your SSO configuration with your identity provider before enabling SSO in the Redox dashboard. If you enable SSO without testing, you risk getting locked out of your organization.
Under the Organization Settings, an Enabled for Organization toggle appears. If you choose to disable SSO later, you can toggle this option to off.
SSO enabled for your organization
After saving successfully in the dashboard, you must refer to your IdP for instruction on how to configure the SAML protocol from their end.
IdP instructions
Check out the instructions we have for configuring the SAML protocol for common IdPs after this section.
Once you've successfully enabled SSO in both the Redox dashboard and your IdP, all users must log in via SSO going forward. Previous username and password credentials no longer work.

After SSO is enabled, any new user who successfully authenticates via your identity provider is added to your organization. Existing users of your organization may not join another Redox organization.

Lastly, keep in mind that user access may be revoked by your IdP.

Configuring SAML protocol

Follow the instructions for your given IdP to enable SSO. For your convenience, we have instructions for the following IdPs.

Only support SSO initiation from Redox

Remember that Redox only supports initiating SSO from the service provider side, i.e., from the Redox dashboard. When a user tries to log in to the Redox dashboard, we redirect them to your identity provider for authentication. After successful authentication, the user is directed back to the Redox dashboard.

This means you won't be able to launch SSO to Redox through your identity provider.

Where to find the Connection URL

Look no further than the Redox dashboard to find the Connection URL. The value is specific to your Redox organization's IDP configuration.

For Okta

Log in to your Okta admin dashboard.
Click the Applications tab, then the Integration network option.
On the Integration network page, click the Create a New App button.
The Create a new app integration page opens. Select the SAML 2.0 option, then click the Next button.
Create a new app integration
The General Settings opens. Enter an app name for your SAML protocol, then click the Next button.
General settings
The SAML Settings opens. Enter the following values:
- Single sign on URL: The Redox auth URL (https://auth-v2.redoxengine.com/login/callback?connection=<CONNECTION_NAME>)
- Audience URI: The intended audience of the SAML assertion (urn:auth0:redoxprod:<CONNECTION_NAME>). Copy this from the Redox dashboard (step #8 in the previous section).
  Okta SAML Settings
Scroll down to the Attribute Statements settings and add the following statements.
1. Add a statement for the email address attribute:
  - Name: The attribute name (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)
  - Name format: The specified format for the name (Unspecified)
  - Value: The name value (user.email)
2. Add a statement for the name attribute:
  - Name: The attribute name (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name)
  - Name format: The specified format for the name (Unspecified)
  - Value: The name value (user.firstName+""+user.lastName)
    Attribute statements
Once the SAML fields are populated, click the Next button.
On the next page, select the I'm an Okta customer adding an internal app option.
Another set of options appears. Select the This is an internal app that we have created option, then click the Next button.
On the next page, click the Sign On tab.
In the SAML Signing Certificates section, your active signing certificate appears. Click the Actions drop-down menu.
From the drop-down menu, click the Download certificate option. This is the public key that you paste into the Redox dashboard under the Organization Profile Settings in the Signing certificate field.
Download certificate
From the Actions drop-down menu again, click the View IDP metadata option.
View IdP metadata
A new tab opens. Copy the metadata URL and paste it into SAML metadata URL field in the Redox dashboard. Remember this is under the Organization Profile Settings in the Identity Provider section.
Paste in the SAML Metadata URL field
Scroll down and click Save in the Redox dashboard after updating the Organization Profile Settings.
In Okta, click the View SAML setup instructions button on the right-hand side.
A new tab opens. Copy these values and paste them in the Redox dashboard:
- Paste the Identity Provider Single Sign-on URL in the Sign-in URL field in the dashboard.
- Paste the Signing Certificate in the Signing Certificate field in the dashboard.
Back in the Okta admin dashboard, assign users to the Redox application.

For Microsoft Azure Active Directory

Log in to your Azure portal.
Navigate to the Azure Active Directory page.
The directory's Overview page opens. On the navigation menu, click the Enterprise applications page.
All of your applications display on the page. Click the New application button.
The Browse Azure AD Gallery page opens. Click the Create your own application button.
A modal opens for your new application. Enter a name for the Redox dashboard application and select the Integrate any other application you don't find in the gallery (Non-gallery) option. Then click the Create button.
Create your own Azure application
The enterprise application Overview page opens. Click the Set up single sign on option.
The Single sign on page opens. Click the SAML option.
The SAML-based Sign-on settings opens. For the Basic SAML Configuration option, click the Edit button.
Edit the SAML settings
The Basic SAML Configuration modal opens. Enter the SAML settings:
- Click the Add identifier link and replace the default identifier ID (entity ID) with the new identifier: urn:auth0:redoxprod:<CONNECTION_NAME>.
- Click the Add reply URL link and enter the Redox auth URL: https://auth-v2.redoxengine.com/login/callback?connection=<CONNECTION_NAME>.
- After both values are entered, click the Save button at the top.
  SAML settings
The modal closes. Back on the SAML-based Sign-on settings, click the Edit button for the Attributes & Claims option.
Edit the Attributes & Claims
The Redox dashboard currently requires claims for the user’s name and email address. Use the default SAML claims configured in the Azure active directory application, or modify them to meet your organization’s needs. The defaults are the following:
- Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
- Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name.
Back on the SAML-based Sign-on settings, locate the App Federation Metadata URL under the SAML Signing Certificate option. Copy the metadata URL and paste it into the Redox dashboard.
The metadata URL
Also copy these values and paste them in the Redox dashboard:
- Paste the Identity Provider Single Sign-on URL in the Sign-in URL field in the dashboard.
- Paste the Signing Certificate in the Signing Certificate field in the dashboard.

FHIR® is a registered trademark of Health Level Seven International (HL7) and is used with the permission of HL7. Use of this trademark does not constitute an endorsement of products/services by HL7®.