
HelloID

Gerimedica Ysis SAML application setup
Introduction

This article demonstrates how to set up Ysis for single sign-on. The configuration takes place in HelloID and requires you to send information to Gerimedica.

Requirements
  • HelloID environment

  • Ysis environment

  • Ysis SAML metadata (received after requesting single-sign-on from Gerimedica)

Create or import a signing certificate

If there is no signing certificate yet, you must create or import one. For this tutorial, we will create a self-signed certificate. Name it YsisSelfSigned.

Import the encryption certificate

In addition to creating or importing the above signing certificate, you must import the Ysis encryption certificate.

  1. After you have received the Ysis SAML metadata file from Gerimedica, open it in a text editor.

  2. Find the following line: <md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>

  3. Copy the text between the <ds:X509Certificate></ds:X509Certificate> tags. Paste it into a new file.

  4. Add -----BEGIN CERTIFICATE----- to the first line, and -----END CERTIFICATE----- to the last line.


Save the file and import it into HelloID. Name the certificate YsisImported.
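Steps 2 to 4 above can also be scripted. The following Python is an added example, not HelloID or Gerimedica code; the function name and the sample metadata are assumptions, and the sample certificates are constructed placeholder bytes. It selects only the use="encryption" certificate, validates the base64, and returns the PEM text together with a SHA-256 fingerprint that can be compared with Gerimedica.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CERT_PATH = (".//md:KeyDescriptor[@use='encryption']"
             "/ds:KeyInfo/ds:X509Data/ds:X509Certificate")

def extract_encryption_cert(metadata_xml):
    """Return (pem_text, sha256_hex) for the use="encryption" certificate."""
    certs = ET.fromstring(metadata_xml).findall(CERT_PATH, NS)
    if len(certs) != 1:
        # Refuse to guess: importing the signing key, or one of several keys,
        # would encrypt assertions to the wrong certificate.
        raise ValueError(f"expected 1 encryption certificate, found {len(certs)}")
    # Metadata often wraps or indents the base64; strip all whitespace first.
    b64 = "".join((certs[0].text or "").split())
    der = base64.b64decode(b64, validate=True)  # rejects stray characters
    if der[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("decoded data is not a DER structure")
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return pem, hashlib.sha256(der).hexdigest()

# Constructed sample input: placeholder bytes, NOT real certificates.
SIGN_DER = b"\x30\x82\x00\xc8" + bytes(range(200))
ENC_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.invalid/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(SIGN_DER).decode("ascii")}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(ENC_DER).decode("ascii")}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    pem, fingerprint = extract_encryption_cert(SAMPLE_METADATA)
    print(pem, "SHA-256:", fingerprint)
```
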

Application Setup
Add the Ysis Application
  1. Add a new application.

  2. Find the template for Gerimedica Ysis (SAML).

  3. Select its Add button.

General tab

Change the following settings:

  • Default Login URL

    Replace {customer} with your Ysis username.


Select the Next button.

Single Sign-On tab

Change the following settings:

  • Endpoint/ACS URL

    Replace {customer} with your Ysis username.

  • X509 Certificate

    Select the signing certificate that you previously imported or created.

  • Extra Audience(s)

    Replace {customer} with your Ysis username.

  • X509 Encryption Certificate

    Select the encryption certificate that you previously imported.


Select the Next button.

Self Service tab

Optionally, generate a Self Service product, which makes the application requestable. Select a group which will have access to the product.

Select the Next button.

Finish tab

Select the Save button to add the Ysis application to HelloID.

Additional configuration
Mapping

By default, the user's HelloID {{user.contactEmail}} attribute is sent as the SAML NameID. If you wish to use another attribute, see Mapping - Overview. You must communicate this change to Gerimedica.

Create a shortcut

Gerimedica Ysis doesn't support SP-initiated flows. Therefore, if you want your users to be able to launch it from the HelloID dashboard, you must create a shortcut to it.

Supplier-side configuration

The HelloID side of the configuration is now finished.

To connect, Gerimedica needs to add the connection on their side. Contact Gerimedica to request this.

Send them the following information:

  • Metadata URL

  • Login URL

  • Logout URL

Metadata URL
  1. Go to the Applications overview.

  2. Select the Edit link for the newly-added Ysis application.

  3. Right-click the Download metadata button.

  4. Select Copy link address. It will resemble: https://enyoi.helloid.com/metadata/download?ApplicationGUID=e6e741f5-a469-4849-93f7-fe2e259a339f.

Login URL

The login URL can be found in the metadata file. It resembles: https://{customer}.helloid.com/relayservice/redirect/896f41ed-6d3a-4ef3-bc4c-a64c5b1847e9

Logout URL

The logout URL of your HelloID environment, in the format: https://{customer}.helloid.com/authentication/signoff

Replacing an encryption certificate

When the encryption certificate is about to expire, Gerimedica will provide a new metadata file that includes the new encryption certificate.

Follow the steps in the "Import the encryption certificate" section above and save the new certificate under a new name. Do not remove the old certificate before the configuration has been changed.

Before you activate the new encryption certificate, contact Gerimedica to make an appointment for the replacement. If you replace the certificate right away, without this appointment, single sign-on will stop working.

To replace the certificate, follow these steps:

  1. In the HelloID administrator dashboard, browse to Applications.

  2. Find the Gerimedica Ysis application in your application list and select Edit.

  3. Open the configuration tab and select the newly created encryption certificate in the dropdown next to the X509 Encryption certificate option.

  4. Do not change the certificate selected at the X509 Certificate option below the endpoint option. This is the signing certificate, which is not used to encrypt the message.

  5. Select Save to finish the replacement of the encryption certificate.