Introduction
This article demonstrates how to set up HelloID and Lablecare for single sign-on using the SAML protocol. The configuration takes place in HelloID and requires you to send information to Lablecare.
If there are multiple environments, we advise always connecting to the production environment and setting up the other environments as Shortcuts.
Requirements
- HelloID environment
- Lablecare environment
Create or import a certificate
If there is no certificate yet, a certificate must be imported or created. For this tutorial, we will use a self-signed certificate. Create one before proceeding and name it LablecareSelfSigned.
Application setup
Add the Lablecare application
Go to Applications > Applications and select the Open application catalog button. Find the template for Lablecare (SAML) and select its Add button. Learn more about managing applications here.
General tab
On the General tab, replace the Default Login URL with your Lablecare environment URL. Optionally, you may also add a description.
Select the Next button.
Single Sign-on tab
On the Single Sign-On tab, perform the following steps:
- Issuer: Enter your HelloID domain in the format https://{customer}.helloid.com.
- Endpoint URL: Enter your Lablecare environment URL.
- Validate and use ACS request URL: Turn this toggle on.
- ACS validation list: Enter your Lablecare environment's AssertionConsumerService URL. This can be obtained from Lablecare or found in the Lablecare metadata file. This URL is case sensitive.
- X509 Certificate: Select the LablecareSelfSigned certificate that you previously imported or created.
- Extra audience: Enter the Audience URI provided by Lablecare. In most cases this matches the URL entered for ACS validation list. This URL is case sensitive.
Select the Next button.
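Because the ACS validation list is case sensitive, it helps to copy the AssertionConsumerService URL directly out of the Lablecare metadata file and compare it with what was typed into HelloID. The script below is an added example, not part of HelloID or Lablecare; the sample metadata, the lablecare.example host and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample SP metadata; host and paths are placeholders,
# not real Lablecare values.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://lablecare.example/Saml/Metadata">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://lablecare.example/Saml/ACS"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def read_acs_urls(xml_text):
    """Return every AssertionConsumerService Location in SP metadata."""
    # Precaution: SAML metadata never needs a DTD, so refuse one outright.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("metadata must not contain a DOCTYPE")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    return [
        el.get("Location")
        for el in root.iter(f"{{{MD_NS}}}AssertionConsumerService")
        if el.get("Location")
    ]


def check_entry(entered, metadata_urls):
    """Classify a URL typed into HelloID against the metadata values."""
    if entered in metadata_urls:
        return "match"
    if entered.lower() in (u.lower() for u in metadata_urls):
        # Same URL apart from letter case: the field is case sensitive,
        # so this entry would not validate.
        return "case-mismatch"
    return "no-match"


if __name__ == "__main__":
    urls = read_acs_urls(SAMPLE_METADATA)
    for candidate in ("https://lablecare.example/Saml/ACS",
                      "https://lablecare.example/saml/acs"):
        print(candidate, "->", check_entry(candidate, urls))
```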
Self service tab
On the Self Service tab, choose whether to automatically create a Self Service product, which makes the application requestable. Select a group which will have access to the product. This is optional.
Select the Next button.
Finish tab
On the Finish tab, select the Save button to add the Lablecare application to HelloID.
Configure the mapping set
By default, the user's HelloID {{user.attributes.userPrincipalName}} attribute is sent as the SAML NameID. If you wish to use another attribute, see Mapping - Overview.
Supplier-side configuration
The HelloID side of the configuration is now finished.
To connect, Lablecare needs to add the connection on their side. Contact Lablecare to request this. Note that they will need the Metadata URL:
- Go to Applications > Applications and select the Edit link for the newly-added Lablecare app.
- Right-click the Download metadata button and select Copy link address. It will resemble https://enyoi.helloid.com/metadata/download?ApplicationGUID=e6e741f5-a469-4849-93f7-fe2e259a339f.
Provide this value to Lablecare.
Finish up
The Lablecare application has been added to HelloID, and a trust has been configured between Lablecare and HelloID. You are now free to assign the application to users within your organization and begin testing and using it. See Applications - Overview and its related articles for more information.