Single Sign-On (or SSO) allows users to use their institution’s user name and password to access the Actionable Findings application, eliminating the need for multiple user names and passwords.
Institutions that use SSO manage their own user account information: user name and password storage, their password requirements, and user authentication. The Actionable Findings application manages authorization, permissions, devices, and profile settings.
When you add or edit an institution and select the Enable SSO check box, several of the existing preferences are grayed out and unavailable. (See the items highlighted in yellow in the illustration below.)
With the Enable SSO check box selected, two additional SSO fields are required:
SSO Unique Name: A unique URL for each institution. This URL is provided by Nuance and takes the form https://NuanceActionableFindings.com/SSO.aspx?Partner=<partner name>. When the customer clicks the URL, it redirects them to their IDP/AD/LDAP system to validate the user and allow them to log in. (Note that customers are not required to use this URL; they can also log in at the Actionable Findings login window where the system will recognize their email username as an SSO account and allow them to log in.)
SSO Organization ID: A unique organization ID that must match the Central Auth ID for the institution. In addition, if the customer also has mPower (or in the future, other Nuance Healthcare products), make sure that this ID is the same across all products. (Central Auth: An NMS shared platform that all Nuance Healthcare products will use. It receives and validates the user's IDP/AD/LDAP login request, allowing valid users to access the applications.)
Accounts can be created using Physician Directory Sync (PDS), by upload, or manually.
Username is the primary identifier; it must be the user's email address. Email address becomes an attribute.
Username field can be updated by an administrator, PDS, and upload.
No provisioning emails will be sent on SSO account creation.
No Manage Account Provisioning menu option in the Actionable Findings Web tool.
SSO-enabled institutions will not appear in the Institution list when provisioning in CS Tools.
PDS: Automatically creates user accounts (updates account to the user's SSO email address).
SSO: Removes the provisioning workflow and allows only authenticated users into the system by way of their Windows credentials.
Mobile Clinician: Allows OCs to log into the mobile device without needing to create a username or password.
Benefit: Automates account creation, removes provisioning necessity, provides user device management.
Customers with Active Directory Federation Server (AD FS) will log in at their existing AD login screen.
Customers without AD FS can install a connector that allows them to proxy into Central Auth and access the application.
SSO users still have the option to go to the original Actionable Findings login page and enter their email address (password not needed for authentication). Once that email address is authenticated, the user will be logged into the application.
(Nuance users: The CS Tools application will be linked to your Nuance SSO (AD FS).)
SSO users will not see the Change Password option in their Tools menu item.
Customers with SSO will notice changes to their User Profile window (Tools > Edit Profile). Several items will be grayed out to prevent accidental changes. These items are now controlled by the customer's IDP/AD/LDAP system. The items are First Name, Last Name, Username, and Email.
-- SSO cannot be used on Desktop applications (if the customer uses Desktop, SSO will not be an option).
-- SSO Organization ID is a Central Auth ID and must match across all healthcare products a customer has with SSO.
-- OCs outside the customer's domain will not be able to use mobile app/AF web or be provisioned. They can only be profiled for devices.
-- Back-end changes: No account notifications will be sent out (welcome email or password reset/forgot/expire email).