SSO using SAML 2.0

Overview

mscripts integrates with an organization’s Identity Management infrastructure to provide users seamless access across the enterprise. In order to implement the mscripts’ Single Sign-On (SSO) solution, an Identity Management platform is needed to host the organization’s user information. That platform may be hosted and managed internally by the pharmacy, or by a third-party solution.

Account management operations such as registration, login, profile management, forgot password and logout are administered on the client (customer admin) side, not in mscripts.

 

How it works

Web Portal - Enrollment

  1. The patient creates an account in the mscripts pharmacy application in one of the following ways:
    • Registers a new account on the client portal page and chooses a widget (e.g. a menu option or button) to access mscripts. The Identity Provider (IDP) is updated with the patient profile and then initiates the SAML form POST to mscripts (IDP-initiated SSO).
    • Alternatively, the patient first goes to the mscripts login/home page and selects the sign-in button. In this case they are redirected to the client portal page along with a RelayState value, which the IDP returns unchanged to mscripts with the SAML assertion form POST.
  2. If all required data is provided in the SAML assertion, namely a unique Email, Mobile #, First Name, Last Name, DOB and Rx#, the patient account is created. If any required data is missing, a 'step-up' page is displayed for the patient to enter it. mscripts requires the combination of First Name, Last Name, Date of Birth and Prescription # to look up and uniquely identify the patient in the dispensing system.
  3. Once the patient is successfully identified, the mscripts prescriptions landing page is displayed.

 

Standard flow for a new patient account creation

[diagram]

Web Portal - Login

  1. The patient logs into an account in the mscripts pharmacy application in one of the following ways:
    • Logs into the client portal page and chooses a widget (e.g. a menu option or button) to access mscripts. The Identity Provider (IDP) is updated with the patient profile and then initiates the SAML form POST to mscripts.
    • Alternatively, the patient first goes to the mscripts login/home page and selects the sign-in button. In this case they are redirected to the client portal page along with a RelayState value, which the IDP returns unchanged to mscripts with the SAML assertion form POST.
  2. The patient's SSO identifier from the assertion is looked up in mscripts; if the patient is successfully identified, the mscripts prescriptions landing page is displayed.

 

Standard flow for patient login

[diagram]

Mobile - Enrollment

  1. The patient downloads the mscripts app from the app stores (the App Store for iOS or Google Play for Android).
  2. The patient then opens the mscripts app and is presented with the IDP account creation page inside a webview. After the account is created, the IDP initiates the SAML form POST to mscripts.
  3. If all required data is provided in the SAML assertion, namely a unique Email, Mobile #, First Name, Last Name, DOB and Rx#, the patient account is created. If any required data is missing, a 'step-up' page is displayed for the patient to enter it. mscripts requires the combination of First Name, Last Name, Date of Birth and Prescription # to look up and uniquely identify the patient in the dispensing system.
  4. Once the patient is successfully identified, mscripts redirects to the landing page.

Standard flow for new patient account creation with the mscripts standalone app

[diagram]

Mobile - Login

 

  1. The patient opens the mscripts pharmacy app and is presented with the IDP account login page inside a webview. After the patient logs in, the IDP initiates the SAML form POST to mscripts.
  2. An API call is made to the Identity Provider (IDP) to verify the patient using the SSO identifier, and a lookup is made in the dispensing system for a match. If the patient is successfully identified, the mscripts prescriptions landing page is displayed.

 

Standard flow for patient login on the mscripts standalone app

[diagram]
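All four flows above (web and mobile, enrollment and login) end with the same service-provider step: mscripts receives the IDP's SAML form POST, validates the assertion, and then either signs the patient in by SSO identifier, creates the account when every required attribute is present, or shows the step-up page for whatever is missing. The Python below is an added illustration of that decision logic; it is not mscripts' code. The attribute names, the SP audience URL, the build_sample_response() helper (which constructs an unsigned sample Response for offline use) and the handle_post() function are assumptions for the example. XML signature verification of the Response is assumed to be done by a SAML library before parse_response() runs and is not shown.

```python
"""SP-side handling of an IDP-initiated SAML 2.0 form POST (added example, not mscripts code).

Assumed for the example: the attribute names in REQUIRED, EXPECTED_AUDIENCE,
build_sample_response() and handle_post(). Signature verification is assumed
to have happened in a SAML library before parse_response() is called.
"""
import base64
import xml.etree.ElementTree as ET   # use defusedxml for untrusted input in production
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Attribute names are assumed; the real names are agreed in the SSO questionnaire.
REQUIRED = ("email", "mobile", "firstName", "lastName", "dob", "rxNumber")
LOOKUP_KEYS = ("firstName", "lastName", "dob", "rxNumber")   # dispensing-system lookup
EXPECTED_AUDIENCE = "https://mscripts.example/sp"            # assumed SP entity ID


def _ts(value):
    """Parse a SAML xsd:dateTime such as 2024-01-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_response(saml_response_b64, now=None, audience=EXPECTED_AUDIENCE):
    """Decode the SAMLResponse field and return (sso_identifier, attributes).

    Raises ValueError if the status is not Success, the Conditions window has
    not started or has expired, or the AudienceRestriction names another SP.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("SAML status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            raise ValueError("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            raise ValueError("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and audience not in audiences:
            raise ValueError("assertion not addressed to this SP")
    sso_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not sso_id:
        raise ValueError("no NameID (SSO identifier) in Subject")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        if values:
            attrs[attr.get("Name")] = values[0]
    return sso_id, attrs


def route(sso_id, attrs, known_sso_ids):
    """Pick the next page, mirroring the documented enrollment and login flows."""
    if sso_id in known_sso_ids:                       # login: known SSO identifier
        return {"action": "landing"}
    missing = [k for k in REQUIRED if not attrs.get(k)]
    if missing:                                       # enrollment with gaps: step-up page
        return {"action": "step-up", "missing": missing}
    return {"action": "create", "lookup": {k: attrs[k] for k in LOOKUP_KEYS}}


def handle_post(form, known_sso_ids, now=None):
    """Process the assertion consumer form post (SAMLResponse plus optional RelayState)."""
    try:
        sso_id, attrs = parse_response(form["SAMLResponse"], now=now)
    except ValueError as exc:
        return {"action": "reject", "reason": str(exc)}
    result = route(sso_id, attrs, known_sso_ids)
    relay = form.get("RelayState", "")
    # RelayState comes back verbatim from the IDP; honour only a local path,
    # otherwise the post-login redirect becomes an open redirect.
    result["relay_state"] = relay if relay.startswith("/") and not relay.startswith("//") else "/"
    return result


def build_sample_response(sso_id, attrs, not_on_or_after="2099-01-01T00:00:00Z"):
    """Constructed, unsigned sample Response for offline use; not a real IDP message."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for k, v in attrs.items())
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0">'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0">'
        f'<saml:Subject><saml:NameID>{sso_id}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="2000-01-01T00:00:00Z" NotOnOrAfter="{not_on_or_after}">'
        f'<saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

Calling handle_post() with a sample Response that carries all six attributes for an unknown NameID returns the "create" action with the four lookup fields; dropping rxNumber returns "step-up" with that field listed; a known NameID returns "landing" regardless of attributes. The RelayState check is the practitioner's caveat here: the IDP echoes the value back untouched, so accepting an absolute URL in it would let anyone who can start the flow choose where the patient lands after login.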

Logout Flow

Logout is implemented by clearing the mscripts cache/session. mscripts then redirects to a logout URL provided by the client, upon which the session on the client side is cleared. Note that this is a plain redirect to the client's logout URL rather than a SAML 2.0 Single Logout (SLO) exchange, so ending the client-side (IDP) session is the responsibility of that logout URL.

 

Password Change and Recovery

Passwords are administered on the client side; mscripts does not store or reset them.

 

Biometrics 

Biometric authentication with SSO is not supported.

 

App-in-App

The mscripts embeddable pharmacy application (App-in-App) is a new product offering in which clients embed the mscripts web-based pharmacy application within their own parent application.

In addition to the normal web pharmacy functionality, additional integration points are provided: device location settings, use of the device camera to refill by scan or to transfer prescriptions using photos, use of the parent app's store locator, and use of device tokens to enable push notifications.

The mobile enrollment and login flows are the ones primarily affected: the patient enters mscripts through the parent client app, so in this model mscripts does not publish separate mobile apps to the Apple or Google stores.

 

Configurations

To allow mscripts to obtain all the information needed to configure the system correctly, please provide the details requested below:

  1. Download the SSO Questionnaire and fill in your responses. Please provide as much detail as possible.
  2. Download the configuration spreadsheet and fill in the information requested.

Once you have filled in these documents, send the files to your implementation manager using the requirements tasks in the mscripts Asana project portal.
 

System requirements

  • Email requirements
    • Email address must be unique
    • Email address changes are disabled on the mscripts account page
    • Email address changes sent in the SAML assertion will update mscripts and trigger a verification email to the patient
  • Mobile # requirements
    • Mobile # changes are disabled on the mscripts account page
    • Mobile # changes sent in the SAML assertion will update mscripts, and the patient will be asked to verify the mobile number upon next login
  • Family Account relationships are not automatically synchronized between the mscripts and client systems
  • The user must accept the mscripts Terms of Service by responding with a Y to the text account confirmation welcome message
  • Biometrics with SSO is not supported; this functionality can be provided by the client's native app
  • The client will provide a logout URL that mscripts will redirect to for clearing the client-side cache/session
  • Password change and recovery are managed on the client side
 

Module availability

PDX Classic       Available
PDX EPS           Available
PDX EOPN          Available
McKesson Non-PCS  Available
McKesson PCS      Available
QS1               NA

Platforms

Text messaging NA
Mobile app Available
Web Pharmacy Available

Communication methods

Text messaging NA
Email NA
Push notifications NA