Configure Trading Partner/Member IdP

Before you start configuring your trading partner identity provider though the SAML or OIDC connection types, make sure that the following information is available:

• IdP Metadata: an XML file with your SAML identity provider metadata to fill in the configuration form automatically.
• Discovery Uri: The URL where an OpenID server publishes its metadata and which returns a JSON listing of the OpenID/OAuth endpoints, available scopes and claims, public keys used to sign the tokens, and other details.

Or if you do not have the file with metadata, you will need to enter the following details manually:

• IdP Information:
• SSO URL: The single sign-on endpoint of your trading partner identity provider to which a browser redirects a user to sign in.
• Logout URL: The remote logout URL where the identity provider will send logout requests and responses. Smart Trading Cloud will redirect users to this URL after they sign out.
• Entity ID: The URL of the identity provider's metadata document reflecting the organization that owns the identity provider. An entity ID is a unique name that distinguishes system entity in metadata, such as an identity provider (IdP) or an service provider (SP), from any other entity.
• Signature Verification Certificate: Your trading partner identity provider's X.509 public key certificate that Smart Trading Cloud must use to validate assertions' correctness.

1. Go to Smart Trading Cloud at https://auth.edifecsfedcloud.com and sign in as an account administrator.
   Watch the video tutorial on how to get started with Smart Trading Cloud.
2. Go to Connections ( on the left navigation bar).
3. Click Trading Partner / Member IdP.
4. On the Identity Provider (IdP) Configuration page, click + Add.
5. On the Create New IdP page, enter the line of business, such as Commercial, Medicare, or Medicaid.
6. Select SAML or OIDC connection type.

   For the SAML connection type, provide identity provider information either through:

   IdP Metadata: Click Upload Metadata to upload XML file with your trading partner SAML identity provider metadata.

   -Or-

   The following:

   1. In SSO URL, enter the single sign-on endpoint of your identity provider to which a browser redirects a user to sign in.
   2. Select to use HTTP-POST bindings if you want the SAML protocol messages to be transferred within the base64-encoded content of an HTML form control. By default, the HTTP Redirect binding is used.
   3. In Logout URL, enter the remote logout URL where the identity provider will send logout requests and responses. Smart Trading Cloud will redirect partner users to this URL after they sign out.
   4. Select HTTP-POST binding for logout if you want the SAML protocol messages to be transferred within the base64-encoded content of an HTML form control for logout.
   5. In Entity ID, enter the URL of the identity provider's metadata document reflecting the organization that owns the identity provider.
   6. In Signature Verification Certificate, enter the trading partner identity provider's X.509 public key certificate that Smart Trading Cloud must use to validate assertions' correctness.

   For the OIDC connection type, enter the URL of the discovery endpoint from which the clients will be reading the available scopes and claims, public keys used to sign the tokens, and other details.

7. Click Save.

You can find the information (SSO and logout URLs) on the configured trading partner identity provider on the left side of the page.

1. Go to Connections ( on the left navigation bar).
2. Click Trading Partner / Member IdP.
3. On the Identity Provider (IdP) Configuration page, click on the IdP you want to edit or delete.
4. To edit the IdP configuration, click . Edit the configuration and click Save.
5. To delete the IdP, click .

1. Go to Connections ( on the left navigation bar).
2. Click Trading Partner / Member IdP.
3. On the Identity Provider (IdP) Configuration page, click on the IdP you want to assign a service to.
4. On the right pane, under the identity provider name, click +Add Service.
5. In the Add a Service pane, in Service, from the drop-down list, select a service for which you configured integration of the trading partner identity provider (for example, Onboarding and Testing Cloud Service).
6. Provide Client ID and Scope(s).
7. Under Attributes, enter the attribute names that are associated with the authenticated user based on the service provider's requirements. The attributes may vary based on the selected service.
8. Click Save.

The information on the added Smart Trading Cloud service appears on the right side of the page, in the Assigned Services (CountOfServices) section, where you can find the following details:

• Callback URL: The URL to which the SAML Authentication Assertion is sent from the service provider.

• SAML2 General Settings:

• RelayState: The URL parameter that is used to coordinate messages and actions of the identity and service providers, for example, to allow the identity provider (through which single sign-on (SSO) was initiated) to indicate the URL of a desired resource when communicating with a service provider, in other words, to where send the response back.
• Attributes: The attribute names that are associated with the authenticated user based on the service provider's requirements.

You can download the saml-conf.xml file with the service provider metadata to use for your trading partners identity provider. Based on the trading partners identity provider, you can also use SAML2 general settings (RelayState and attributes).You can download the saml-conf.xml file with the service provider metadata to use for your trading partners identity provider. Based on the trading partners identity provider, you can also use SAML2 general settings (RelayState and attributes).

• Go to Connections ( on the left navigation bar).
• Click Trading Partner / Member IdP.
• On the Identity Provider (IdP) Configuration page, click on the IdP whose metadata you want to download.
• On the right pane, under the Assigned Services (CountOfServices) section, next to SAML2 General Settings, click Smart Trading Cloud SAML SP Metadata.

To configure your trading partners identity provider, go to your trading partners identity provider settings and add a Smart Trading Cloud service, for example, Onboarding and Testing Cloud Service as a service provider using the metadata (the saml-conf.xml file) (consult your identity provider documentation on how to set up a new trusted application). You can also use SAML2 General Settings.

The following workflow occurs when single sign-on is enabled.

1. Your partner user goes to an identity provider selection screen with identity providers using the link you provided.
2. The partner user selects a required identity provider through which they will sign in to a Smart Trading Cloud service.
3. The identity provider prompts the partner user for their credentials.
4. If the partner user enters valid credentials, they get authenticated through your trading partners identity provider.
5. The partner user is redirected to a Smart Trading Cloud service and is logged in.

For this case, in your trading partner's identity provider, IDP-Initiated SSO URL name should be set up.

1. Your partner user goes to an IDP-Initiated SSO URL. The partner user is redirected to the Identity Provider’s sign-in screen.
2. The identity provider prompts the partner user for their username and password.
3. If the partner user enters valid credentials, they get authenticated through your partners identity provider.
4. The partner user is redirected to a Smart Trading Cloud service and is logged in.