🔐 Single Sign-On (SSO) with SAML for OnePACS
OnePACS now supports Single Sign-On (SSO) via SAML 2.0, enabling seamless and secure authentication through your organization's identity provider (IdP), such as Okta, Azure Active Directory, or other SAML-compatible services.
✅ Benefits of Using SSO
- Use Your Existing Credentials: Log into OnePACS with your corporate username and password.
- Enhanced Security: Centralized authentication via your IdP supports stronger access controls, including MFA policies.
- Improved User Experience: No need to manage a separate OnePACS password; fewer credentials to remember and reset.
🧩 Supported Identity Providers
OnePACS SAML SSO is compatible with major IdPs, including:
- Okta
- Microsoft Azure AD
- Google Workspace (SAML)
- Ping Identity
- Auth0
- JumpCloud
- Any SAML 2.0-compliant IdP
Important Note: The OnePACS SAML Integration does not currently support user provisioning; however, this feature is planned for a future release.
✅ Preconditions for SAML SSO Integration
Before configuring SAML in OnePACS, you will need to configure the application in your SSO Provider based on the following information.
OnePACS’ SAML ACS URL: Each Identity Provider now has a unique ACS URL, generated when you create the IdP record in OnePACS. This ACS URL must be used for:
- Single Sign-On URL
- Recipient URL
- Destination URL
- Audience URL
Entity ID: The Entity ID for OnePACS is the same as the ACS URL for that IdP.
📝 OnePACS Setup Requirements
To configure SSO for your organization:
Log in to OnePACS using your OnePACS admin credentials.
Identity Provider Configuration
Go to Admin > Identity Providers
Click Add at the bottom left of the screen.
Configure your Identity Provider in OnePACS with the metadata or information provided by your IdP:
- IdP Name: An easily identifiable name for use in OnePACS
- IdP Managers: Add facility managers by clicking in the IdP managers box, or click the magnifying glass to select multiple facility managers.
- SSO URL: Provided by the IdP
- Entity ID: Provided by the IdP
- ACS URL: This field displays only after saving.
- Certificate: Provided by the IdP
- Notification Email Address: Contact for IdP-related communications
- SAML Signing Certificate: Eligible signing certificates for use with the IdP.
Important Note: The ACS URL is only generated after you save your Identity Provider. If you need the ACS URL before entering the final details, you can save the Identity Provider with blank or temporary values and update it later.
Assigning Users to IdPs
Go to Admin > Users
Add a user or edit an existing one. Expand Identity Providers at the bottom left of the screen. Select the Identity Provider previously configured, along with the IdP NameID (must match the NameID attribute returned in the SAML response).
The IdP NameID must match the value passed back in the NameID attribute and is case sensitive.
NOTE: Admins are responsible for creating Identity Providers (IdPs). They can either add users directly or delegate access by assigning privileges to facility managers, who can then add other facility managers, facility users, or assign existing users to IdPs for authentication.
NOTE: A user cannot change their password within OnePACS when configured to use SAML because that functionality is handled by the IdP. If you have trouble saving an IdP for a user, check to see if that user has the "Change password" permission and remove it, then try again.
NOTE: Most IdPs send back the NameID by default, but some may require it to be manually sent via IdP configuration.
Please reach out to our support team if you need assistance with setup.
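As an added illustration (not OnePACS code) of the preconditions above and the case-sensitive NameID match, this Python script parses a constructed SAML response, checks that the Destination, Recipient and Audience fields all carry the OnePACS ACS URL, and resolves the NameID exactly. The ACS URL, IdP name and user table are placeholders, and signature verification is assumed to happen separately.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder ACS URL (constructed; the real value is generated by OnePACS per IdP).
ACS_URL = "https://example.onepacs.com/ACS-URL-PLACEHOLDER/42"

# Constructed SAML response, trimmed to the fields this check looks at (no signature shown).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{ACS_URL}">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>Jane.Doe@example.org</saml:NameID>
      <saml:SubjectConfirmation>
        <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{ACS_URL}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Hypothetical user table: (IdP record name, IdP NameID) -> OnePACS username.
USERS = {("corp-okta", "Jane.Doe@example.org"): "jdoe"}

def check_acs_bindings(response_xml, acs_url):
    """Return the names of the URL fields that do not equal the OnePACS ACS URL."""
    root = ET.fromstring(response_xml)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient")
    aud = root.find(".//saml:Audience", NS)
    if aud is None or (aud.text or "").strip() != acs_url:
        problems.append("Audience")
    return problems

def extract_name_id(response_xml):
    """Return the NameID from the assertion Subject, or None if the IdP did not send one."""
    el = ET.fromstring(response_xml).find(".//saml:Subject/saml:NameID", NS)
    return el.text.strip() if el is not None and el.text else None

def resolve_user(idp_name, name_id):
    """Exact, case-sensitive lookup: 'jane.doe@...' does not match 'Jane.Doe@...'."""
    return USERS.get((idp_name, name_id))
```

An empty list from check_acs_bindings means the IdP was configured with the same ACS URL in all three places; a missing NameID shows up as None, which is the symptom described in the last note above.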
🔐 Certificate for Signed Requests
To ensure secure SAML communication, OnePACS supports signed authentication requests. The X.509 certificate used to sign these requests is available directly within the Identity Provider configuration page.
The Identity Providers grid displays two certificates. OnePACS automatically labels certificates based on their expiration dates. The Current Cert column displays the SAML signing certificate with the expiration date that is farthest in the future. The Deprecated Cert column displays the certificate with the nearest expiration date.
To copy the signed request certificate, navigate to Admin > Identity Providers. Hover over a certificate in the Current Cert or Deprecated Cert column to display the Copy button.
Click the Copy button to capture the certificate. Enter the certificate into the appropriate section of the IdP to validate incoming signed requests from OnePACS.
Important Note: Users attempting to log into OnePACS while an administrator is updating the SAML signing certificate may be unable to authenticate their credentials until the update is complete. Administrators are advised to work efficiently when updating certificates.
Rotate SAML Signing Certificates
Some radiology groups configure their Identity Provider (IdP) to use SAML signing certificates from OnePACS. OnePACS administrators for these radiology groups can rotate SAML certificates at will, with minimal disruption to user authentication and login.
When rotating SAML certificates to replace an old certificate with a new one, the old certificate needs to remain active for a period of time while IdP administrators update their systems with the new certificate. OnePACS administrators can control which SAML signing certificate each external IdP uses to sign SAML authentication requests. This enables certificate rotation with minimal disruption to user logins.
Important Note: Failure to rotate SAML signing certificates in a timely manner prevents all users from logging in. OnePACS refreshes SAML certificates 70 days prior to their expiration dates as a best practice. OnePACS administrators receive a cadence of reminder emails to ensure that they have completed rotation ahead of this deadline.
To configure a SAML signing certificate for an external IdP, navigate to Admin > Identity Providers. Select an IdP and click the Edit button.
The Identity Provider window displays. Select the desired certificate from the SAML Signing Certificate drop-down and click Save.
The Certificate Change Warning window displays. Click Yes to confirm the change.
🛠️ How It Works
Once SSO is configured for your account:
- Navigate to your OnePACS landing page (e.g., web.onepacs.com, my.onepacs.com).
- Optionally, use your organization's unique sign-in URL for direct login through your IdP. The URL is your sub-domain.onepacs.com/saml2/authenticate/<number> (the number comes from the end of your ACS URL once it's generated).
- Authenticate using your corporate credentials.
- Upon successful login, you are automatically redirected back to OnePACS.