Skip navigation
MedicinesComplete
Home Print Help PreferencesLog in
Printed from: MedicinesComplete, 2008 ed. London: Pharmaceutical Press. Electronic version, 2008.
Welcome
New visitors
Registered users

Single sign-on

Overview

MedicinesComplete Single Sign On (SSO) is intended to allow organisations to provide transparent access to MedicinesComplete content for their users. It allows users within an organisation to use their existing organisational accounts to access MedicinesComplete. It can be used when none of the following methods of authentication are suitable:

  • Authentication by client IP Address
  • Authentication using a separate username and password for each user
  • Authentication via Athens or via your home organisation (using Shibboleth)

Organisations wishing to use SSO must implement custom server side functionality that authenticates the user to MedicinesComplete.

Benefits of using SSO

  • Fixed IP addresses are not required.
  • Users can use their existing organisational accounts, and do not need MedicinesComplete specific login accounts.
  • User account administration remains under control of the organisation.
  • Individual users can still be identified (which is not possible when using client IP address based authentication). This allows improved usage reporting and finer grained accessed control.

How MedicinesComplete SSO works

  • A shared key will be supplied to the organisation when the account is first set up.
  • The user follows a link to MedicinesComplete, typically on an Intranet page.
  • This link is not directly to MedicinesComplete, but rather to a web application hosted on the organisation's server. This web application creates an encrypted token using a shared key, and then redirects the user to MedicinesComplete, passing the token as a URL query string parameter.
  • The MedicinesComplete web application decrypts the token, and sends a cookie to the user which allows the user uninterrupted access.
  • The encrypted token is encrypted using Blowfish and the shared key. The token contains a timestamp (allowing token expiry) and a unique identifier for the user.
  • After a period of inactivity, the user's cookie will expire. To re-authenticate the user, the MedicinesComplete web application redirects the user back to the organisation's SSO application. The application will re-check the user's credentials, and then redirect back to MedicinesComplete (this will generally be transparent to the user).

Implementation requirements

  • The organisation must have an existing method for authenticating users.
  • To use SSO, the organisation must implement a web application that has access to the user's login credentials (for example, via NTLM, sharing an intranet website login, or via internal intranet client IP address).
  • The organisation may use one of the CBCL reference implementations as a basis for their implementation. Reference implementations are currently available for ASP.NET and Java Servlet containers.
  • This web application must be accessible from a fixed URL (used to re-authenticate the user after cookie timeout on MedicinesComplete). Note: It is not required that this web application be available outside the SSO user's intranet.
  • The organisation must pass a unique identifier for the user to the MedicinesComplete server within the token. This allows improved user tracking, and finer-grained access control. Note: This identifier must NOT be a session identifier, i.e. the same user must use the same identifier each time the user logs in via SSO.

Full technical specification

Please contact support@cbcl.co.uk for further details.