SAML is transmitted between BenSelect and your server via secure HTTP POST. It may be used strictly for user authentication, or it may be used as an envelope for Selerix transmittal data. Selerix supports SAML v1.1 when SAML is used only for authentication. For security purposes, when applicant data is also included in the XML envelope, SAML v2.0 is required.
The diagram below illustrates the essential options that are available when using SAML to interface with BenSelect. Dotted lines indicate flow variations based on your specific implementation path:
The examples presented in this section assume you are using BenSelect only to capture enrollment data and not to manage post-enrollment data, which would require additional information in the outbound payload. Check with your case builder to see if enrollment business rules dictate additional data be included in the transmission.
Because your system is the SAML identification authority, and because you have registered a URL with Selerix that uniquely identifies you, we use Identity Provider-Initiated SSO for enrollment integrations. This means that we skip the AuthnRequest step that is required by Service Provider-Initiated SSO, and instead begin with the Response message step. Therefore, begin by sending BenSelect a SAML Response message XML to your unique BenSelect login URL.
Most of the time, the SAML message will also include a Selerix Data Transmittal stored as an XML attribute within the SAML message. The transmittal is an independent XML structure used to communicate applicant and enrollment data between you and BenSelect. You populate it with applicant data and send it to BenSelect to initiate an enrollment session, and BenSelect populates it with enrollment data and sends it to you when enrollment completes. The only time a data transmittal may not be required is when SAML is used to launch a BenSelect enrollment on a case with preloaded applicant data, and even then it may be used in subsequent steps.
If the SAML is recognized and the specified applicant is found in the system, BenSelect immediately redirects to the enrollment site and begins the enrollment process. If there is an issue with the SAML and BenSelect cannot verify the authenticity of the SAML message, the user remains at the login page.
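The flow in the preceding steps, as an added illustration that is not Selerix code and does not use the Selerix transmittal schema: one side builds an Identity Provider-Initiated SAML v1.1 Response (no AuthnRequest, so no InResponseTo), embeds a constructed transmittal as an assertion attribute, and wraps it for the Browser/POST profile; the other side performs the checks a receiver such as BenSelect applies before trusting the message (version, Recipient, issuer, validity window, audience). The login URL, issuer, attribute name and transmittal body are placeholders; XML digital signature creation and verification, which the page implies when it says BenSelect verifies authenticity, is assumed to happen outside this example.

```python
import base64
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed placeholders: the real unique login URL and your issuer value come from Selerix.
LOGIN_URL = "https://benselect.example/login/PARTNER-ID-PLACEHOLDER"
ISSUER = "https://idp.partner.example"
ATTR_NAME = "SelerixTransmittal"  # hypothetical attribute name, not the Selerix schema
TRANSMITTAL = "<Transmittal><Applicant><Id>APPLICANT-PLACEHOLDER</Id></Applicant></Transmittal>"
NOW = dt.datetime(2024, 1, 1, 12, 0, 0)  # fixed clock so the example is deterministic


def build_response(name_id, transmittal_xml, now, lifetime_s=300):
    """IdP-initiated SAML 1.1 Response: we start at the Response step, so there is no
    AuthnRequest to answer and therefore no InResponseTo attribute."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "MajorVersion": "1", "MinorVersion": "1",
        "ResponseID": "_" + uuid.uuid4().hex,
        "IssueInstant": now.strftime(TS),
        "Recipient": LOGIN_URL,
    })
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": "samlp:Success"})
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "MajorVersion": "1", "MinorVersion": "1",
        "AssertionID": "_" + uuid.uuid4().hex,
        "Issuer": ISSUER,
        "IssueInstant": now.strftime(TS),
    })
    # Short validity window plus an audience restriction limit replay and misuse elsewhere.
    cond = ET.SubElement(assertion, f"{{{SAML}}}Conditions", {
        "NotBefore": now.strftime(TS),
        "NotOnOrAfter": (now + dt.timedelta(seconds=lifetime_s)).strftime(TS),
    })
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestrictionCondition")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = LOGIN_URL
    authn = ET.SubElement(assertion, f"{{{SAML}}}AuthenticationStatement", {
        "AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:password",
        "AuthenticationInstant": now.strftime(TS),
    })
    ET.SubElement(ET.SubElement(authn, f"{{{SAML}}}Subject"),
                  f"{{{SAML}}}NameIdentifier").text = name_id
    # The transmittal rides inside the assertion as an attribute value (escaped XML text).
    attrs = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    ET.SubElement(ET.SubElement(attrs, f"{{{SAML}}}Subject"),
                  f"{{{SAML}}}NameIdentifier").text = name_id
    attr = ET.SubElement(attrs, f"{{{SAML}}}Attribute",
                         {"AttributeName": ATTR_NAME, "AttributeNamespace": ISSUER})
    ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = transmittal_xml
    # An enveloped XML-DSig signature would be added over the assertion here (assumed, omitted).
    return ET.tostring(resp, encoding="unicode")


def to_post_form(xml_text, target="enrollment"):
    """Browser/POST profile: the Response travels base64-encoded in the SAMLResponse form field."""
    return {"SAMLResponse": base64.b64encode(xml_text.encode()).decode(), "TARGET": target}


def from_post_form(form):
    return base64.b64decode(form["SAMLResponse"]).decode()


def validate_response(xml_text, now):
    """Receiver-side checks (after signature verification, assumed done elsewhere). Any failure
    raises, which corresponds to the user staying at the login page."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response" or \
            (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        raise ValueError("not a SAML 1.1 Response")
    if root.get("Recipient") != LOGIN_URL:
        raise ValueError("Recipient does not match this login URL")
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None or assertion.get("Issuer") != ISSUER:
        raise ValueError("assertion missing or from an unregistered issuer")
    cond = assertion.find(f"{{{SAML}}}Conditions")
    not_before = dt.datetime.strptime(cond.get("NotBefore"), TS)
    not_on_or_after = dt.datetime.strptime(cond.get("NotOnOrAfter"), TS)
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    if LOGIN_URL not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("assertion not intended for this audience")
    name_id = assertion.find(
        f"./{{{SAML}}}AuthenticationStatement/{{{SAML}}}Subject/{{{SAML}}}NameIdentifier").text
    transmittal = None
    for attr in assertion.iter(f"{{{SAML}}}Attribute"):
        if attr.get("AttributeName") == ATTR_NAME:
            transmittal = attr.find(f"{{{SAML}}}AttributeValue").text
    return name_id, transmittal


def round_trip(skew_s):
    """Build at NOW, receive skew_s seconds later; returns (name_id, transmittal) or raises."""
    form = to_post_form(build_response("applicant-123", TRANSMITTAL, NOW))
    return validate_response(from_post_form(form), NOW + dt.timedelta(seconds=skew_s))


if __name__ == "__main__":
    print(round_trip(10))
```

The receiver rejects a message replayed after the five-minute window or addressed to a different login URL, which is the behaviour the text describes when BenSelect cannot verify a message and leaves the user at the login page.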
BenSelect notifies your site when enrollment is complete by posting status to the URL you gave Selerix during the prerequisites phase, at which point your application may continue its own enrollment process. Because SAML v1.1 does not support data encryption, BenSelect, for security purposes, does not deliver enrollment data back to your site in real time when SAML v1.1 is used. Instead, you obtain the enrollment data using a Web Services (SOAP) query, or your company obtains the BenSelect enrollment data using Selerix reporting, which ensures enrollee data security.
Use the XML in this section as a template to interface with BenSelect using SAML v1.1. Populate the applicable information that appears in orange with your specific information and POST it to BenSelect to launch the integration. The Elemental Breakdown has annotations that describe the purpose of key SAML XML elements and attributes. Include only those elements and attributes that apply to your specific enrollment integration.