Selerix Developer Tools
SAML v2.0 Integration

SAML is transmitted between BenSelect and your server via secure HTTP POST.  It may be used strictly for user authentication, or it may be used as an envelope for Selerix transmittal data.  Selerix supports SAML v1.1 when SAML is used only for authentication.  For security purposes, when applicant data is also included in the XML envelope, SAML v2.0 is required.  This section covers SAML v2.0 enrollment integrations.

The diagram below illustrates the essential options that are available when using SAML to interface with BenSelect.  Dotted lines indicate flow variations based on your specific implementation path:

 

The examples presented here assume you are using BenSelect only to capture enrollment data and not to manage post-enrollment data, which would require additional information in the outbound payload.  Check with your case builder to see if enrollment business rules dictate additional data be included in the transmission.

 

Getting started

Because your system is the SAML identification authority, and because you have registered a URL with Selerix that uniquely identifies you, we use Identity Provider-Initiated SSO for enrollment integrations.  This means that we skip the AuthnRequest step that is required by Service Provider-Initiated SSO, and instead begin with the Response message step.  Therefore, begin by sending BenSelect a SAML Response message XML to your unique BenSelect login URL.

Most of the time, the SAML message will also include a Selerix Data Transmittal stored as an XML attribute within the SAML message.  The transmittal is an independent XML structure used to communicate applicant and enrollment data between you and BenSelect.  You populate it with applicant data and send it to BenSelect to initiate an enrollment session, and BenSelect populates it with enrollment data and sends it to you when enrollment completes.  The only time a data transmittal may not be required is when SAML is used to launch a BenSelect enrollment on a case with preloaded applicant data, and even then it may be used in subsequent steps.

If the SAML is recognized and the specified is found in the system, BenSelect immediately redirects to the enrollment site and begins the enrollment process.  If there is an issue with the SAML and BenSelect cannot verify the authenticity of the SAML message, the user remains at the login page.

 

After enrollment completes

BenSelect notifies your site when enrollment is complete by posting enrollment status to the URL you gave Selerix during the prerequisites phase.  If the enrollment completed successfully, the enrollment data will be included in the Transmittal attribute of the SAML v2.0 message in the form of a Selerix Data Transmittal.  At this point, you may continue the enrollment process in your application.
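The completion message arrives as an unsolicited POST with no AuthnRequest behind it, so the receiving endpoint has to establish freshness from the assertion itself. The following is an added example, not Selerix code, of the checks a receiver can run before reading the Transmittal attribute. It assumes the XML signature has already been verified by a vetted library, that the assertion carries a Conditions validity window, and that the transmittal is the escaped text of the AttributeValue; the sample message and the names `read_completion`, `seen_ids` and `SAMPLE` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
seen_ids = set()  # assumption: in production, a shared store with expiry

# Constructed sample message (not a real BenSelect payload); signature omitted.
SAMPLE = (
    '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">'
    '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0">'
    '<saml:Conditions NotBefore="2024-01-01T12:00:00Z"'
    ' NotOnOrAfter="2024-01-01T12:05:00Z"/>'
    '<saml:AttributeStatement><saml:Attribute Name="Transmittal">'
    '<saml:AttributeValue>&lt;Transmittal/&gt;</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement></saml:Assertion>'
    '</samlp:Response>' % (NS["samlp"], NS["saml"], SUCCESS)
).encode()

def ts(value):
    # xs:dateTime in UTC, e.g. 2024-01-01T12:00:00Z -> timezone-aware datetime
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def read_completion(xml_bytes, now):
    """Return the Transmittal attribute text or raise ValueError.
    Input must already have passed XML signature verification;
    `now` must be a timezone-aware datetime."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD not allowed")
    root = ET.fromstring(xml_bytes)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    cond = None if assertion is None else assertion.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("no validity window")
    if not ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter")):
        raise ValueError("outside validity window")
    # No AuthnRequest was sent, so there is no InResponseTo to match:
    # replay protection rests on remembering assertion IDs until they expire.
    if not assertion.get("ID") or assertion.get("ID") in seen_ids:
        raise ValueError("replayed assertion")
    seen_ids.add(assertion.get("ID"))
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "Transmittal":
            return attr.findtext("saml:AttributeValue", "", NS)
    raise ValueError("no Transmittal attribute")
```

In a real deployment, read the assertion element that the signature library reports as signed rather than the first one found in the document.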

 

Examples

Use this SAML v2.0 XML as a template to interface with BenSelect.  Populate the applicable information that appears in orange with your specific information and POST it to BenSelect to launch the integration.  The SAML v2.0 Elemental Breakdown adds annotations that describe the SAML XML elements and attributes.  Include only those sections that apply to your specific enrollment integration. 

 
