Set up SSO login to the Redox dashboard

Last updated: Oct 20, 2025

DEVELOPER

IMPLEMENTATION

HEALTH TECH VENDOR

We offer single sign-on (SSO) to the Redox dashboard using your own third-party identity provider (IdP). Redox serves as the service provider (SP) in your SSO flow.

SSO helps you control user access policies with a central resource for your organization.

Prerequisites

Your IdP must support a SAML protocol.
You must support a service provider (SP)-initiated login (i.e., login initiated from the Redox dashboard, not your IdP).
You must be assigned to an organization owner role in Redox to configure SSO. Learn about user roles.
SSO is an advanced feature and must be enabled in your Redox organization. Talk to your Technical Account Manager if it’s not enabled.
SSO is only for single Redox organization users. If your organization has users that are part of multiple Redox organizations, they must remove themselves or transfer access to a different Redox account before using SSO.
(Recommended) Test the SSO configuration with your IdP before enabling SSO in the Redox dashboard. For example, check if users can log in to the IdP as expected. This confirms that your system works with the IdP before adding Redox into the mix.
Test before enabling SSO
If you don’t test before enabling SSO, you risk getting locked out of your Redox organization.

Step 1: Configure SSO in the Redox dashboard

If you’re an organization owner, follow these steps to enable SSO.

Log in to the Redox dashboard.
In the bottom-left navigation menu, click your username to open the user menu.
From the user menu, select the Organization Profile option.
Organization Profile option of the user menu
By default, the Organization Info page displays. Click the Settings tab.
The SSO information displays. First, we provide the Redox authorization server values. Use the Connection name value and Audience restriction value in your IdP configuration.
Redox authorization server values
Next, the Identity provider configuration contains details about your IdP. Specific configuration details vary between IdPs, but the basic process is the same. Fill in the relevant fields:
- Name: Enter a human-readable name to represent your IdP.
- Domain name: This field automatically populates with the company domain and isn’t editable. The domain is where your organization’s users have an email account.
- Configuration mode: Select either the URL Import or Manual option.
  - URL import: Enter the public URL for your SAML metadata XML document. Redox pulls the entity ID and keys to validate the response from the IdP.
    IdP configuration - Import option
  - Manual: Provide the entity ID and keys yourself.
    - Signing certificate: Enter the public key that your IdP uses to sign requests. This should be an X.509 certificate encoded in PEM or CER format. Review the instructions for locating and downloading the certificate for your relevant IdP in the Step 2 section.
    - Sign-in URL: Enter the redirect URL for your users to log in to the IdP.
      IdP configuration - Manual option
Confirm the Attribute mapping. These fields populate automatically, but you should confirm them or adjust as needed.
IdP configuration - Attribute mapping
- User full name: The name of the SAML attribute that your IdP uses for a user’s full name.
- User email: The name of the SAML attribute that your IdP uses for a user’s email address.
Click the Save button.
When successfully saved, the Enabled for Organization toggle appears and is set to ON. To disable SSO later, toggle this option to OFF.
SSO enabled for your organization
Next, configure the SAML protocol. We provide instructions for some common IdPs in the Step 2 section.

Step 2: Configure SAML protocol in your IdP

We provide instructions to configure the SAML protocol for common IdPs.

Only SP-initiated logins

Remember that Redox only supports SSO via SP-initiated login, i.e., logging in from the Redox dashboard.

When a user tries to log in to the Redox dashboard, we redirect them to your IdP for authentication. After successful authentication, the user is directed back to the Redox dashboard.

We don’t support IdP-initiated login.

Where to find the Connection URL

You can find the Connection URL in the Redox dashboard. The value is specific to your Redox organization’s IdP configuration.

For Okta

Create a new app

Log in to your Okta admin dashboard.
Click the Applications tab, then the Integration network option.
On the Integration network page, click the Create a New App button.
The Create a new app integration page opens. Select the SAML 2.0 option, then click the Next button.
Okta: Create a new app integration page

General Settings

The General Settings opens.

Enter an App name for your SAML protocol, then click the Next button.
Okta: App general settings

SAML Settings

The SAML Settings opens.

Enter the following values:
1. Single sign on URL: The Redox auth URL (https://auth-v2.redoxengine.com/login/callback?connection=<CONNECTION_NAME>)
2. Audience URI: The intended audience of the SAML assertion (urn:auth0:redoxprod:<CONNECTION_NAME>). Copy and paste the Audience restriction value from the Redox dashboard (see step #5 in the Step 1 section).
  Okta: App SAML settings
Scroll down to the Attribute Statements settings and add the following statements.
1. Add a statement for the email address attribute:
  - Name: The attribute name (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)
  - Name format: The specified format for the name (Unspecified)
  - Value: The name value (user.email)
2. Add a statement for the name attribute:
  - Name: The attribute name (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name)
  - Name format: The specified format for the name (Unspecified)
  - Value: The name value (user.firstName+" "+user.lastName)
    Okta: SAML settings - Attribute statements
Once the SAML settings are populated, click the Next button.

Create an internal app

On the next page, select the I'm an Okta customer adding an internal app option.
Another set of options appears. Select the This is an internal app that we have created option, then click the Next button.
On the next page, click the Sign On tab.

Sign On option: URL import option in the Redox dashboard

If you chose Configuration mode - URL Import option in the Redox dashboard (step #6 in Step 1 section), complete the following steps in both Okta and the Redox dashboard.

In Okta:

In the SAML Signing Certificates section, your active signing certificate appears. Click the Actions drop-down menu, then click the View IDP metadata option.
Okta: View IdP metadata for URL import option
In the new tab, copy the metadata URL.

In the Redox dashboard, under the Organization Profile > Settings > Identity Provider Configuration section:

Paste the Okta metadata URL into the SAML metadata URL field.
Redox: IdP configuration - URL import option
Scroll down and click the Save button.

Sign On option: Manual option in the Redox dashboard

If you chose Configuration mode - Manual option in the Redox dashboard (step #6 in Step 1 section), complete these steps:

In Okta:

In the SAML Signing Certificates section, your active signing certificate appears. Click the Actions drop-down menu, then click the Download certificate option.
Okta: Download signing certificate to populate the Redox public key
Click the Actions drop-down menu, then click the View IdP metadata option.
A new tab opens. Copy the Identity Provider Single Sign-on URL to paste in the Redox dashboard.

In the Redox dashboard, under the Organization Profile > Settings > Identity Provider Configuration section:

Copy and paste the downloaded SAML Signing Certificate value as the public key in the Signing certificate field.
Paste the Identity Provider Single Sign-on URL in the Sign-in URL field.
Redox: IdP configuration - Manual option
Scroll down and click the Save button.

After completing all these sections, go back to the Okta admin dashboard to start assigning users to the Redox application.

For Microsoft Azure Active Directory

Log in to your Azure portal.
Navigate to the Azure Active Directory page.
The directory’s Overview page opens. On the navigation menu, click the Enterprise applications page.
All of your applications display on the page. Click the New application button.
The Browse Azure AD Gallery page opens. Click the Create your own application button.
A modal opens for your new application. Enter a human-readable name for the Redox dashboard application.
Then, select the Integrate any other application you don’t find in the gallery (Non-gallery) option.
Click the Create button.
Create your own Azure application
The enterprise application Overview page opens. Click the Set up single sign on option.
The Single sign on page opens. Click the SAML option.
The SAML-based Sign-on settings opens. For the Basic SAML Configuration option, click the Edit button.
Edit the SAML settings
The Basic SAML Configuration modal opens. Enter the SAML settings:
- Click the Add identifier link and replace the default identifier ID (entity ID) with the new identifier: urn:auth0:redoxprod:<CONNECTION_NAME>.
- Click the Add reply URL link and enter the Redox auth URL: https://auth-v2.redoxengine.com/login/callback?connection=<CONNECTION_NAME>.
- After both values are entered, click the Save button at the top.
  SAML settings
The modal closes. Back on the SAML-based Sign-on settings, click the Edit button for the Attributes & Claims option.
Edit the Attributes & Claims
The Redox dashboard currently requires claims for the user’s name and email address. Use the default SAML claims configured in the Azure active directory application, or modify them to meet your organization’s needs. The defaults are the following:
- Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
- Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name.
Back on the SAML-based Sign-on settings, locate the App Federation Metadata URL under the SAML Signing Certificate option.
If you chose Configuration mode - URL Import option in the Redox dashboard (step #6 in Step 1 section), copy the metadata URL and paste it into the SAML metadata URL field (under Redox Organization Profile > Settings > Identity Provider Configuration section).
Microsoft Azure: Copy the metadata URL
If you chose Configuration mode - Manual option in the Redox dashboard (step #6 in Step 1 section), complete these steps:
1. Copy and paste the Microsoft Azure Sign On URL value in the Sign-in URL field (under Redox Organization Profile > Settings > Identity Provider Configuration section).
2. Download the Microsoft Azure Certificate (Raw) and paste the value in the Signing Certificate field (under Redox Organization Profile > Settings > Identity Provider Configuration section).

Step 3: Log in to the Redox dashboard

Once SSO is successfully enabled in both the Redox dashboard and your IdP, all users must log in with SSO. Any previous Redox credentials will no longer work.

Navigate to the Redox dashboard.
Enter your email address in the login page.
You’re redirected to your IdP for authentication.
1. If successful, you’re redirected back to the Redox dashboard as a logged-in user.
2. If unsuccessful, refer to our troubleshooting tips.

How users are handled in your IdP

Any new user who successfully authenticates with your IdP is added to your Redox organization. User access can be revoked by your IdP at any time.

Existing users of your organization may not join another Redox organization.

FHIR® is a registered trademark of Health Level Seven International (HL7) and is used with the permission of HL7. Use of this trademark does not constitute an endorsement of products/services by HL7®.