Single Sign-on External (SSOe)
Overview
Single Sign-on External (SSOe) is an enterprise authentication solution for external users (Veterans, caregivers, etc.) to access VA.gov applications from outside the VA network.
SSOe provides federated single sign-on through integrated Credential Service Providers (CSPs), including Login.gov, ID.me, My HealtheVet, and DS Logon. VA.gov applications leveraging the SSOe service use the SAML integration pattern.
SSOe is operated by the VA Identity and Access Management (IAM) team, the same team that operates the Master Person Index (MPI). SSOe and MPI are independent systems that interact with each other.
Monitoring
The following dashboards are available to monitor SSOe performance:
Banners
If an SSOe maintenance window is defined, a maintenance banner will be displayed on the VA.gov sign-in modal. For unplanned downtime, a downtime notification will be displayed on the VA.gov sign-in modal.
Impact
When SSOe is unavailable, the Identity Platform team will enable Sign-in Service (SiS) for all authentication attempts. Details of this policy are documented on GitHub.
When MPI is unavailable, users can sign in and SSOe will provide a "CSP-only" payload to VA.gov with identity traits from the relevant CSP. During this time, users will only have access to minimal logged-in functionality.
Environments
| VA.gov environment | SSOe environment | SSOe URL | SSOe metadata URL |
|---|---|---|---|
| localhost (developers) | INT | | |
| dev | INT | | |
| staging | SQA | | |
| prod | prod | | |
Integration endpoints
VA.gov is integrated with SSOe via SAML. In SAML, all requests are mediated through the user's browser via redirects and hidden form POST requests, so at no point is there a direct network request from VA.gov to SSOe or vice versa. The endpoints to which requests are sent and at which responses are received are described in the required configuration section below.
VA.gov frontend code also uses a "keepalive" endpoint provided by SSOe. This endpoint is accessed via a browser fetch and accomplishes two things:

- Allows frontend code to detect whether an SSOe session is present.
- If a session is present, extends its duration so that session expiry stays in sync between VA.gov and SSOe.
Required configuration
VA.gov fills the role of a SAML "Service Provider" (SP), or application. It initiates SAML requests and receives responses after authentication completes.
The required SAML SP configuration is contained in the `saml_ssoe` block of vets-api `settings.yml`:

```yaml
saml_ssoe:
  idp_metadata_file: "/srv/vets-api/src/config/ssoe_idp_sqa_metadata_isam.xml"
  cert_path: "/srv/vets-api/secret/vagov-ssoe-saml-staging-cert.pem"
  key_path: "/srv/vets-api/secret/vagov-ssoe-saml-staging-key.pem"
  callback_url: "https://staging-api.va.gov/v1/sessions/callback"
  issuer: "https://ssoe-sp-staging.va.gov"
  logout_url: "https://sqa.eauth.va.gov/pkmslogout?filename=vagov-logout.html"
```

- `idp_metadata_file`: Path to SSOe's IdP metadata configuration. This is configured statically rather than fetched dynamically from the metadata URLs listed above; IAM announces metadata updates on their distribution list.
- `cert_path` / `key_path`: Paths to the signing/encryption keypair used to sign and encrypt/decrypt SAML requests and responses.
- `callback_url`: The URL to which SSOe sends SAML responses.
- `issuer`: The identifier for the VA.gov application; it appears as `entityID` in SAML requests.
- `logout_url`: The URL to which federated logout requests are sent. Note that this is a non-SAML logout mechanism.
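The settings above only name files and URLs; what the SP actually consumes from `idp_metadata_file` is the IdP's `entityID`, its SingleSignOnService endpoint and its signing certificate. The following Ruby script is an added example (not vets-api code) that loads a constructed copy of the `saml_ssoe` block, parses a constructed, minimal IdP metadata document with REXML, and runs the sanity checks a practitioner would want before deploying a metadata update: every required key is present, every URL is https, the IdP's `entityID` is not the SP's own `issuer`, and an SSO endpoint and signing certificate are present. The metadata `entityID`, SSO location and certificate bytes are placeholders, not real SSOe values.

```ruby
require 'yaml'
require 'rexml/document'
require 'uri'

# Constructed copy of the saml_ssoe block shown in this page. File paths are not opened here.
SAMPLE_SETTINGS = <<~YAML
  saml_ssoe:
    idp_metadata_file: "/srv/vets-api/src/config/ssoe_idp_sqa_metadata_isam.xml"
    cert_path: "/srv/vets-api/secret/vagov-ssoe-saml-staging-cert.pem"
    key_path: "/srv/vets-api/secret/vagov-ssoe-saml-staging-key.pem"
    callback_url: "https://staging-api.va.gov/v1/sessions/callback"
    issuer: "https://ssoe-sp-staging.va.gov"
    logout_url: "https://sqa.eauth.va.gov/pkmslogout?filename=vagov-logout.html"
YAML

# Constructed, minimal SAML 2.0 IdP metadata in the shape an SP consumes. The entityID,
# SSO location and certificate bytes are placeholders (the "cert" is a dummy byte string).
SAMPLE_IDP_METADATA = <<~XML
  <?xml version="1.0"?>
  <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
      entityID="https://idp.example.invalid/saml/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>#{['constructed-cert-bytes'].pack('m0')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.invalid/saml/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
XML

NS = { 'md' => 'urn:oasis:names:tc:SAML:2.0:metadata',
       'ds' => 'http://www.w3.org/2000/09/xmldsig#' }.freeze
REQUIRED_KEYS = %w[idp_metadata_file cert_path key_path callback_url issuer logout_url].freeze

# Returns the saml_ssoe hash from a settings.yml document.
def load_saml_settings(yaml_text)
  YAML.safe_load(yaml_text).fetch('saml_ssoe')
end

# Returns a list of problems with the SP settings (empty when they look sound).
def settings_problems(settings)
  problems = []
  missing = REQUIRED_KEYS - settings.keys
  problems << "missing keys: #{missing.join(', ')}" unless missing.empty?
  %w[callback_url issuer logout_url].each do |key|
    next unless settings.key?(key)
    uri = begin
      URI.parse(settings[key])
    rescue URI::InvalidURIError
      nil
    end
    problems << "#{key} must be an https URL" unless uri.is_a?(URI::HTTPS)
  end
  problems
end

# Extracts the pieces of IdP metadata an SP needs: entityID, SSO endpoint and signing cert (DER bytes).
def parse_idp_metadata(xml_text)
  doc = REXML::Document.new(xml_text)
  root = doc.root
  raise ArgumentError, 'not SAML metadata' unless root && root.name == 'EntityDescriptor' && root.namespace == NS['md']

  sso = REXML::XPath.first(doc, '//md:IDPSSODescriptor/md:SingleSignOnService', NS)
  cert = REXML::XPath.first(doc, "//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
  {
    entity_id: root.attributes['entityID'],
    sso_binding: sso && sso.attributes['Binding'],
    sso_url: sso && sso.attributes['Location'],
    signing_cert_der: cert && cert.text.strip.unpack1('m0') # strict base64 decode
  }
end

# Cross-checks settings against the parsed IdP metadata; returns the combined problem list.
def check_integration(settings, idp)
  problems = settings_problems(settings)
  problems << 'IdP entityID equals SP issuer' if idp[:entity_id] == settings['issuer']
  problems << 'IdP metadata has no SingleSignOnService' unless idp[:sso_url]
  problems << 'IdP SSO endpoint is not https' if idp[:sso_url] && !idp[:sso_url].start_with?('https://')
  problems << 'IdP metadata has no signing certificate' unless idp[:signing_cert_der]
  problems
end

if $PROGRAM_NAME == __FILE__
  settings = load_saml_settings(SAMPLE_SETTINGS)
  idp = parse_idp_metadata(SAMPLE_IDP_METADATA)
  puts "SP issuer: #{settings['issuer']}  IdP entityID: #{idp[:entity_id]}  SSO: #{idp[:sso_url]}"
  problems = check_integration(settings, idp)
  puts(problems.empty? ? 'integration config OK' : "problems: #{problems.join('; ')}")
end
```

In vets-api the real metadata file is the ISAM document referenced by `idp_metadata_file`; running a check like this in CI whenever IAM distributes a metadata update catches a swapped certificate or an endpoint that silently dropped to http before the change reaches staging.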
Contacts
On the VA.gov side, the SSOe integration is owned by the Identity Platform team. For assistance, reach out via the #identity-support Slack channel.
IAM team
| Role | Name |
|---|---|
| Senior Architect | Damien DeAntonio |
| Architect | Perry Vessels |
| IAM Project Manager | Jerry Wharton |
| IAM Dev Project Manager | Jeff Kindschuh |
Production support
IAM has a 24x7 on-call rotation for production SSOe issues.
If VA.gov teams notice issues on production servers and need IAM support, submit a ticket via ServiceNow. Email is not recommended for production support.
Non-production support
For non-production issues, use the JIRA service desk to request support from the IAM team. Email is also a viable path for inquiries about non-production environments.