Unified Sign in Page
The Unified Sign in Page (USiP) is a page on [VA.gov](http://VA.gov) that provides an extendable sign in experience for applications that are outside the scope of VA.gov but have a partnership with it. In practice this lets another application, such as My HealtheVet, redirect its users to VA.gov, authenticate them there, and receive them back on its own site in an authenticated state.
There are currently 5 external applications on the Unified Sign in Page, plus a default application that is used when none is specified. Each application has its own requirements and configuration to ensure users can sign into the respective site.
- My HealtheVet (MHV)
- My VA Health (Cerner)
- eBenefits
- VA OCC Mobile
- VA Flagship Mobile
- Default (Web)
Adding a new application requires that the requestor fill out a short questionnaire, which is used to generate a configuration for the application. The choice between OAuth and SAML, and the advantages and disadvantages of each, are outlined in the OAuth vs SAML page. The questionnaire asks for:
- Name of the application
- What endpoints should redirect to the service?
- Environment endpoints
- Query parameter requirements
- Are the endpoints/query parameter dynamic?
- Which Auth Broker do you require (SAML or OAuth)?
- Level of Assurance requirements (LOA1, LOA3, IAL1, IAL2)
- Service Providers allowed for Sign up (ID.me or Login.gov)?
- Service Providers allowed for Login (ID.me, Login.gov, DS Logon, MHV)?
- Web-based or mobile-based?
```js
// sample for SAML
[EXTERNAL_APPS.NAME_OF_APPLICATION]: {
  // credential service providers a user may sign in with
  allowedSignInProviders: {
    logingov: true,
    idme: true,
    dslogon: true,
    mhv: true
  },
  // credential service providers a user may create an account with
  allowedSignUpProviders: {
    logingov: true,
    idme: true,
  },
  queryParams: {
    allowPostLogin: true,
    allowOAuth: false
  },
  isMobile: false,
  OAuthAllowed: false,
  requiresVerification: false,
  // where the user is sent after authenticating; key must match the entry above
  externalRedirectUrl: EXTERNAL_REDIRECTS[EXTERNAL_APPS.NAME_OF_APPLICATION]
}
```
```js
// sample for OAuth
[EXTERNAL_APPS.NAME_OF_APPLICATION]: {
  allowedSignInProviders: {
    logingov: true,
    idme: true,
    dslogon: true,
    mhv: true
  },
  allowedSignUpProviders: {
    logingov: true,
    idme: true,
  },
  queryParams: {
    allowPostLogin: true,
    allowOAuth: true // the `oauth` query parameter is honored for this app
  },
  isMobile: false,
  OAuthAllowed: true, // enables OAuth
  requiresVerification: false,
  // where the user is sent after authenticating; key must match the entry above
  externalRedirectUrl: EXTERNAL_REDIRECTS[EXTERNAL_APPS.NAME_OF_APPLICATION]
}
```
The following steps break down what happens when an application uses the Unified Sign in Page to authenticate a user and redirect them back to the application. For this example we will use My HealtheVet (MHV).
- User navigates to the My HealtheVet website
- User clicks Sign In > Option 1: New VA sign in (recommended)
- User lands on the Unified Sign in Page (USiP) with `application` and `to` query parameters. Note that each application has different query parameters
- The USiP component reads the `application=mhv` query parameter and generates authentication routes based on the configuration for that application
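The flow described in these steps, together with the configuration shape shown in the SAML and OAuth samples above, as an added example in JavaScript. This is illustration code, not vets-website's own USiP component: the `EXTERNAL_APPS`, `EXTERNAL_REDIRECTS` and config objects mirror the samples, but the hostnames, the `/v1/sessions/<csp>/new` route path and the same-origin rule for the `to` parameter are assumptions. The security point it makes is that the `to` return URL arrives from the query string and must be checked against the application's configured `externalRedirectUrl` before it is echoed into an authentication route, otherwise the sign in page becomes an open redirect.

```javascript
// Added example (not vets-website code). Models how a USiP component can map
// the `application` query parameter onto a per-app configuration and validate
// the `to` return URL. Hostnames and route paths below are assumptions.

const EXTERNAL_APPS = { MHV: 'mhv', EBENEFITS: 'ebenefits', DEFAULT: 'web' };

// Constructed sample redirect targets (assumed, not real VA URLs).
const EXTERNAL_REDIRECTS = {
  [EXTERNAL_APPS.MHV]: 'https://mhv.example.gov/landing',
  [EXTERNAL_APPS.EBENEFITS]: 'https://ebenefits.example.gov/home',
  [EXTERNAL_APPS.DEFAULT]: 'https://www.va.gov/',
};

// Same shape as the SAML / OAuth samples on this page.
const EXTERNAL_APP_CONFIG = {
  [EXTERNAL_APPS.MHV]: {
    allowedSignInProviders: { logingov: true, idme: true, dslogon: true, mhv: true },
    allowedSignUpProviders: { logingov: true, idme: true },
    queryParams: { allowPostLogin: true, allowOAuth: false },
    isMobile: false,
    OAuthAllowed: false,
    requiresVerification: false,
    externalRedirectUrl: EXTERNAL_REDIRECTS[EXTERNAL_APPS.MHV],
  },
  [EXTERNAL_APPS.EBENEFITS]: {
    allowedSignInProviders: { logingov: true, idme: true, dslogon: true, mhv: false },
    allowedSignUpProviders: { logingov: true, idme: true },
    queryParams: { allowPostLogin: true, allowOAuth: true },
    isMobile: false,
    OAuthAllowed: true,
    requiresVerification: true, // assumed: LOA3 / IAL2 required
    externalRedirectUrl: EXTERNAL_REDIRECTS[EXTERNAL_APPS.EBENEFITS],
  },
  [EXTERNAL_APPS.DEFAULT]: {
    allowedSignInProviders: { logingov: true, idme: true, dslogon: true, mhv: true },
    allowedSignUpProviders: { logingov: true, idme: true },
    queryParams: { allowPostLogin: false, allowOAuth: false },
    isMobile: false,
    OAuthAllowed: false,
    requiresVerification: false,
    externalRedirectUrl: EXTERNAL_REDIRECTS[EXTERNAL_APPS.DEFAULT],
  },
};

// Step: read `application` and pick the matching config. Anything unknown
// (missing, misspelled, or a prototype key such as "__proto__") falls back to
// the default web application instead of throwing or leaking a lookup.
function resolveAppConfig(query) {
  const requested = query && query.application;
  const known = typeof requested === 'string' &&
    Object.prototype.hasOwnProperty.call(EXTERNAL_APP_CONFIG, requested);
  const app = known ? requested : EXTERNAL_APPS.DEFAULT;
  return { app, config: EXTERNAL_APP_CONFIG[app] };
}

// Step: validate `to`. Only a URL on the same origin as the application's
// configured externalRedirectUrl is accepted; absolute URLs to other hosts,
// protocol-relative `//evil` forms and non-http schemes all fall back to the
// configured landing page. (Same-origin rule is an assumed policy.)
function resolveReturnUrl(config, to) {
  const base = new URL(config.externalRedirectUrl);
  if (typeof to !== 'string' || to.length === 0) return base.href;
  let candidate;
  try {
    candidate = new URL(to, base); // relative paths resolve against base
  } catch (e) {
    return base.href;
  }
  if (candidate.origin !== base.origin) return base.href;
  return candidate.href;
}

// Step: generate one authentication route per allowed sign in provider.
// Route path is a hypothetical placeholder, not the real vets-api path.
function buildAuthRoutes(query) {
  const { app, config } = resolveAppConfig(query);
  const to = resolveReturnUrl(config, query && query.to);
  const csps = Object.keys(config.allowedSignInProviders)
    .filter((csp) => config.allowedSignInProviders[csp]);
  return csps.map((csp) => {
    const params = new URLSearchParams({ application: app, to });
    if (config.OAuthAllowed) params.set('oauth', 'true');
    return { csp, requiresVerification: config.requiresVerification,
             url: `/v1/sessions/${csp}/new?${params.toString()}` };
  });
}

module.exports = { EXTERNAL_APPS, EXTERNAL_APP_CONFIG, resolveAppConfig, resolveReturnUrl, buildAuthRoutes };
```

Note that `URLSearchParams` percent-encodes the `to` value, so the validated return URL survives the round trip through the route intact; the check happens before encoding, on the parsed origin rather than on a string prefix, which is what defeats `https://mhv.example.gov.evil.example` style tricks.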
Benefits of SAML
- Single Sign-On capabilities (authenticate on My HealtheVet or eBenefits and
Disadvantages of SAML
- More redirects/longer sign in experience
- A third party controls maintenance windows
Benefits of OAuth
- Fewer redirects
- Faster sign in experience for users
Disadvantages of OAuth
- No cross-domain session management