PT Direct: Enabling SSO (OIDC)

Single sign-on ("SSO") can be enabled inside your Physitrack Direct account, letting your practitioners authenticate using an OIDC-compatible authentication service, such as Azure AD, Okta, Auth0, and SURFconext (Netherlands).

This is a free feature. To enable SSO in your Physitrack Direct account, please contact your Physitrack representative.

Physitrack in the OIDC flow

To learn more about OIDC, view this video (1 hour, YouTube).

In the OIDC flow, Physitrack is a " Relying Party", as shown below.

1. Add Physitrack to your OIDC provider

  1. Access your OIDC provider's console
  2. Add Physitrack as an "application". The redirect URI is https://(instance_name).physitrack.com/process_sso
  3. You should receive a client id and client secret that you will need in the next step.

Physitrack uses the sub claim as the key to identify users between systems.

2. Configure OIDC inside your Physitrack Direct account

  1. Login to your Physitrack Direct account, either as account owner, or as a user with permissions to access the "Authentication" module.
  2. Go to Authentication and complete the form below. 
    Most of this information should be readily available from your OIDC provider. All fields are required.

    You should be able to retrieve this information from https://(domain.of.your.oidc.provider)/.well-known/openid-configuration
    You can use a JSON-formatting tool to more easily view the values.

    • Client id
      The id generated for this client (Physitrack is a client of the OIDC provider) by your OIDC provider.
    • Secret
      The secret generated for this client by your OIDC provider.
    • Issuer
      Domain of the token issuer. 
    • Authorization endpoint
      URL as provided by the OIDC provider.
    • Token endpoint
      URL as provided by the OIDC provider.
    • JWKS URI
      URL as provided by the OIDC provider.
    • Userinfo endpoint
      URL as provided by the OIDC provider.
    • Limit practitioner login to SSO only
      When enabled, practitioners in this Physitrack Direct account can login only through SSO, and not with the email + password combination.
      This means that practitioners will not be able to login to Physitrack for iOS.

3. Adding practitioners to your Physitrack Direct account

This is done independently from setting up OIDC.

Note that:

  • Before a practitioner can login with SSO, the practitioner's account needs to have been created (provisioned) in Physitrack. This can be done either manually or via an API.
    Our OIDC implementation does not allow for provisioning and de-provisioning of practitioner accounts. For larger practices, we offer an API to provision and de-provision practitioner accounts.
  • Each practitioner must have a unique email address inside Physitrack.
  • The email address of the practitioner inside Physitrack does not need to match the practitioner email inside the identity provision system (e.g. Azure AD or SURFconext).
  • When a practitioner has enabled SSO for their Physitrack account, they will receive an email with a one-time password to the email address that they are registered with on Physitrack. The practitioner will need to enter this password to activate the SSO connection.

4. Done. Practitioners can now login using SSO.

Practitioners in your Physitrack Direct account can now login from the Physitrack login page and click the "Single Sign On" button to authenticate via your OIDC provider.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Get in touch: Contact Physitrack Contact Physitrack