Contact Butterfly Support to set up your custom logon sub-domain.
- Example: https://myhospital.butterflynetwork.com
- Provide your preferred email address to Butterfly Support to grant you access as an Enterprise Administrator. Only an Enterprise Admin account can access the security configuration settings within Butterfly Cloud.
Log into Butterfly Cloud with your Enterprise Admin account.
- Your login page will be at your Butterfly Network Enterprise URL.
- Click your user initials in the top right of the window and select Enterprise Settings.
SSO is the first tab, which allows you to configure the Single Sign-On integration with your corporate Identity Provider (IdP) solution.
Service Provider Details for all IdP solutions
- SSO URL: https://sso.butterflynetinc.com/saml2/idpresponse
- Logout URL: https://sso.butterflynetinc.com/saml2/logout
- Entity ID (aka Audience): urn:amazon:cognito:sp:us-east-1_DPQCgPjWG
- NameID: the user's email address
- DomainUser.Email: the user's email address
- Signing certificate: http://manual.butterflynetwork.com/SSO-butterfly-public-cert.pem
- Examples of supported IdP solutions include: Okta, Imprivata, Microsoft ADFS
It is recommended to keep both Allowed Login Types enabled during the transition period to SSO authentication.
- Once you have successfully validated the SSO integration, you may disable the ability for users to log in with Butterfly Credentials.
- Service Provider Details - this information is static for your instance of Butterfly Enterprise. Please enter the provided information when configuring Butterfly Network as an SSO-enabled application in the configuration screen(s) of your Identity Provider’s (IdP) software.
At this point you should be ready to set up the ADFS connection with your Butterfly Enterprise Cloud. The connection between ADFS and Butterfly is defined using a Relying Party Trust (RPT).
Select the Relying Party Trusts folder from AD FS Management, and click Add Relying Party Trust... from the Actions sidebar. This starts the configuration wizard for a new trust.
- Leave Claims aware selected and click Start.
- In the Select Data Source screen, select the last option, Enter Data About the Party Manually.
- On the next screen, enter a Display name that you'll recognize in the future, and any notes you want to make.
- On the next screen, click Next. No encryption certificate is required.
- On the next screen, check the box labeled Enable Support for the SAML 2.0 WebSSO protocol. The service URL will be https://sso.butterflynetinc.com/saml2/idpresponse. Note that there's no trailing slash at the end of the URL.
- On the next screen, add a Relying party trust identifier of urn:amazon:cognito:sp:us-east-1_DPQCgPjWG
- You can configure any access policy you like; we will revisit this later when configuring logout.
- Review your configuration, then click Next.
- On the final screen use the Close button to exit and open the Claim Rules editor.
Once the relying party trust has been created, you can create the claim rules and update the RPT with minor changes that aren't set by the wizard. By default the claim rule editor opens once you have created the trust.
- To create a new rule, click on Add Rule. Create a Send LDAP Attributes as Claims rule.
On the next screen, using Active Directory as your attribute store, do the following:
- From the LDAP Attribute column, select E-Mail Addresses.
- From the Outgoing Claim Type, select E-Mail Address.
- Create a second claim. From the LDAP Attribute column, select E-Mail Addresses.
- In the Outgoing Claim Type, type DomainUser.Email.
- Click on Finish to save the new rule.
- Create another new rule by clicking Add Rule, this time selecting Transform an Incoming Claim as the template.
On the next screen:
- Select E-mail Address as the Incoming Claim Type.
- For Outgoing Claim Type, select Name ID.
- For Outgoing Name ID Format, select Email. Leave the rule at the default of Pass through all claim values.
- Finally, click Finish to create the claim rule, and then Apply to finish creating rules. Click OK to exit the rule wizard.
- To ensure that sessions are removed from both Butterfly and the IdP when a user logs out of Butterfly we will enforce that users provide credentials each time they log in. In the Access Control Policy that you configured in Adding a Relying Party Trust, verify that Require users to provide credentials each time at sign-in is checked.
Butterfly sends signed logout requests, so we will configure a certificate to verify those requests. In the Properties menu for the Relying Party Trust select the Signature tab.
- Click Add...
- Select the provided Butterfly verification certificate from the filesystem. You may have to change the file type selection dropdown to All files (*.*) - the certificate is in PEM format.
- Click Apply.
- Click OK.
Finally we will configure the logout endpoint to which Butterfly will send logout requests.
- In the Endpoints tab, click on Add SAML... to add a new endpoint.
- For the Endpoint type, select SAML Logout.
- For the Binding, choose POST.
- For the Trusted URL, enter: https://sso.butterflynetinc.com/saml2/logout
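The wizard steps above (trust, claim rules, credential prompt, signing certificate, logout endpoint) can also be applied with the ADFS PowerShell module. The script below is an added example, not Butterfly's or Microsoft's own code; it uses the Service Provider Details from this page, while the trust display name, the local path of the downloaded certificate and the "Permit everyone" access control policy (Windows Server 2016 or later) are assumptions you should adjust. It ends by reading the trust back and checking each setting against the values this page specifies.

```powershell
# Added example: configure the Butterfly Relying Party Trust from PowerShell.
# Run in an elevated session on the ADFS server. Trust name, certificate path and
# access control policy are assumptions; URLs and Entity ID come from this page.
Import-Module ADFS

$TrustName = 'Butterfly Cloud'                                    # assumed display name
$CertPath  = 'C:\ADFS\SSO-butterfly-public-cert.pem'               # assumed local copy of the Butterfly signing certificate
$EntityId  = 'urn:amazon:cognito:sp:us-east-1_DPQCgPjWG'
$AcsUrl    = 'https://sso.butterflynetinc.com/saml2/idpresponse'   # no trailing slash
$LogoutUrl = 'https://sso.butterflynetinc.com/saml2/logout'

# Rule 1 ("Send LDAP Attributes as Claims"): the AD mail attribute is issued twice,
# as the standard E-Mail Address claim and as the custom DomainUser.Email claim.
# Rule 2 ("Transform an Incoming Claim"): E-Mail Address becomes Name ID in the
# emailAddress format; the value is passed through unchanged.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Butterfly email claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "DomainUser.Email"), query = ";mail,mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Butterfly email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Load the PEM certificate and stop if it is outside its validity period: an expired
# verification certificate would make every signed logout request fail later.
$SigningCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$Now = Get-Date
if ($Now -lt $SigningCert.NotBefore -or $Now -gt $SigningCert.NotAfter) {
    throw "Butterfly signing certificate is outside its validity period (NotAfter: $($SigningCert.NotAfter))"
}

# Endpoints: SAML 2.0 WebSSO assertion consumer (POST) and SAML Logout (POST).
$Endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $LogoutUrl
)

Add-AdfsRelyingPartyTrust -Name $TrustName `
    -Identifier $EntityId `
    -SamlEndpoint $Endpoints `
    -IssuanceTransformRules $IssuanceRules `
    -AccessControlPolicyName 'Permit everyone' `
    -RequestSigningCertificate $SigningCert `
    -Notes 'Butterfly Cloud SSO - created by script'

# Equivalent of "Require users to provide credentials each time at sign-in", so a
# Butterfly logout does not leave a reusable ADFS session behind.
Set-AdfsRelyingPartyTrust -TargetName $TrustName -AlwaysRequireAuthentication $true

# Read the trust back and compare each setting with the values on this page.
$Trust  = Get-AdfsRelyingPartyTrust -Name $TrustName
$Checks = [ordered]@{
    'Entity ID present'       = $Trust.Identifier -contains $EntityId
    'ACS endpoint present'    = [bool]($Trust.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' -and $_.Location.AbsoluteUri -eq $AcsUrl })
    'Logout endpoint present' = [bool]($Trust.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLLogout' -and $_.Location.AbsoluteUri -eq $LogoutUrl })
    'Signing cert attached'   = ($Trust.RequestSigningCertificate | ForEach-Object Thumbprint) -contains $SigningCert.Thumbprint
    'Fresh auth each login'   = $Trust.AlwaysRequireAuthentication -eq $true
}
$Checks.GetEnumerator() | ForEach-Object { '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' }) }
```

On Windows Server 2012 R2, which has no access control policies, replace the -AccessControlPolicyName parameter with -IssuanceAuthorizationRules and a permit-all rule, and set the credential requirement through the trust's authentication settings instead. The final check list is the same verification the wizard steps leave to the eye: if any line reports MISSING, fix that item before testing the login and logout flow.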
- Go to your Butterfly Network subdomain address. E.g. https://myhospital.butterflynetwork.com
- Select the Login with Company Name Option (Blue Button).
- Ensure that you are taken to your corporate IdP login page.
- Log in with your corporate credentials - you should be automatically taken to Butterfly Cloud upon successful login.
- Log out of Butterfly Cloud - you should be taken back to the Butterfly Cloud login page.
- Open the Butterfly iQ App on your mobile device.
- At the login screen - tap the Enterprise User? Log in here option.
- On the following screen enter your Butterfly Network subdomain. (e.g. myhospital.butterflynetwork.com).
- Select the Login with Company Name Option (Blue Button). Note: If you have enabled MDM Shared Device Rapid Log In this step will be skipped.
- Ensure that you are taken to your corporate IdP (mobile) login page.
- Log in with your corporate credentials - you should be automatically taken to the Butterfly iQ App upon successful login.
- Log out of the Butterfly iQ App - you should be taken back to the corporate Butterfly iQ App login page.