SAML is used when special arrangements have been made with Selerix during the prerequisites phase to support Single Sign-On (SSO) authentication. It may be used strictly for authentication, or it may also carry Selerix data transmittal XML in a SAML Attribute. For security purposes, Selerix supports SAML v1.1 strictly for authentication, where the employee census is either preloaded on the case or transmitted via SOAP before the login SAML is posted to BenSelect. SAML v2.0 is required when employee data will also be included in the SAML XML. SAML messages are transmitted to BenSelect via HTTP POST over HTTPS.
The diagram below illustrates the essential SAML options that are available when interfacing with BenSelect. Dotted lines indicate flow variations based on your particular integration:
Because your system is the SAML identification authority (the identity provider) and you registered a URL with Selerix during the Prerequisite phase that uniquely identifies you, a typical SAML authentication request (AuthnRequest) is unnecessary. Instead, begin by posting a SAML Response XML to the unique login URL Selerix provides. If the SAML passes validation and the identified enrollee exists in the system, BenSelect begins the enrollment process. If the SAML fails validation — for example, BenSelect cannot verify the authenticity of the message — the user remains at the login page.
If an optional "keep alive" URL is defined within the SAML, a signal will be sent to this URL periodically to indicate the enrollment is still in progress and the connection should remain active. You also have the option of specifying either a plain return URL or a SAML return URL which BenSelect contacts when enrollment is complete. Use a plain notification URL if you will obtain enrollment data later, such as via BenSelect reporting. Use a SAML return URL to have BenSelect post the enrollment data as part of the notification.
For the purpose of this Quick Start, the sample XML below contains the minimal information required to launch a BenSelect enrollment using SAML. If greater detail is required, please refer to the SAML walkthrough that contains a more complete SAML XML example embellished with fascinating descriptions of each section of the SAML XML. Orange text indicates information that you supply and which therefore will differ from the example.
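<!-- Minimal IdP-initiated (unsolicited) SAML 2.0 Response that launches a BenSelect
     enrollment. The enrollee's census record travels inside a "Transmittal" attribute,
     which is why this example is a SAML 2.0 message (see the text above). IDs, timestamps,
     the NameID and everything inside the Transmittal are sample values that you replace. -->
<samlp:Response ID="dc7625f4-34b5-445b-80a8-fb82736958d5" Version="2.0"
                IssueInstant="2017-03-29T18:37:04Z"
                Destination="https://benselect.com/Enroll/Login.aspx?path=BES"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <!-- Kept on one line: the original wrapped the close tag onto the next line, which puts
       a trailing newline into the Issuer value and makes it differ from the Assertion's
       Issuer below. The two should be identical. -->
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">BenefitEnrollmentServices</saml:Issuer>
  <!-- Enveloped XML-DSig over the whole Response (the Reference URI is the Response ID),
       so the Assertion and the embedded Transmittal are all covered by this one signature.
       The sample uses rsa-sha1 / sha1, which are deprecated for new deployments; prefer the
       SHA-256 variants if Selerix accepts them. DigestValue and SignatureValue are
       illustrative only - any change to the message (including the fixes in this listing)
       requires recomputing them over the message actually sent. -->
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#dc7625f4-34b5-445b-80a8-fb82736958d5">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi"
                                 xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>HRwpFkr0fXsutvKjtccTTMgOfro=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>
Z3guGHKpnQqNDz+Gr5dB1MSiml6kA/XlUoVXGkfr4+Xl1xd5eEdNNciSWEE3cRUA7FhB9Vg96SVT2skskyB4PU
SLk3I50rnz8OMhfk+fZ789Iv2Z6dG9vXk40I/xAh9zHAOaEs01rZKJsvk/pkx2UjHI0531rAe17VnZeFg9CLE=
    </SignatureValue>
    <KeyInfo>
      <X509Data>
        <!-- Base64 DER signing certificate (redacted in this excerpt). The receiver is
             expected to verify against the certificate registered during the prerequisites
             phase rather than trusting whatever certificate arrives in KeyInfo. -->
        <X509Certificate>BASE64_SIGNING_CERTIFICATE_PLACEHOLDER</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <!-- The Assertion carries no signature of its own; its integrity rests on the Response
       signature above. Because this is an unsolicited Response there is no InResponseTo,
       so replay protection depends on the short validity window below and on the receiver
       remembering assertion IDs it has already accepted (confirm with Selerix). -->
  <saml:Assertion Version="2.0" ID="dafcd9b9-a583-4d71-bfba-e5f6d902b45b"
                  IssueInstant="2017-03-29T18:37:04Z"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>BenefitEnrollmentServices</saml:Issuer>
    <saml:Subject>
      <!-- Identifies the enrollee; it matches Applicant/@ID in the Transmittal below. -->
      <saml:NameID>010449</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <!-- Bearer confirmation: Recipient must equal the Response Destination, and the
             one-hour NotOnOrAfter limits how long a captured message stays usable. -->
        <saml:SubjectConfirmationData NotOnOrAfter="2017-03-29T19:37:04Z"
                                      Recipient="https://benselect.com/Enroll/Login.aspx?path=BES" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <!-- Validity window (UTC, one hour either side of IssueInstant) and the intended
         audience; a conforming receiver rejects the assertion outside this window or when
         it is not the named audience. -->
    <saml:Conditions NotBefore="2017-03-29T17:37:04Z" NotOnOrAfter="2017-03-29T19:37:04Z">
      <saml:AudienceRestriction>
        <saml:Audience>Selerix</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2017-03-29T18:37:04Z">
      <saml:AuthnContext>
        <!-- URI value kept free of surrounding whitespace (the original wrapped it). -->
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <!-- Selerix census data travels as an XML payload inside AttributeValue (SAML 2.0
           only). Fixes relative to the original listing: a space between the Name and
           NameFormat attributes, the stray </saml:AttributeValue> after the Attribute start
           tag removed, </Transmittal> written without spaces, and AttributeValue closed
           before Attribute. The embedded Transmittal is child markup, so it carries no
           XML declaration of its own: a <?xml ...?> declaration is only legal at the very
           start of a document and would make the whole Response non-well-formed. -->
      <saml:Attribute Name="Transmittal"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>
          <Transmittal xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <Applicants>
              <!-- Sample enrollee; every value is placeholder data. The assertion is signed
                   but not encrypted, so the SSN and contact details here are protected only
                   by the HTTPS transport. -->
              <Applicant ID="010449" EmployeeID="010449">
                <Address>
                  <Line1>8135 Brighton Early</Line1>
                  <City>McKinney</City>
                  <State>TX</State>
                  <Zip>75075</Zip>
                </Address>
                <PhoneHome>1231231234</PhoneHome>
                <Email>dotsmall@slavamail.com</Email>
                <SSN>123-12-1234</SSN>
                <FirstName>Dotty</FirstName>
                <LastName>Small</LastName>
                <Sex>Female</Sex>
                <Employment>
                  <HireDate>2017-01-10T00:00:00</HireDate>
                  <EligibilityDate>2017-04-01T00:00:00</EligibilityDate>
                  <Title>Tuba Player</Title>
                  <Department>Symphonics</Department>
                  <Location>Uptown Center</Location>
                  <PayGroup>Biweekly</PayGroup>
                  <Salary>76543.00</Salary>
                  <HoursPerWeek>40</HoursPerWeek>
                </Employment>
                <LegalStatus>Employee</LegalStatus>
                <Relationship>Employee</Relationship>
                <BirthDate>1982-03-30T00:00:00</BirthDate>
                <UserID>487662-89</UserID>
              </Applicant>
            </Applicants>
          </Transmittal>
        </saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>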