Unified Sign in Page

Alex Garcia edited this page Mar 21, 2023 · 1 revision

🧠 Introduction

The Unified Sign in Page is a page on [VA.gov](http://VA.gov) that provides an extendable sign in experience for applications that are outside the scope of VA.gov but have partnerships with it. This allows other applications, such as My HealtheVet, to redirect to VA.gov, use our website to authenticate, and then be redirected back to their own page in an authenticated state.

📱 Applications

There are currently 5 external applications (with a default application if not specified) on the Unified Sign in Page. Each application has specific requirements and configurations to ensure users can sign into the respective sites.

  • My HealtheVet (MHV)
  • My VA Health (Cerner)
  • eBenefits
  • VA OCC Mobile
  • VA Flagship Mobile
  • Default (Web)

Adding a new application requires that the requestor fill out a short questionnaire, which helps generate a configuration for the application in a relatively easy manner. There is a choice between OAuth and SAML; each has advantages and disadvantages, outlined in the OAuth vs SAML page.

🏄‍♂️ New Application Onboarding

  1. Name of the application
  2. What endpoints should redirect to the service?
    1. Environment endpoints
    2. Query parameter requirements
    3. Are the endpoints/query parameter dynamic?
  3. Which Auth Broker do you require (SAML or OAuth)?
  4. Level of Assurance requirements (LOA1, LOA3, IAL1, IAL2)
  5. Service Providers allowed for Sign up (ID.me or Login.gov)?
  6. Service Providers allowed for Login (ID.me, Login.gov, DS Logon, MHV)?
  7. Web-based or mobile-based?

Sample of SAML configuration (USiP)

// sample for SAML
[EXTERNAL_APPS.NAME_OF_APPLICATION]: {
  allowedSignInProviders: {
    logingov: true,
    idme: true,
    dslogon: true,
    mhv: true
  },
  allowedSignUpProviders: {
    logingov: true,
    idme: true,
  },
  queryParams: {
    allowPostLogin: true,
    allowOAuth: false
  },
  isMobile: false,
  OAuthAllowed: false,
  requiresVerification: false,
  externalRedirectUrl: EXTERNAL_REDIRECTS[EXTERNAL_APPS.NAME_OF_APPLICATION] // must use the same key as the config entry
}

Sample of OAuth configuration (USiP)

// sample for OAuth
[EXTERNAL_APPS.NAME_OF_APPLICATION]: {
  allowedSignInProviders: {
    logingov: true,
    idme: true,
    dslogon: true,
    mhv: true
  },
  allowedSignUpProviders: {
    logingov: true,
    idme: true,
  },
  queryParams: {
    allowPostLogin: true,
    allowOAuth: true
  },
  isMobile: false,
  OAuthAllowed: true, // enables OAuth
  requiresVerification: false,
  externalRedirectUrl: EXTERNAL_REDIRECTS[EXTERNAL_APPS.NAME_OF_APPLICATION] // must use the same key as the config entry
}

❓ How does it work

💡 TL/DR: External application redirects to our Unified Sign in Page (`/sign-in`) with specific query parameters that we parse in order to build the various authentication URLs

The following steps help to break down what happens when an application uses the Unified Sign in Page to authenticate and redirect back to the application. For this example we will be using My HealtheVet (MHV).

  1. User navigates to the My HealtheVet website
  2. User clicks Sign In > Option 1: New VA sign in (recommended)
  3. User lands on the Unified Sign in Page (USiP) with `application` and `to` query parameters.
    1. Note that each application has different query parameters
    2. The USiP component reads the `application=mhv` query parameter and generates authentication routes based on the configuration for that application
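The parsing step above, as an added example that is not vets-website code: it reads the USiP query string, picks the per-application config (same shape as the samples earlier on this page), and builds one sign-in route per allowed provider. The `EXTERNAL_APPS`/`EXTERNAL_REDIRECTS` values, the `to` parameter and the route paths are assumptions; the `to` value is only honoured when it stays on the application's configured origin, so the page cannot be used as an open redirect.

```javascript
// Added example (not vets-website code). EXTERNAL_APPS, EXTERNAL_REDIRECTS,
// the `to` parameter and the route paths are assumptions for illustration.
const EXTERNAL_APPS = { MHV: 'mhv', DEFAULT: 'default' };
const EXTERNAL_REDIRECTS = {
  [EXTERNAL_APPS.MHV]: 'https://mhv.example.test/home', // constructed sample URL
  [EXTERNAL_APPS.DEFAULT]: 'https://www.va.gov/',
};
// Same shape as the SAML sample above; DEFAULT is the OAuth flavour.
const APP_CONFIG = {
  [EXTERNAL_APPS.MHV]: {
    allowedSignInProviders: { logingov: true, idme: true, dslogon: true, mhv: true },
    OAuthAllowed: false,
    externalRedirectUrl: EXTERNAL_REDIRECTS[EXTERNAL_APPS.MHV],
  },
  [EXTERNAL_APPS.DEFAULT]: {
    allowedSignInProviders: { logingov: true, idme: true },
    OAuthAllowed: true,
    externalRedirectUrl: EXTERNAL_REDIRECTS[EXTERNAL_APPS.DEFAULT],
  },
};

// Pick the config for ?application=...; anything unknown gets the default.
function resolveApplication(search) {
  const params = new URLSearchParams(search);
  const name = params.get('application');
  const known = Object.prototype.hasOwnProperty.call(APP_CONFIG, name);
  const app = known ? name : EXTERNAL_APPS.DEFAULT;
  return { app, config: APP_CONFIG[app], params };
}

// Only honour a `to` value that resolves to the application's own origin;
// absolute, protocol-relative or malformed values fall back to the config.
function safeRedirect(config, to) {
  const base = new URL(config.externalRedirectUrl);
  try {
    const target = new URL(to ?? '', base);
    if (target.origin === base.origin) return target.href;
  } catch (e) { /* malformed `to`: use the configured redirect */ }
  return base.href;
}

function buildSignInRoutes(search) {
  const { app, config, params } = resolveApplication(search);
  const redirect = safeRedirect(config, params.get('to'));
  const routes = {};
  for (const [provider, allowed] of Object.entries(config.allowedSignInProviders)) {
    if (!allowed) continue; // provider disabled for this application
    routes[provider] = config.OAuthAllowed
      ? `/v0/sign_in/authorize?type=${provider}&application=${app}`
      : `/v1/sessions/${provider}/new?application=${app}&to=${encodeURIComponent(redirect)}`;
  }
  return { app, redirect, routes };
}
```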

SAML vs OAuth

Benefits of SAML

  • Single Sign-On capabilities (authenticate on My HealtheVet or eBenefits and

Disadvantages of SAML

  • More redirects/longer sign in experience
  • 3rd-party controls maintenance times

Benefits of OAuth

  • Less redirects
  • Faster sign in experience for users

Disadvantages of OAuth

  • No cross-domain session management