Authorizing Connect Application Access
Permissions Attribute
Authorization within Connect applications is determined entirely by the multi-valued permissions SAML attribute. Each value contains a single structured <Permission> XML block.
Attribute:

| Property | Value |
|---|---|
| Name | permissions |
| Format | Custom XML |
| Multiplicity | Multiple <AttributeValue> elements allowed |
| Required | Yes |
Example:

```xml
<saml:Attribute Name="permissions">
  <saml:AttributeValue>
    <Permission>
      <org_code>lcca</org_code>
      <access_type>FACILITY</access_type>
      <ccn>123456</ccn>
      <is_admin>true</is_admin>
      <activity_log_summary>true</activity_log_summary>
      <activity_log_details>true</activity_log_details>
      <restrict_alert_snooze>false</restrict_alert_snooze>
      <restrict_alert_resolution>false</restrict_alert_resolution>
      <cmi_connect_access>true</cmi_connect_access>
      <pdpm_connect_access>false</pdpm_connect_access>
      <rehab_connect_access>true</rehab_connect_access>
      <custom_connect_access>true</custom_connect_access>
      <quality_connect_access>true</quality_connect_access>
    </Permission>
  </saml:AttributeValue>
  <saml:AttributeValue>
    <Permission>
      <org_code>lcca</org_code>
      <access_type>SEGMENT</access_type>
      <region>Southwest</region>
      <is_admin>false</is_admin>
      <activity_log_summary>true</activity_log_summary>
      <activity_log_details>false</activity_log_details>
      <restrict_alert_snooze>true</restrict_alert_snooze>
      <restrict_alert_resolution>false</restrict_alert_resolution>
      <cmi_connect_access>false</cmi_connect_access>
      <pdpm_connect_access>true</pdpm_connect_access>
      <rehab_connect_access>false</rehab_connect_access>
      <custom_connect_access>false</custom_connect_access>
      <quality_connect_access>true</quality_connect_access>
    </Permission>
  </saml:AttributeValue>
</saml:Attribute>
```

Expected Fields Per <Permission>:
| Field | Type | Required | Notes |
|---|---|---|---|
| org_code | string | Yes | Organization code (e.g., lcca) |
| access_type | string | Yes | One of: FACILITY, SEGMENT, CORPORATION |
| ccn | string | Yes, if access_type = FACILITY | CMS Certification Number |
| region | string | Yes, if access_type = SEGMENT | Region name |
| is_admin | boolean | Yes | Whether the user is an admin for this context |
| activity_log_summary | boolean | Yes | Access to activity log summary |
| activity_log_details | boolean | Yes | Access to activity log details |
| restrict_alert_snooze | boolean | Yes | Whether snoozing alerts is restricted |
| restrict_alert_resolution | boolean | Yes | Whether resolving alerts is restricted |
| cmi_connect_access | boolean | Yes | Access to CMI Connect |
| pdpm_connect_access | boolean | Yes | Access to PDPM Connect |
| rehab_connect_access | boolean | Yes | Access to Rehab Connect |
| custom_connect_access | boolean | Yes | Access to Custom Connect |
| quality_connect_access | boolean | Yes | Access to Quality Connect |
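Because authorization rests entirely on this attribute, the service provider should validate it strictly and fail closed. The following Python is an added illustration, not part of this documentation or of the Connect code, that checks a permissions attribute against the field rules above: it rejects the whole attribute if any <Permission> block lacks a required field, carries an unknown access_type, is missing the ccn or region its access_type requires, or uses anything other than the literal strings true/false. It assumes the standard SAML 2.0 assertion namespace, that the assertion's signature has already been verified by the SAML library, and that CORPORATION needs no scope field (the table lists none).

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BOOL_FIELDS = ("is_admin", "activity_log_summary", "activity_log_details", "restrict_alert_snooze",
               "restrict_alert_resolution", "cmi_connect_access", "pdpm_connect_access",
               "rehab_connect_access", "custom_connect_access", "quality_connect_access")
SCOPE_FIELD = {"FACILITY": "ccn", "SEGMENT": "region", "CORPORATION": None}  # scope per access_type

class PermissionFormatError(ValueError):
    """A <Permission> block that violates the spec; the caller must treat it as no access."""

def _field(perm, name, boolean=False):
    node = perm.find(name)
    value = (node.text or "").strip() if node is not None else ""
    if not value:
        raise PermissionFormatError(f"missing required field <{name}>")
    if boolean and value not in ("true", "false"):  # literal booleans only, nothing is coerced
        raise PermissionFormatError(f"<{name}> must be true/false, got {value!r}")
    return value == "true" if boolean else value

def parse_permission(perm):
    """Validate one <Permission> element and return its fields as a dict."""
    entry = {"org_code": _field(perm, "org_code"), "access_type": _field(perm, "access_type")}
    if entry["access_type"] not in SCOPE_FIELD:
        raise PermissionFormatError(f"unknown access_type {entry['access_type']!r}")
    scope = SCOPE_FIELD[entry["access_type"]]
    if scope:  # ccn for FACILITY, region for SEGMENT; CORPORATION (assumed) needs neither
        entry[scope] = _field(perm, scope)
    entry.update((name, _field(perm, name, boolean=True)) for name in BOOL_FIELDS)
    return entry

def parse_permissions_attribute(attribute_xml):
    """Parse a signature-verified permissions attribute; one bad value rejects all of it."""
    attr = ET.fromstring(attribute_xml)
    if attr.get("Name") != "permissions":
        raise PermissionFormatError("not the permissions attribute")
    perms = [v.find("Permission") for v in attr.findall("saml:AttributeValue", SAML_NS)]
    if not perms or None in perms:
        raise PermissionFormatError("need one or more <AttributeValue>, each holding a <Permission>")
    return [parse_permission(perm) for perm in perms]

def _value(**fields):  # helper for the constructed sample below (mirrors the page's example)
    body = "".join(f"<{k}>{v}</{k}>" for k, v in fields.items())
    return f"<saml:AttributeValue><Permission>{body}</Permission></saml:AttributeValue>"

FLAGS = dict.fromkeys(BOOL_FIELDS[1:], "true")  # constructed sample; xmlns added so it parses alone
SAMPLE = ('<saml:Attribute Name="permissions" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
          + _value(org_code="lcca", access_type="FACILITY", ccn="123456", is_admin="true", **FLAGS)
          + _value(org_code="lcca", access_type="SEGMENT", region="Southwest", is_admin="false", **FLAGS)
          + "</saml:Attribute>")
```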
Final Integration Steps Checklist
Before going live, ensure:
- Metadata or endpoints and certs were provided and validated
- Correct SP ACS/metadata URLs used in IdP config
- User attributes (firstName, lastName, email) included
- permissions attribute correctly structured as XML
- Response signature and cert format match requirements