Add External Authentication to a portal


Must be running VETtrak version 18.3.0.x or higher.

This feature requires the Authentication provider Add-on.

It is important that an experienced IT resource is available to manage this process.

Feature Summary

The external authentication provider allows the Student Portal, Trainer Portal (18.3.x or higher) and Progress Portal (19.1.x or higher) to authenticate users with an external authentication provider.

As of 20.1, in addition to the existing Primary email address match, you may also match on an External System code or Client Code.  This requires the claim name from the external provider to be entered in the Authentication Provider wizard.  The default claim name for the primary email address is pre-populated.

The existing VETtrak username/password will continue to work alongside the external authentication option.  As of 19.1.1.x you may optionally switch off the use of the VETtrak credential through the VETtrak Security Manager, by toggling the relevant portal's authentication provider "Login with VETtrak credentials" to the "disabled" option.

Supported providers are:

The relevant portal will now display additional buttons above the username/password credentials section.  The user clicks the relevant provider (Google, ADFS or OpenId) to authenticate on the provider's external site.

There are many third party authentication providers.  If you are interested in one not presently listed above, express your interest with VETtrak support.

The email address has been selected for matching between the external authentication provider claim information and the VETtrak client record.  It is important to note that this matching needs to return a single client record.  If the same email address is recorded against two different client records, the match will not be unique and the external authentication will not work for those clients. Those clients may continue to use the existing VETtrak client username and password.
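The following added example (not VETtrak code) audits an exported client list for values that would make the claim-to-client match ambiguous or impossible, for any of the three match fields. The record layout, field names and the case-insensitive, whitespace-trimmed comparison are assumptions made for illustration; the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records; field names are hypothetical, not VETtrak's schema.
CLIENTS = [
    {"client_code": "C0001", "external_code": "EXT-17", "primary_email": "ana.ruiz@example.edu"},
    {"client_code": "C0002", "external_code": "EXT-18", "primary_email": "Ana.Ruiz@example.edu "},
    {"client_code": "C0003", "external_code": "", "primary_email": "li.wei@example.edu"},
    {"client_code": "C0004", "external_code": "EXT-20", "primary_email": ""},
]


def normalise(value):
    # Assumption: the comparison ignores case and surrounding whitespace.
    return (value or "").strip().casefold()


def build_index(clients, match_field):
    """Map each normalised match value to the client codes that carry it."""
    index = defaultdict(list)
    for client in clients:
        key = normalise(client.get(match_field))
        if key:
            index[key].append(client["client_code"])
    return index


def resolve(claim_value, index):
    """Return the one matching client code, or None if missing or not unique."""
    hits = index.get(normalise(claim_value), [])
    return hits[0] if len(hits) == 1 else None


def audit(clients, match_field):
    """Return (ambiguous values -> client codes, client codes with a blank field)."""
    index = build_index(clients, match_field)
    ambiguous = {value: codes for value, codes in index.items() if len(codes) > 1}
    blank = [c["client_code"] for c in clients if not normalise(c.get(match_field))]
    return ambiguous, blank


if __name__ == "__main__":
    for field in ("primary_email", "external_code", "client_code"):
        ambiguous, blank = audit(CLIENTS, field)
        print(f"{field}: ambiguous={ambiguous} blank={blank}")
```

Clients listed as ambiguous or blank cannot be matched through the external provider on that field until their records are corrected.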

It should also be noted that the portal will need to be served from IIS over a secure connection using HTTPS.  The third party providers will not authenticate to web sites operating on HTTP only.

NOTE: Logging out of the portal will NOT log out the user's device from the external provider.  It is the user's responsibility to log out of external authentication providers, which may make this feature unsuitable for multi-user devices such as a shared computer lab.


Authentication Provider Add-on

Your VETtrak registration will need to be updated with this Add-on feature.  Contact support for enabling it. The Add-on will be shown in the Security Manager under your VETtrak application node.

When enabled and your VETtrak software has the updated registration key, you will see a new Authentication providers node in the respective portal in the Security Manager.  The external provider configuration information will be recorded in the relevant portal node.

Authentication provider configuration


It is important that an experienced IT resource is available to manage this process.

Each of the providers needs to have the relevant portal application registered with its respective provider vendor.  This process will be unique to each provider, but generally involves visiting the relevant authentication provider's application registration portal. Details from the registration process will need to be placed into the relevant VETtrak Authentication providers portal node using the Security Manager.  Authentication provider links:

Microsoft OpenId configuration

Sign in to Microsoft's registration site and set up the registration.

Information you need:

    • Your portal location's web url address.
    • Your Authority address.  This may be the default url "".
    • On Microsoft Azure portal (
      - choose "Azure Active Directory" blade on the left menu.
      - then choose "App registrations"

    • Use the "New registration"  button in the content window
    • Name your portal application and put the portal's root address in the redirect URI.  This needs to be an HTTPS address.

    • Take note of the Application Id which will be unique to the registered portal.  This is needed for the external authentication node configuration.

    • View the API permissions and ensure your application has access to the Microsoft graph.  This is likely the default setting.

    • Click on the Authentication option under Manage section and enable the "ID tokens" tick box and then click "Save".

    • After saving the application registration, open your VETtrak desktop software.
    • In VETtrak copy in the new Application Id and construct your Authority URL.

    • Once the portal has this information you will need to restart the portal's application pool in IIS for the external provider to be operable.
    • The portal logon will now show the provider(s) on the logon screen above the existing username/password entry boxes.

    • When a portal user clicks on the external provider, they will be prompted on the first occasion, from the third party provider, to grant permission for the portal application to access the profile/claim information.

    • You will then be prompted to sign in to the external provider or if you already have an active logon to the provider you will see the following screen.

Google Authentication

  1. Navigate to the Google apis website, sign in with your Google account credentials, click Create Project, provide a Project name, then click Create.
  2. Once the project is created, select it. From the project dashboard, click Go to APIs overview.
  3. Select Enable APIs and services. Search for Cloud Identity API, and select it. Then click Enable.
  4. In the left navigation, under Credentials > OAuth consent screen, enter an Application Name and an optional Application logo, then select your Support email address, enter the Authorized domains, the Application Homepage link and the optional policy and terms, and click Save.

  5. In the Credentials tab, click Create credentials > OAuth client ID.
  6. On the "Create client ID" screen, select Web application.
  7. Paste the App Service URL you copied earlier into Authorized JavaScript Origins, then paste your redirect URI into Authorized Redirect URI. The redirect URI is the URL of your application appended with the path, /signin-google. For example, Make sure that you are using the HTTPS scheme. Then click Create.

  8. On the next screen, make a note of the values of the client ID and client secret.

    The client secret is an important security credential. Do not share this secret with anyone or distribute it within a client application.
  9. Enter these details on the relevant Application - Authentication providers node in the VETtrak Security Manager:

Active Directory Federated Services

The portal requires four pieces of information to be set up in VETtrak software (Security Manager -> Application/Role management -> <portal name> -> Authentication providers):

  • Metadata Address eg. where is your own ADFS server FQDN.
  • Wtrealm eg. (this needs to match exactly with your "Relying party identifiers", see ADFS step 1 below)
  • Identify logging-in users using this client field.   Select either:
    • Primary email address
    • External system code
    • Client code
  • Claim name. Claim name URI of the returned set of claims for the external provider.


Setting up on your ADFS will require a relying party trust configured to the portal:

  1. Identifiers:

  2. Endpoints:

  3. Issuance transform rules:
    The only claim necessary is the user's email address. This must map back to a client's primary email address in VETtrak's database.
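As an added example (not part of the original article or of VETtrak), the checks below cover three settings this page says must be exact: the HTTPS requirement, the Google redirect URI formed from the application URL plus /signin-google, and the Wtrealm matching a relying party identifier exactly. The function names and sample hostnames are hypothetical.

```python
from urllib.parse import urlsplit


def check_https(url, label):
    """Providers will not authenticate to sites served over plain HTTP."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        return [f"{label}: must be an absolute HTTPS URL, got {url!r}"]
    return []


def check_google(portal_url, redirect_uri):
    """Redirect URI must be the application URL with /signin-google appended."""
    problems = check_https(portal_url, "portal URL")
    problems += check_https(redirect_uri, "redirect URI")
    expected = portal_url.rstrip("/") + "/signin-google"
    if redirect_uri != expected:
        problems.append(f"redirect URI should be {expected!r}, got {redirect_uri!r}")
    return problems


def check_adfs(wtrealm, relying_party_identifiers):
    """Wtrealm must equal one relying party identifier character for character."""
    if wtrealm in relying_party_identifiers:
        return []
    problems = [f"Wtrealm {wtrealm!r} is not an exact relying party identifier"]
    for ident in relying_party_identifiers:
        # Report the usual causes of a mismatch: letter case or a trailing slash.
        if ident.rstrip("/").lower() == wtrealm.rstrip("/").lower():
            problems.append(f"near miss: differs from {ident!r} only by case or trailing slash")
    return problems


if __name__ == "__main__":
    # Constructed sample values.
    portal = "https://portal.example.edu/student"
    print(check_google(portal, portal + "/signin-google"))
    print(check_adfs(portal + "/", [portal]))
```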
