PerfectMind SSO Implementation

PerfectMind is versatile membership management software designed to help organizations of all sizes engage with their communities. It enables the seamless management of individual and family accounts, making tracking memberships, interactions, and shared resources easier.

• Contacts: Contacts represent leads, members, customers, or former members within PerfectMind. Each contact profile stores essential details, including membership type, expiration date, last interaction, attendance history, etc.

• Accounts: PerfectMind allows multiple contacts to be grouped under a single account, such as a Family Account. This feature enables families to create a shared login, manage financial resources collectively, earn and redeem cash rewards, and view all member details from a unified profile page.

Please refer to the PerfectMind Portal documentation for more information.

Use Cases

Here are some key use cases of integrating LoginRadius with PerfectMind:

• Seamless User Authentication Across Platforms: Users can log in once via LoginRadius and gain automatic access to their PerfectMind account without needing separate credentials.

• Automatic User Account Creation & Mapping: If a user logs in through LoginRadius but does not have a corresponding account in PerfectMind, the integration automatically creates one with pre-mapped data fields. This ensures a frictionless onboarding experience for new users without manual account setup.

• Centralized User Management & Security: LoginRadius serves as the central identity provider, enforcing authentication policies such as MFA, social login, or passwordless authentication before granting access to PerfectMind. This ensures compliance with security best practices while maintaining a smooth user experience.

How PerfectMind Works with LoginRadius

Integrating PerfectMind with LoginRadius enables seamless single sign-on (SSO). After authentication, users are redirected to their PerfectMind profile, activity booking, or any other portal page. This ensures a smooth and secure login experience across both platforms.

How It Works(At LoginRadius)

1. User Authentication: The user logs into LoginRadius using their preferred authentication method. Upon successful login, an access token is issued.

2. SSO API Call: The LoginRadius PerfectMind SSO API is called, and the access token and other required details are passed along.

3. SSO Login URL Retrieval: A PerfectMind SSO Login URL is returned in response to the API call.

4. User Redirection: The user is redirected to the received PerfectMind SSO Login URL, granting them access to their account within PerfectMind without requiring an additional login.

How It Works(At PerfectMind)

1. User Lookup: The LoginRadius PerfectMind SSO API makes a server-side call to PerfectMind’s APIs to check if a contact exists with the user’s email from LoginRadius.

2. Account & Contact Creation (If Needed):

   1. If no matching contact is found, LoginRadius creates a new account in PerfectMind with the mapped data points from the Admin Console.
   2. A new contact is then created using the user’s email and linked to the newly created account.

3. Session Creation: The LoginRadius PerfectMind SSO API establishes a session in PerfectMind.

4. SSO Login URL Retrieval: The PerfectMind SSO Login URL is generated and returned, enabling seamless redirection for the user.

Configuration

This guide provides a step-by-step process for integrating LoginRadius with the PerfectMind platform. The integration leverages LoginRadius's JavaScript interfaces and the LoginRadius PerfectMind SSO API to enable seamless authentication.

Admin Console Configuration

Follow the below-mentioned steps to configure PerfectMind in your LoginRadius Admin Console:

1. Log in to Admin Console and navigate to Integration > SSO Integration

2. Click “Add SSO Integration” and select the PerfectMind tile from the screen.

3. You must complete the “Add New PerfectMind” Form to set up your PerfectMind store. Please have a look at the explanation below for all the fields.

   1. Store Name: Retrieve this value from the Store URL for perfecmind. Ensure the Store Name meets the following validation rules:

      • Only the underscore (_) and hyphen (-) are allowed as special characters.
      • The name must start with a letter.
      • Only alphanumeric characters are permitted.
      • No spaces are allowed.
      • The length must be between 1 and 60 characters.
      • All entries are automatically converted to lowercase, even if entered in uppercase.

   2. API Endpoint: This is your organization's PerfectMind-hosted URL, which is used for API calls such as creating/updating records and managing login sessions. Example: https://companyname.perfectmind.com

   3. Access Credetials: Authentication details are required to connect and interact with the PerfectMind API securely.

      • Access Key: Access Key obtained from PerfectMind.
      • Client Number: Client Number obtained from PerfectMind.
      • Location ID: A PerfectMind GUID is the default location when calling APIs.
      • Profile ID: A PerfectMind GUID that determines the membership type.
      • Organization ID: A static value required for account creation.

   4. Field Mapping: Map the fields that should be passed into PerfectMind. Use the LoginRadius Admin Console to configure field mappings in the PerfectMind SSO settings.

   Required fields for LoginRadius-PerfectMind SSO:

   • Account_Name → FullName
   • Contact_Email → Email[0].Value
   • Contact_LastName → LastName
   • Contact_FirstName → FirstName

   To map additional fields, use the following prefixes:

   • Account fields: Prefix with Account_
   • Contact fields: Prefix with Contact_

4. Once you have entered all the required fields, click the save button to save all your configurations.

Integration

By default, when a consumer logs in through the hosted authentication page (https://sitename.hub.loginradius.com/auth.aspx), they are redirected to the profile page (https://sitename.hub.loginradius.com/profile.aspx).

To redirect users to the PerfectMind application after login, configure the authentication flow to include a predefined query parameter (e.g., loginflow=PMCMS). You can then customize the hosted pages codebase to detect this parameter and redirect users to the PerfectMind SSO Login URL.

Follow the steps below to implement this in the hosted pages. For further customization, refer to the Hosted Pages Customizations.

Customer is not Logged In (Auth Pages)

Follow the below-mentioned steps if Customer is not logged in already:

A user comes to the PerfectMind site to log in. Redirect the user from PerfectMind to the following LoginRadius Hosted auth page with a predefined query parameter, e.g., loginflow=PMCMS (you can choose any name for the query parameter):
https://sitename.hub.loginradius.com/auth.aspx?loginflow=PMCMS

(You will need to work with the PerfectMind Team to perform this action).

Add the following code to the before.js file in the Authentication Pages part in the Hosted Pages section of the Admin Console:

lr_raas_settings.login.success = function(response, flag) {
  if (response.Profile && queryString.loginflow && queryString.loginflow == "PMCMS") {
    var method = "GET";
    var url = "https://cloud-api.loginradius.com/sso/perfectmind/session";
    $.ajax({
      type: method,
      url: url,
      data: {
        "apikey": raasoption.apiKey,
        "access_token": LRObject.sessionData.getToken(),
        "perfectMindSiteName": "<DoS PerfectMindapp name from Admin Console>"
      },
      contentType: "application/x-www-form-urlencoded",
      dataType: "json",
      success: function(resultData) {
        console.log(resultData);
        // Code to handle on success
        window.location.href = resultData.URL;
      },
      error: function(response) {
        // Code to handle on error
        console.log(response);
      }
    });
  } else if (response.access_token) {
    redirectToReturnUrl(response.access_token);
  } else {
    // Additional handling for other cases
  }
};

Key Actions Performed by the Code Snippet:

• Detects the query parameter (loginflow=PMCMS).
• Retrieves the authentication token and makes an AJAX call to the LoginRadius PerfectMind SSO API.
• Handles the API response by redirecting the user to the PerfectMind SSO Login URL, ensuring an authenticated session and seamless login to the PerfectMind site.

Customer is Already Logged In (Profile Pages)

Follow the below-mentioned steps if the Customer is already Logged in:

A user comes to the PerfectMind site to log in. Redirect the user from PerfectMind to the following LoginRadius Hosted auth page with a predefined query parameter, e.g., loginflow=PMCMS (you can choose any name for the query parameter):
https://sitename.hub.loginradius.com/auth.aspx?loginflow=PMCMS

(You will need to work with the PerfectMind Team to perform this action).

The consumer will automatically be redirected to the https://sitename.hub.loginradius.com/profile.aspx page from the LoginRadius server-side IDX code.

Add the following code in before.js in the Profile Pages section of the Hosted Pages section of the Admin Console to redirect the user to the PerfectMind URL after they are redirected to the profile page:

let referrerURL = new URL(document.referrer);
// Query parameters
var queryString = LRObject.util.parseQueryString(referrerURL.search.replace('?', ''));
// Fetch token from Cookies
var access_token = LRObject.documentCookies.getItem('lr-session-token');
if (access_token && queryString.loginflow && queryString.loginflow == 'PMCMS') {
  $.ajax({
    type: 'GET',
    url: 'https://cloud-api.loginradius.com/sso/perfectmind/session',
    data: {
      apikey: raasoption.apiKey,
      access_token: access_token,
      perfectMindSiteName: '<DoS PerfectMindapp name from Admin Console>',
    },
    contentType: 'application/x-www-form-urlencoded',
    dataType: 'json',
    success: function (resultData) {
      console.log(resultData);
      // Code to handle on success
      window.location.href = resultData.URL;
    },
    error: function (response) {
      // Code to handle on error
      console.log(response);
    },
  });
}

Key Actions Performed by the Code Snippet:

• Extracts the query string from the document referrer.
• Retrieves the authentication token and calls the LoginRadius PerfectMind SSO API to obtain the PerfectMind Login URL.
• Redirects the user to the PerfectMind Login URL, ensuring seamless access.

PerfectMind and LoginRadius Actions

When integrating LoginRadius with PerfectMind, you may need to implement additional functionalities to ensure a seamless user experience. This section covers key actions, including:

• Single Logout - This feature ensures that when users log out of PerfectMind, they are also logged out of the hosted pages, resulting in a unified session management experience.

• Contact ID Management – When creating a new account, a Contact ID is generated in PerfectMind. This ID can be stored in LoginRadius for easy reference and user mapping.

• Address Synchronization – Details on syncing user address data from LoginRadius to PerfectMind, ensuring platform consistency.

Single Logout

To ensure a seamless logout experience, when a customer logs out from the PerfectMind site, they should also be logged out of the LoginRadius-hosted pages. Follow these steps to implement the single logout workflow:

Redirect on Logout:
When a user logs out of PerfectMind, configure the PerfectMind site to redirect them to:
https://sitename.hub.loginradius.com/auth.aspx?action=logout&return_url=<returnURL>
This request will invalidate the user’s session in LoginRadius and then redirect them to the specified return URL.

Configure the Return URL:
In the LoginRadius Admin Console, navigate to Settings > Configured Domains under the General Tab and add the return_url to ensure proper redirection after logout.
This setup ensures that users are logged out across both platforms, maintaining a consistent authentication flow.

Contact ID Management

The LoginRadius PerfectMind SSO API creates a corresponding contact in the PerfectMind site. This ContactID can be stored under the ExternalIds field in the LoginRadius user profile.

The ExternalIds field is an array of objects, each containing:

• Source – Identifies the external system (e.g., PerfectMind).
• SourceId – Stores the corresponding Contact ID from PerfectMind.

Example Structure:

"ExternalIds": [
  {
    "Source": "PerfectMind",
    "SourceId": "contactId" // Contact ID from the PerfectMind store
  }
]

For more details, refer to the LoginRadius Data Point documentation.

Address Synchronization

This workflow consists of two key parts:

1. Collecting Address Information During Registration
LoginRadius provides an Addresses field (an array of objects) with subfields such as Type, Address1, Address2, City, State, PostalCode, Region, and Country. This allows you to store customer address details, with the Type field used to flag residence status.

Recommended Flow:

• After the user logs in via LoginRadius, check if their profile contains an address.
• If the address is missing, display a form to collect it (this can be added to auth.aspx in the Hosted Pages section of the Admin Console).
• Once the user submits the form, validate their address by calling an external Residence Status API.
• Based on the API response, update the Type field in the address object.
• Use the LoginRadius Profile Update API to store the updated address in the user's profile.
• Finally, redirect the user to PerfectMind.

Code Example: Redirecting Users After Login:

 lr_raas_settings.login.success = function(response, flag) {
   if (response.Profile && queryString.loginflow && queryString.loginflow == "PMCMS") {
     var method = "GET";
     var url = "https://cloud-api.loginradius.com/sso/perfectmind/session";
     $.ajax({
       type: method,
       url: url,
       data: {
         "apikey": raasoption.apiKey,
         "access_token": LRObject.sessionData.getToken(),
         "perfectMindSiteName": "test"
       },
       contentType: "application/x-www-form-urlencoded",
       dataType: "json",
       success: function(resultData) {
         // Validate if address data is available
         // Call residence API to update the "Type" field
         // Update LoginRadius profile with the address details
         // Redirect user to PerfectMind SSO Login URL
         window.location.href = resultData.URL;
       },
       error: function(response) {
         let message = "Login Failed. Please try again.";
         if (response.responseJSON && response.responseJSON.ProviderErrorResponse) {
           message = response.responseJSON.ProviderErrorResponse;
         }
         setMessage(message, true);
         console.log(response);
       }
     });
   }
 };

2. Syncing Data from LoginRadius to PerfectMind

Option 1: Cloud Connector (Recommended for Seamless Syncing)

• LoginRadius Cloud Connector automatically synapses mapped data (e.g., Address, Residency Flag) from LoginRadius to PerfectMind whenever a profile is updated.
• LoginRadius configures this integration and requires no custom development.
• It includes logging, retry mechanisms, business logic, and data formatting to ensure reliable syncing.
• See Cloud Connectors documentation for more details.

Option 2: Webhook (For Custom Integrations)

• Webhooks allow you to subscribe to events such as Profile Update.
• Whenever a user updates their profile on LoginRadius, a webhook triggers an HTTP POST request to a configured URL.
• You can capture the user’s updated address and call PerfectMind APIs to sync the data in real time.
• See Webhook documentation for more details.

Best Practices

Here are a few best practices that you can follow while integrating PerfectMind with LoginRadius for a smoother user experience:

• Ensure Proper Field Validation: Follow the Store Name validation rules to prevent errors.

• Use Consistent Naming Conventions: Always map Account and Contact fields using the correct prefixes (Account_ and Contact_) to ensure seamless data synchronization. Also, maintain consistent case formatting, as all store names are converted to lowercase automatically.

• Secure API Credentials: Securely store the Access Key, Client Number, and Organization ID and do not expose them in front-end applications.

• Perform Thorough Testing: Validate that new user accounts are correctly created and mapped in PerfectMind. Also test redirection flows to ensure seamless authentication from LoginRadius to PerfectMind.

• Implement Logging & Monitoring: Enable API logs and error tracking to detect and troubleshoot integration issues.

FAQ’s

How can a consumer access their account if a staff member creates it in PerfectMind?

The consumer must register on LoginRadius using the same email address. Once registered, they can use the LoginRadius PerfectMind SSO workflow to log in to their existing PerfectMind account.

If an account is deleted in LoginRadius, will it also be removed from PerfectMind (or vice versa)?

No. LoginRadius and PerfectMind manage accounts separately. Deleting an account in one system does not automatically delete it in the other.

How can a staff member update a consumer’s password in PerfectMind?

Since LoginRadius handles authentication, staff members cannot update passwords directly in PerfectMind. They can:

• Use the LoginRadius Admin Console to reset the password.
• Call the LoginRadius Set Password API from the PerfectMind application.

Why does a user’s age appear as 0 in PerfectMind after signing up in LoginRadius?

PerfectMind automatically calculates age based on the Date of Birth (DOB) field. Ensure that:

• The Age field is not mapped in LoginRadius.
• Instead, map the DOB correctly:
  • Key: Contact_Birthdate
  • Value: Birth Date
• Store DOB in the format mm/dd/yyyy in LoginRadius before syncing.

Related Resources

• LoginRadius Documentation: Custom IDPs
• SAML 2.0 Overview