Stream: smart
Topic: EHR Launch without requiring an EHR user to login again
Sagar Shah (Sep 23 2020 at 18:16):
For an existing EHR application, after a user logs in and wants to open up an integrated 3rd party App (SMART on FHIR), the only parameters the EHR needs to pass to the App are launch and iss. What's the best practice to avoid requiring the user to log in again on the auth server?
As I understand, launch is meant for the patient context and not meant for the currently logged-in user session, which is already authenticated on the existing EHR system.
Any suggestions are appreciated!
Jenni Syed (Sep 23 2020 at 18:27):
Our system reuses the existing session if it launches from the chart (or if the system in question has an identity provider that supports SSOi sessions)
Jenni Syed (Sep 23 2020 at 18:29):
so the auth server only re-prompts for authentication if there isn't a session (iOS can make this fun) - or if there's a regulatory/security reason that we need to prompt for auth
Sagar Shah (Sep 23 2020 at 18:42):
Appreciate your inputs, Jenni! In our case, it's even more tricky, as certain EHR applications are written in VB.NET (desktop applications) and some are written in Spring (Java web applications), and they all have different user management. We have the OAuth server (implemented & hosted in AWS), which needs to federate the user provider to both these EHR systems (desktop and web). But if they are logged into the EHR, then somehow the user should not be required to log in again on the Auth Server.
Jenni Syed (Sep 23 2020 at 18:49):
We have similar scenarios, but have ways to hook into the local desktop session. Our OAuth server and identity provider are separate
Jenni Syed (Sep 23 2020 at 18:50):
so our identities are always federated in some way
Jenni Syed (Sep 23 2020 at 18:50):
How you handle this is outside of the specifications :)
Jenni Syed (Sep 23 2020 at 18:50):
(unless you use a different spec, like SAML, for federation... )
Sagar Shah (Sep 23 2020 at 20:10):
We too have the OAuth server and identity provider as separate, and we plan to federate the identity provider during login using OAuth on the authorization server. It may work fine for the web application, as that will involve sign-in from the browser, which will tie the authorization session from the OAuth server. But not sure about the VB.NET application as that's a desktop application.
Last updated: Apr 12 2022 at 19:14 UTC