Single Sign On for Standalone Apps and Patient Portal


Harpreet Gill

Nov 27, 2019, 1:58:01 PM
to Cerner FHIR Developers
Hello,

Our organization is working towards developing a standalone app which authenticates with the Authorize endpoint provided by the FHIR server.

We followed the tutorial for getting started with standalone apps and were able to get an app working using patient portal credentials. We currently authenticate against our CERT domain.

One of the requirements for us is to provide SSO ability to our users. 

In our workflow, users will access our app after opening their patient portal (XXXXX.stagingiqhealth.com/ - CERT) inbox.
In this situation, the expectation is that our app provides SSO. In other words, it should work without asking for user credentials again, because users have already authenticated to the patient portal in the same browser session.

This is where we got stuck. I tried to look at conversations in this group regarding SSO but I didn't find the answer I was looking for.

We follow the steps mentioned in the tutorial to launch our app with the iss parameter. FHIR client js takes over the remaining authorization workflow.

Currently, if we try to access our app (in the same browser session, in another tab) after logging in to the patient portal, we get redirected to the authorize endpoint and the Authorization Server asks for user credentials again.

On the other hand, if we launch our app first and go through the authorization process, then launch the patient portal, the patient portal is able to get the required token/session information from the authorize endpoint without having to ask for portal credentials again.

The Patient Portal and our app get redirected to the same Authorization Server (https://sandboxcernerhealth.com/oauth/authenticate). So we are wondering if there is something we are missing in our authorization workflow, or if SSO is not available with the Patient Portal?

App Registration Details:

App Type: patient
FHIR Spec: dstu2 - "https://fhir-myrecord.sandboxcerner.com/dstu2/XXXXX"
Authorized: true

Standard Scopes:
launch
profile
openid
online_access
launch/patient

Patient Scopes:
patient/Encounter.read
patient/Observation.read
patient/Patient.read


Thanks,
Harpreet

Matt Randall (Cerner)

Jan 13, 2020, 11:10:31 AM
to Cerner FHIR Developers
Cerner does have a feature for organizations developing their own applications (those provided directly by the organization or by another entity with a business associate agreement) to be used with the portal that allows such applications to essentially "skip" the consent interaction (the consent interaction requires the user to reauthenticate even if they are already SSOed at the portal/identity provider). This feature, however, does not reliably work with iframes; the presumption would be that your application is being loaded in a first-level browsing context.

I've reached out to the developer app registration team about whether they have the ability to manually flip this flag for your testing.


Shriniket Sarkar (Cerner)

Jan 13, 2020, 11:21:28 AM
to Cerner FHIR Developers
Hello Harpreet,
Can you provide the Client ID for your application so we can try to enable this functionality for you?
Thanks,
Shriniket


Dhanya joy

Jan 13, 2021, 1:26:49 PM
to Cerner FHIR Developers
Were you successful in getting this working ("skip the SSO when launching app from patient portal")?