Active Directory domain and username


Brian Nantz

May 7, 2019, 7:33:54 PM
to Cerner FHIR Developers
Is it possible in Cerner's SMART on FHIR launch to receive additional information either in the claims or the access token?  I'm looking for the username and domain name from Active Directory for our system to automatically authenticate and authorize the user if they don't already exist in the system.

Michele Mottini

May 7, 2019, 7:49:48 PM
to Cerner FHIR Developers
Yes, you can use OpenID - specify scopes 'openid' and 'profile' and you get back an extra id_token with the details about the user (see https://openid.net/specs/openid-connect-core-1_0.html)

  - Michele  
  CareEvolution Inc

Mark Butler

May 8, 2019, 3:15:34 PM
to Cerner FHIR Developers
Michele,

Are the scopes the basic ones you set when registering the app?

Mark B.

Michele Mottini

May 8, 2019, 5:05:36 PM
to Cerner FHIR Developers
> Are the scopes the basic ones you set when registering the app?

Those are the scopes the app CAN use, but the app has to request them during authentication to actually produce any effect

  - Michele
  CareEvolution Inc

Brian Nantz

Jul 22, 2019, 12:19:57 PM
to Cerner FHIR Developers
Thank you for your help!  I am able to successfully launch our app from Cerner using SMART on FHIR.  I set scope='launch openid profile'; the spec is a little vague on whether this is legal or not. http://www.hl7.org/fhir/smart-app-launch/scopes-and-launch-context/index.html has a table that makes it seem that launch and openid are mutually exclusive, but Cerner seems to take it fine.  However, when I decrypt the id_token it does not contain the Active Directory domain and username.  Is this a setting on the Cerner side to include this, or is this something I have to request or negotiate somehow?

Jenni Syed (Cerner)

Jul 22, 2019, 1:36:27 PM
to Cerner FHIR Developers
Hi Brian,

When we federate identities, there is no AD assumption/requirement. The id_token contains the unique subject information as well as the link to the unique resource in FHIR that represents that user, which is the main requirement of the specification.

Can you describe why you're needing the AD info, or how the app would behave if AD is not the identity being federated?

Regards,
Jenni
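An added example, not code from the thread or from Cerner: it builds the EHR launch request with the scope string discussed above and checks the id_token claims that OpenID Connect and SMART do define (iss, aud, exp, nonce, sub and the fhirUser link to the user's FHIR resource). Endpoint URLs, client id and the sample token are constructed placeholders, and signature verification against the issuer's JWKS is assumed to happen before the claim checks.

```python
import base64
import json
import time
from urllib.parse import urlencode

def build_authorize_url(auth_endpoint, client_id, redirect_uri, launch, iss, state, nonce):
    """EHR launch request combining the SMART 'launch' scope with the OpenID scopes."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "launch openid profile",  # the scope string discussed in the thread
        "launch": launch,  # opaque launch id handed to the app by the EHR
        "aud": iss,  # FHIR server the access token is meant for
        "state": state,  # ties the callback to this request (CSRF protection)
        "nonce": nonce,  # must be echoed back inside the id_token
    }
    return f"{auth_endpoint}?{urlencode(params)}"

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_id_token(token):
    """Split a JWT into header and payload WITHOUT verifying the signature; verify the
    RS256 signature against the issuer's JWKS (e.g. with a JOSE library) before use."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))

def validate_id_token_claims(payload, expected_iss, client_id, expected_nonce, now=None):
    """OpenID Connect Core 3.1.3.7 checks; returns the identity the token carries."""
    now = time.time() if now is None else now
    if payload.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    aud = payload.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("id_token was not issued to this client")
    if now >= payload.get("exp", 0):
        raise ValueError("id_token expired")
    if payload.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    # 'sub' is the stable subject id; 'fhirUser' links to the user's FHIR resource.
    # Neither SMART nor OIDC defines an AD domain/username claim, so none is returned.
    return {"sub": payload["sub"], "fhirUser": payload.get("fhirUser")}

# Constructed sample id_token with a dummy signature so the block runs offline.
SAMPLE_ID_TOKEN = ".".join(
    base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode() for p in (
        {"alg": "RS256"},
        {"iss": "https://auth.example.test/oauth2", "aud": "example-client", "exp": 2_000_000_000,
         "nonce": "nonce-123", "sub": "practitioner-42",
         "fhirUser": "https://fhir.example.test/r4/Practitioner/42"},
    )) + ".dummy-signature"
```

Any mapping from `sub` or `fhirUser` to a local account has to live in the app itself, since the token carries no directory identity.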

Brian Nantz

Jul 22, 2019, 2:03:19 PM
to Cerner FHIR Developers
Thanks for the quick response!  For our product, we want to simplify the administration and UX when integrating with Cerner.  Our users are willing to make AD a prerequisite for using the SMART on FHIR launch if they do not have to manually administer users and they don't have to log in each time the app is launched.  I realize this goes a bit beyond what the specification requires, but it is an enhancement they are asking for, both for an improved UX and for compliance as to which users viewed/changed what patient data.

If the federated identity is from AD then our application can look up group membership and automatically provision the user and grant the correct authorization role in our system.

If the identity federated is not from AD, then the administrator for our application will have to manually provision the user in our system.  Then, depending on how the administrator configures the system, the user will have to log in each time the app is launched, or the user will log in once and the token is cached for a period of time.