Thanks for the quick response! For our product, we want to simplify the administration and UX when integrating with Cerner. Our users are willing to make AD a prerequisite for using the SMART on FHIR launch if they do not have to manually administer users and they don't have to log in each time the app is launched. I realize this goes a bit beyond what the specification requires, but it is an enhancement they are asking for, both for an improved UX and for compliance as to which users viewed/changed what patient data.
If the federated identity is from AD then our application can look up group membership and automatically provision the user and grant the correct authorization role in our system.
If the federated identity is not from AD, then the administrator for our application will have to manually provision the user in our system. Then, depending on how the administrator configures the system, the user will have to log in each time the app is launched, or the user will log in once and the token is cached for a period of time.
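The provisioning logic described in this reply, as an added example that is not code from the original poster or their product: an AD-issued identity is auto-provisioned from its group membership, anything else is flagged for manual provisioning, and a separate check applies the admin's "log in every launch" versus "cache the session" setting. The issuer URL, the `groups` claim format, the group-to-role table and the sample claims are all constructed assumptions, not values from the thread.

```python
"""Added example, not from the original post: provisioning decision for a user
arriving through a SMART on FHIR launch with a federated (OIDC-style) identity.

Assumptions (all hypothetical): the identity is a dict of already-validated ID-token
claims carrying `iss`, `sub` and, for AD-issued tokens, a `groups` claim; AD_ISSUER
and GROUP_TO_ROLE are placeholder configuration values for this example.
"""
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Placeholder configuration: which issuer is "our" AD, and which AD groups map to
# which application roles. First matching entry wins, so list the most privileged
# group first and never fall back to a default role.
AD_ISSUER = "https://login.example-hospital.invalid/adfs"  # constructed placeholder
GROUP_TO_ROLE: List[Tuple[str, str]] = [
    ("CN=FHIR-Admins,OU=Groups,DC=example,DC=invalid", "admin"),
    ("CN=Clinicians,OU=Groups,DC=example,DC=invalid", "clinician"),
    ("CN=Front-Desk,OU=Groups,DC=example,DC=invalid", "readonly"),
]


@dataclass
class ProvisioningDecision:
    user_id: str
    source: str              # "ad" or "other"
    role: Optional[str]      # application role granted, or None
    auto_provisioned: bool
    reason: str


def decide_provisioning(claims: dict) -> ProvisioningDecision:
    """Auto-provision AD identities from group membership; flag all others for
    manual provisioning by the application administrator."""
    sub = claims.get("sub")
    if not sub:
        raise ValueError("ID token has no subject (sub) claim")
    issuer = claims.get("iss")
    if issuer != AD_ISSUER:
        # Not our AD: the admin must create the user and assign a role by hand.
        return ProvisioningDecision(sub, "other", None, False,
                                    f"issuer {issuer!r} is not the configured AD")
    groups = set(claims.get("groups", []))
    for group_dn, role in GROUP_TO_ROLE:
        if group_dn in groups:
            return ProvisioningDecision(sub, "ad", role, True, f"member of {group_dn}")
    # AD identity with no mapped group: do not silently grant a default role.
    return ProvisioningDecision(sub, "ad", None, False, "no mapped AD group")


def login_required(cached_session_expires_at: Optional[float], now: float,
                   login_each_launch: bool) -> bool:
    """Apply the admin's policy: either prompt on every launch, or reuse a cached
    session until its expiry time (a Unix timestamp) has passed."""
    if login_each_launch or cached_session_expires_at is None:
        return True
    return now >= cached_session_expires_at


# Constructed sample claims for demonstration (not real tokens or users).
SAMPLE_AD_CLAIMS = {
    "iss": AD_ISSUER,
    "sub": "jdoe",
    "groups": ["CN=Clinicians,OU=Groups,DC=example,DC=invalid"],
}
SAMPLE_OTHER_CLAIMS = {
    "iss": "https://idp.other-vendor.invalid",
    "sub": "external-user-42",
}

if __name__ == "__main__":
    for claims in (SAMPLE_AD_CLAIMS, SAMPLE_OTHER_CLAIMS):
        print(decide_provisioning(claims))
    # Session cached for one hour, policy allows reuse: no prompt at t+600s
    print(login_required(cached_session_expires_at=1000.0 + 3600, now=1000.0 + 600,
                         login_each_launch=False))
```

The audit requirement mentioned in the post (which users viewed or changed patient data) is served by persisting each `ProvisioningDecision` together with the launch context, since the `reason` field records why a role was granted or withheld.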