
UDAP Client app testing - Technical requirements


Arul Britto

Aug 13, 2024, 11:12:51 AM
to UDAP
Team,
As part of the UDAP Client app testing process, one of the technical requirements says:

 If candidate is supporting UDAP federated identity, the Tiered OAuth tests must also be completed using the UDAP Test Tool.

But in the UDAP Test tool, we do not see the Test case for the same.

Please clarify

Thanks
Britto

II.B. 1. - [MANDATORY] (G) Candidate must participate in Dynamic Registration and Authentication as validated by the UDAP Test Tool, including reporting of passing results as defined by such program to indicate readiness within the FHIR ecosystem. Prior to submitting this completed self-assessment, candidate must provide a recent (within 90 days) passing technical report for each applicable test from UDAP.org. If candidate is supporting UDAP federated identity, the Tiered OAuth tests must also be completed using the UDAP Test Tool.

UDAP

Aug 13, 2024, 12:02:04 PM
to UDAP
Hi Britto,

The UDAP Test Tool relies on screenshots taken as implementers cross test with each other to demonstrate successful authentication using UDAP Tiered OAuth. The EMR Direct identity server can be used as one such counter party. You can find the endpoint and test user credentials on the Identity Services tab of this spreadsheet:


Since you state your system is a Client app, it sounds like you will also need a counter party server to include in the testing. You can include the EMR Direct server from the Servers tab (at the same link above) when testing your client. You'll be able to take screenshots or a short video of progress from your app to 1) the "ABC Hospital System" page showing your app's details as trusted and the linked option to use existing credentials (if you dynamically register successfully and pass the IdP hint correctly as per the UDAP Tiered OAuth profile), and then 2) the user sign-in page at the "Health Insurance, Inc." Identity Service.

Here is a video that will help you know what to look for, but starting with the HealthToGo app instead of your Client app:


At the 5 stars level, showing successful server validation within your client app would also be something to capture in a screen shot. 

Presumably you have already captured screenshots showing successful completion of 4 star capabilities? That would be another prerequisite to the 5 star capabilities.

EMR Direct also monitors this forum and will respond to questions posted here about questions specific to testing UDAP Tiered OAuth at their connectathon servers. You may find answers to testing UDAP Tiered OAuth in other threads within this forum.

Thank you,
The UDAP Team

Ariella Darlington

Aug 13, 2024, 7:51:05 PM
to UDAP

What is the contact information or forum where I can speak with others re: UDAP federated identity partners?

Julie Maas

Aug 14, 2024, 8:30:11 AM
to udap-d...@googlegroups.com
Ariella,
You can write to this forum or to colla...@udap.org.

Arul Britto

Aug 22, 2024, 10:41:00 AM
to udap-d...@googlegroups.com
Thanks, Team, for the response. It helps.

We have one more question on the below. Please clarify the UDAP Green Lock part.

The Commission is looking for evidence that client applications at the 5 STARS level validate trust using UDAP Server Metadata before directing the user to, or making a token request at, the server’s OAuth server. This includes both FHIR servers and Identity Providers. 

Clients should display the UDAP Green Lock to indicate trust with the server before proceeding, e.g. on the page where the user selects the FHIR server or Identity Provider, or in an interstitial page that is displayed before directing the user to the OAuth sign in page, and such that a user or app (in the case of client credentials grant) may only proceed with authentication to an untrusted server after actively acknowledging that the server is not trusted, or as may be permitted by local policy.

 For example, a client application’s use of a directory of trusted FHIR endpoints or Identity Services that are continuously validated by an authoritative source may be used to meet this requirement.

Thanks
Britto


UDAP

Aug 22, 2024, 12:48:26 PM
to UDAP
Hi Britto,

Thank you for your message. 

Please see the current version of the UDAP Branding Guidelines, attached. This includes information about how to obtain the art itself, once you are successfully testing a capability in which display of the green lock is required and is then also permitted by the branding guidelines.

Let us know what additional questions you have, if additional clarification is needed.

UDAP Branding Guidelines 1.19.pdf