IdP Federation

Delegate clinician authentication to your hospital's existing identity provider. No separate password store. Clinicians log in with their existing hospital credentials.

Activate

# In .env
SPRING_PROFILES_ACTIVE=prod,idp
IDP_CLIENT_ID=your-client-id
IDP_CLIENT_SECRET=your-client-secret
IDP_USER_ID_CLAIM=email
IDP_USER_LOOKUP_QUERY=http://hapi-fhir:8080/fhir/Practitioner?identifier=http://myorg.com/staff/{identifier}

Azure Active Directory

IDP_ISSUER_URI=https://login.microsoftonline.com/{tenant-id}/v2.0
IDP_USER_ID_CLAIM=preferred_username

Register your app in Azure AD App registrations:

  • Redirect URI: https://auth.demo.ajsmart.com/login/oauth2/code/idp
  • Scopes: openid profile email

Okta

IDP_ISSUER_URI=https://{your-okta-domain}/oauth2/default
IDP_USER_ID_CLAIM=email

Epic IdP

IDP_ISSUER_URI=https://fhir.epic.com/interconnect-amrs-fhir/oauth2
IDP_USER_ID_CLAIM=fhirUser

How it works

  1. Clinician hits /oauth2/authorize
  2. Auth server redirects to /oauth2/authorization/idp
  3. Spring Security redirects to the upstream IdP
  4. Clinician logs in with hospital credentials
  5. IdP returns id_token with configured claim
  6. PractitionerLookupService resolves claim → FHIR Practitioner ID
  7. SMART token issued with fhirUser = Practitioner/{id}
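
Steps 5 to 7 as an added illustration written for this page (not the project's own PractitionerLookupService): the IdP claim value is filled into the IDP_USER_LOOKUP_QUERY template from the .env example above, the FHIR searchset Bundle that the FHIR server returns is read, and a fhirUser value is produced only when exactly one Practitioner matches. The Bundle, the fetch stub and the helper names are constructed for the example.

```python
from typing import Callable, Optional
from urllib.parse import quote

# Constructed copy of the IDP_USER_LOOKUP_QUERY template from the .env example above.
LOOKUP_TEMPLATE = ("http://hapi-fhir:8080/fhir/Practitioner"
                   "?identifier=http://myorg.com/staff/{identifier}")

# Constructed FHIR searchset Bundle, shaped like a HAPI FHIR Practitioner search result.
SAMPLE_BUNDLE = {
    "resourceType": "Bundle", "type": "searchset", "total": 1,
    "entry": [{
        "fullUrl": "http://hapi-fhir:8080/fhir/Practitioner/123",
        "resource": {"resourceType": "Practitioner", "id": "123"},
        "search": {"mode": "match"},
    }],
}

def build_lookup_url(template: str, claim_value: str) -> str:
    """Fill {identifier} with the IdP claim value, percent-encoding it so that an
    email such as jdoe@myorg.com cannot add '&' or '/' segments to the query."""
    if not claim_value or any(c in claim_value for c in "\r\n"):
        raise ValueError("refusing empty or malformed claim value")
    return template.replace("{identifier}", quote(claim_value, safe=""))

def resolve_practitioner(bundle: dict) -> Optional[str]:
    """Return 'Practitioner/{id}' only when the searchset holds exactly one matching
    Practitioner; None otherwise, so an ambiguous mapping never mints a token."""
    if bundle.get("resourceType") != "Bundle" or bundle.get("type") != "searchset":
        return None
    matches = [
        e["resource"] for e in bundle.get("entry", [])
        if e.get("resource", {}).get("resourceType") == "Practitioner"
        and e.get("search", {}).get("mode", "match") == "match"   # skip _include entries
        and e["resource"].get("id")
    ]
    return f"Practitioner/{matches[0]['id']}" if len(matches) == 1 else None

def fhir_user_for_claim(claim_value: str,
                        fetch: Callable[[str], dict]) -> Optional[str]:
    """Steps 5-7 of the flow: claim -> lookup URL -> Bundle -> fhirUser value.
    `fetch` is injected so the example runs offline; in production it would be
    an authenticated HTTP GET against the FHIR server."""
    return resolve_practitioner(fetch(build_lookup_url(LOOKUP_TEMPLATE, claim_value)))

def fake_fetch(url: str) -> dict:
    """Stand-in for the FHIR server: answers the sample Bundle for one known user."""
    return SAMPLE_BUNDLE if url.endswith("jdoe%40myorg.com") else {
        "resourceType": "Bundle", "type": "searchset", "total": 0, "entry": []}
```

`fhir_user_for_claim("jdoe@myorg.com", fake_fetch)` yields `Practitioner/123`, while an unknown claim or a Bundle with two matches yields `None`, which the auth server should treat as a denied login rather than guessing.
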

Registration ID is hardcoded

The registration ID idp is hardcoded in the server entry point. All config must use idp as the key under spring.security.oauth2.client.registration.

Full configuration reference: auth.docs.ajsmart.com/developer/idp-federation