Auth Clients and Single Sign-on
PHC allows you to configure third-party authentication clients for Single Sign-on (SSO). This makes the login process easier and frees you from having to create usernames and passwords for new PHC users. It also keeps credential management, including the organization's own password and multi-factor policies, with the organization's identity provider rather than with PHC.
PHC offers preconfigured options to set up Facebook and Google authentication as identity providers. It also offers a Custom Identity Provider option that allows you to set up a wide variety of SSO providers.
The Auth Client tab is only available for Enterprise account customers. The tab does not appear at other account levels. To become a LifeOmic Enterprise customer, contact your LifeOmic representative.
Configure an Authentication Client
Configuring an SSO client is an advanced operation. Assistance from LifeOmic is available.
A user must belong to the default Admin group, or hold the equivalent permissions, to complete this procedure. To add a user to the default Admin group, complete the Add a user to a group with the Users tab procedure.
From any page in PHC, click the logo at the top of the page.
From the home page, click the Account Info tile.
From the account info page, click Auth Client to see the currently configured Authentication Client.
To add a new client, click Create Client.
Note: Only one Web client is allowed per account. If you need to delete an existing client, click the icon next to the client name.
Enter a name in the Name field.
The Callback URL(s) and the Logout URL(s) populate automatically.
Under Custom Identity Provider Type, select from:
- OpenID (entering the issuer URL in the Issuer textbox autopopulates the other validating information required for OpenID setup)
An Alternate OIDC Provider is usually not required; it is needed only for SMART on FHIR applications. See Configure an Alternate OIDC Provider below for more information.
Click Save Changes.
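The autopopulation in the OpenID option works from the provider's discovery document. The following is an added Go example, not PHC's code, showing what an SSO client does with an issuer URL: it derives the well-known configuration URL the way OpenID Connect Discovery 1.0 specifies, then validates the fetched document, refusing one whose issuer field is not exactly the configured issuer or whose endpoints are not https. The issuer and the document are constructed for this example and the field names are the standard ones from the discovery specification.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// providerConfig holds the fields of an OpenID Provider configuration document
// that an SSO client fills in from the issuer: the endpoints it redirects to and
// the JWKS URL whose keys validate ID tokens.
type providerConfig struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	JwksURI               string `json:"jwks_uri"`
}

// discoveryURL derives the well-known configuration URL from an issuer the way
// OpenID Connect Discovery 1.0 does: "/.well-known/openid-configuration" is
// appended to the issuer, which has to be an https URL with no query or fragment.
func discoveryURL(issuer string) (string, error) {
	u, err := url.Parse(issuer)
	if err != nil || u.Scheme != "https" || u.Host == "" || u.RawQuery != "" || u.Fragment != "" {
		return "", fmt.Errorf("issuer must be an https URL without query or fragment: %q", issuer)
	}
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration", nil
}

// parseProviderConfig decodes a document fetched from the discovery URL. It is
// refused unless its "issuer" is exactly the configured issuer and every
// endpoint it names is https, so a document served for a different issuer
// (or a look-alike host) cannot repoint the client's token validation.
func parseProviderConfig(configuredIssuer string, body []byte) (*providerConfig, error) {
	var cfg providerConfig
	if err := json.Unmarshal(body, &cfg); err != nil {
		return nil, err
	}
	if cfg.Issuer != configuredIssuer {
		return nil, fmt.Errorf("issuer mismatch: configured %q, document says %q", configuredIssuer, cfg.Issuer)
	}
	for name, ep := range map[string]string{"authorization_endpoint": cfg.AuthorizationEndpoint,
		"token_endpoint": cfg.TokenEndpoint, "jwks_uri": cfg.JwksURI} {
		if !strings.HasPrefix(ep, "https://") {
			return nil, fmt.Errorf("%s must be an https URL, got %q", name, ep)
		}
	}
	return &cfg, nil
}

// sampleDocument is a constructed configuration document for a made-up issuer.
const sampleDocument = `{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/token",
  "jwks_uri": "https://idp.example.com/oauth2/keys"
}`

func main() {
	issuer := "https://idp.example.com"
	u, _ := discoveryURL(issuer)
	fmt.Println("fetch:", u)
	cfg, err := parseProviderConfig(issuer, []byte(sampleDocument))
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("token keys come from:", cfg.JwksURI)
}
```

The exact-match check on the issuer field is the one that matters: a client that merely trusts whatever jwks_uri the document names would accept tokens from whoever controls that document.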
Configure a Custom Identity Provider
The information needed for a custom identity provider is specific to that provider and is normally publicly available. For example, when you want to configure Microsoft Azure, consult the Microsoft Azure documentation to find the necessary information for the fields in the SSO (Single Sign-On) section of PHC.
Example Configuration for
This example is for an organization using a Shibboleth IdP.
- Callback URLs:
- Logout URLs:
- Metadata document URL:
- Email attribute mapping:
- Name attribute mapping:
Example User/Browser Flow
In addition to the diagrams below, you can also reference the AWS Cognito documentation.
Example URLs and parameters, using Okta for the IdP:
Configure an Alternate OIDC Provider
An alternate OIDC provider links identities from an external OpenID Connect (OIDC) provider to PHC users. Once an OIDC identity has been linked to a PHC user, that user no longer needs to log in to PHC separately after authenticating with the OIDC provider. Typically this is used by our SMART on FHIR app so that EHR users do not have to log in to PHC when they launch the app. To configure the alternate OIDC provider, specify the following:
- Name: a name you want to use to identify the provider
- Client Id: the OAuth2 client ID of the parent application that authenticates with the OIDC provider; ID tokens from the provider must carry this value in their aud claim. For Cerner EHRs this is a UUID that can be obtained from Cerner.
- OIDC Issuer: the issuer URL of the provider, which must match the iss claim in its ID tokens exactly. For Cerner EHRs this is a tenant-specific URL in which TENANT_ID is the ID of your Cerner tenant; the ID can be obtained from Cerner.
- Jwks URL: a URL that can be fetched to get the JSON Web Key Set (JWKS) the provider signs its tokens with. For Cerner EHRs, use the JWKS URL published by Cerner.
Linking OIDC Subjects to PHC Users
Once the alternate OIDC provider has been configured, any of our applications that run in the context of that provider (for example, our SMART on FHIR app) prompt the user for their PHC password on first use, then link the OIDC identity to the PHC user automatically so that no PHC login is required on later launches of the application.
An administrator who has both Account and Access privileges can also manually link an OIDC user to a PHC SSO user so that the OIDC user never has to log in to PHC. To manually link an OIDC user, follow this procedure:
- Hover over the provider row and then click the icon to bring up the list of linked users.
- Click the Link New Identity button.
- Enter the user's OIDC username (e.g. EHR username) in the OIDC User Name field.
- Enter the user's PHC SSO username in the PHC User Name field. If you don't know the user's PHC username, use the PHC User Search field to find it. PHC SSO usernames are usually composed of accountid, the ID of your PHC account, and email@example.com, the user's email address; the exact format varies with the SAML provider being used.
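The following added Go example, which is neither PHC's nor Cerner's code, shows how the three alternate OIDC provider fields (Client Id, OIDC Issuer, Jwks URL) are used when an ID token from the EHR arrives, and how a verified subject is then resolved to a linked PHC user as described under Linking OIDC Subjects to PHC Users. The client ID, issuer, key ID, subject, PHC username and link table are all constructed; keying the link table on issuer plus subject is this example's design, not a description of how PHC stores links; the Keys map stands for the RSA keys parsed from the JWKS document at the Jwks URL (the parsing itself is not shown); and the signing helper stands in for the EHR's provider so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// oidcProvider mirrors the fields entered for an alternate OIDC provider; every
// value used with it in this example is constructed, not a real tenant's.
type oidcProvider struct {
	ClientID string                    // the "aud" an ID token must carry
	Issuer   string                    // the "iss" an ID token must carry
	Keys     map[string]*rsa.PublicKey // keys from the JWKS at the Jwks URL, by kid
}

// idClaims is the subset of ID token claims checked here. OIDC also allows "aud"
// to be an array; that form fails the decode below and is rejected, not waved through.
type idClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var enc = base64.RawURLEncoding

// verifyIDToken checks signature, issuer, audience and expiry. Only RS256 under a
// known kid is accepted, so alg "none" or an HMAC keyed with the public key fails.
func verifyIDToken(p *oidcProvider, token string, now time.Time) (*idClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("bad header")
	}
	key, known := p.Keys[hdr.Kid]
	if hdr.Alg != "RS256" || !known {
		return nil, fmt.Errorf("alg %q with kid %q not accepted", hdr.Alg, hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := enc.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature invalid")
	}
	var c idClaims
	if raw, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("bad claims")
	}
	switch {
	case c.Iss != p.Issuer:
		return nil, fmt.Errorf("issuer %q is not the configured %q", c.Iss, p.Issuer)
	case c.Aud != p.ClientID:
		return nil, fmt.Errorf("token issued to %q, not to client %q", c.Aud, p.ClientID)
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// resolvePHCUser looks a verified token up in the link table, keyed on issuer plus
// subject because two providers can both issue the subject "12345".
func resolvePHCUser(links map[string]string, c *idClaims) (string, bool) {
	u, ok := links[c.Iss+"|"+c.Sub]
	return u, ok
}

// signIDToken stands in for the EHR's provider so the example runs offline.
func signIDToken(priv *rsa.PrivateKey, kid string, c idClaims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	p := &oidcProvider{ClientID: "constructed-client-id", Issuer: "https://ehr.example.com/oidc",
		Keys: map[string]*rsa.PublicKey{"ehr-key-1": &priv.PublicKey}}
	links := map[string]string{p.Issuer + "|ehruser42": "phc-sso-user-example"} // constructed link table
	tok := signIDToken(priv, "ehr-key-1", idClaims{Iss: p.Issuer, Sub: "ehruser42", Aud: p.ClientID, Exp: time.Now().Add(time.Hour).Unix()})
	if c, err := verifyIDToken(p, tok, time.Now()); err != nil {
		fmt.Println("rejected:", err)
	} else {
		user, linked := resolvePHCUser(links, c)
		fmt.Println("subject", c.Sub, "linked:", linked, "PHC user:", user)
	}
}
```

A token that verifies but has no link is the first-use case from the section above: the application then prompts for the PHC password and creates the link. Two things a production verifier adds to this sketch are accepting the array form of aud, which OIDC permits, and refetching the Jwks URL when a token presents an unknown kid, since providers rotate keys; until a key is fetched from the configured Jwks URL, a token under an unknown kid is still rejected.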