
OpenID Connect Configuration

Supported EWA versions

OpenID Connect authentication and authorization are supported in EWA from version 20.10.0.

The option to show a Rolepicker on login to Insight, and support for a claim with a semi-colon separated department list, were introduced in version 21.10.3.

Current EWA system version is 22.6.43229.0.

Identity Provider requirements

  • Must support OpenID Connect code flow.
  • Required claims in id_token and access_token:
    • A claim that contains the User ID.
    • A claim that contains the User display name/full name (ex. "name": "Mykke Plasme").
    • A claim that contains a value that is unique to the physical person behind the user.
      • This claim value is used when limiting access to patient journals for individuals.
        The value must be unique per person because some identity providers support multiple users per person.
        We recommend using the Norwegian F-number or D-number for this, since it is unique per person.
        Ex: A patient has requested that her cousin, who works in the ambulance service, should not have access to her patient journals in EWA.
    • Claim(s) containing the user's role(s) in the EWA system.
    • Claim or claims that provide the list of department ids (RESH) the user works in.
      • If a single claim carries all departments, its value must be a semi-colon separated list.
  • Claim(s) containing the organization id(s) the user works in/is part of. These are required if the rolepicker is disabled in the configuration.

Identity Provider configuration

The identity provider must be configured with a registration for the EWA system in which the redirect URIs for Insight and the EWA app are allowed.

EWA Client Application Redirect URI
  • EWA Client version < 24.3.580: ms-app://s-1-15-2-1427503942-819391212-1481878552-3635517321-350163763-2944999806-3002464108/
  • EWA Client version >= 24.3.580 (Release 28): ms-app://s-1-15-2-541905458-1169984836-1082313567-1035107589-2619802505-3952432671-805970590/

The Insight redirect URI depends on where the Insight web application is deployed. Ex: the redirect URI used in the inter-regional EWA test environment is https://dev.ewa.bliksund.com/insight

This section does not provide steps for specific identity providers, since the system is designed to be provider agnostic.

Configuration of OpenID Connect in EWA

OpenID Connect must be configured on servers and clients running the EWA system.

Server side configuration

Configuration of the server-side components happens through the Migration and Seeding tool.
See the Migration and Seeding Tool documentation for a guide on how to use it.

Client side configuration

The client uses OpenID Connect login when the settings.json file contains an "Authentication" JSON object that in turn contains an "OidcClientOptions" object, plus the claim types in which the client can find the user id, user full name, and organization id(s).

Example settings.json from clients configured for the inter-regional test system:

{
  "Version": 2,
  "Url": {
    "Primary": "https://dev.ewa.bliksund.com/clientapi/",
    "Training": "https://test.bliksundhf.no/clientapi/"
  },
  "Dataset": "Azure",
  "LockTimer": 15,
  "EncryptDatabase": true,
  "Locale": "no",
  "Authentication": {
    "OidcClientOptions": {
      "ClientId": "4a821d50-11a1-483f-8782-e865ab3033a1",
      "ClientSecret": null,
      "Authority": "https://login.microsoftonline.com/73935988-7e75-46c2-8cc6-d2d91985f67b/v2.0",
      "Scope": "openid profile api://4a821d50-11a1-483f-8782-e865ab3033a1/Client"
    },
    "UserIdClaimType": "preferred_username",
    "NameClaimType": "name",
    "OrganizationClaimType": "extn.OrganizationIdentification",
    "CurrentOrganizationId": null
  }
}
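As an added example, not part of the EWA documentation or product, the following Python script serves two of the sections above: it checks a settings.json against the client-side requirements (the "Authentication" object, "OidcClientOptions" with a client id, an https authority and an "openid" scope, and the three claim-type keys), and then checks a decoded set of token claims against the identity-provider claim requirements, including the semi-colon separated department list and the rule that organization ids are required when the rolepicker is disabled. Only the settings keys and the example values come from the page; the claim names "person_id", "roles" and "departments", the sample claim values and all function names are assumptions made for this example.

```python
import json
from typing import Dict, List

# Constructed settings.json text. The keys and the example ClientId/Authority
# values mirror the page's example; this is not a real deployment's file.
SAMPLE_SETTINGS = """
{
  "Version": 2,
  "Authentication": {
    "OidcClientOptions": {
      "ClientId": "4a821d50-11a1-483f-8782-e865ab3033a1",
      "ClientSecret": null,
      "Authority": "https://login.microsoftonline.com/73935988-7e75-46c2-8cc6-d2d91985f67b/v2.0",
      "Scope": "openid profile api://4a821d50-11a1-483f-8782-e865ab3033a1/Client"
    },
    "UserIdClaimType": "preferred_username",
    "NameClaimType": "name",
    "OrganizationClaimType": "extn.OrganizationIdentification",
    "CurrentOrganizationId": null
  }
}
"""

# Constructed claim set, as it might look after an id_token has been decoded.
# The claim names "person_id", "roles" and "departments" are assumptions; the
# page does not fix those names (they are configured server-side).
SAMPLE_CLAIMS = {
    "preferred_username": "user@example.org",
    "name": "Mykke Plasme",
    "person_id": "PERSON-EXAMPLE-1",
    "roles": ["Ambulance"],
    "departments": "100123;100456;100789",
    "extn.OrganizationIdentification": "ORG-EXAMPLE-1",
}


def load_client_oidc_settings(text: str) -> Dict[str, str]:
    """Return the claim-type mapping from settings.json, or raise ValueError
    naming the first missing piece. Without the Authentication object, the
    OidcClientOptions object and the three claim-type keys, the client does
    not use OIDC login at all."""
    settings = json.loads(text)
    auth = settings.get("Authentication")
    if not isinstance(auth, dict):
        raise ValueError('no "Authentication" object: client will not use OIDC login')
    opts = auth.get("OidcClientOptions")
    if not isinstance(opts, dict):
        raise ValueError('"Authentication" has no "OidcClientOptions" object')
    for key in ("ClientId", "Authority", "Scope"):
        if not opts.get(key):
            raise ValueError(f'"OidcClientOptions" is missing "{key}"')
    if "openid" not in opts["Scope"].split():
        raise ValueError('"Scope" must include "openid" for an OpenID Connect flow')
    if not opts["Authority"].startswith("https://"):
        raise ValueError('"Authority" must be an https URL')
    mapping = {}
    for key in ("UserIdClaimType", "NameClaimType", "OrganizationClaimType"):
        if not auth.get(key):
            raise ValueError(f'"Authentication" is missing "{key}"')
        mapping[key] = auth[key]
    return mapping


def split_departments(value) -> List[str]:
    """Department ids (RESH) may arrive as several claim values (a list) or as
    one claim whose value is a semi-colon separated list."""
    items = [str(v) for v in value] if isinstance(value, list) else str(value).split(";")
    return [v.strip() for v in items if v.strip()]


def check_token_claims(claims: dict, mapping: Dict[str, str], person_claim: str,
                       role_claim: str, dept_claim: str, rolepicker_enabled: bool) -> List[str]:
    """Return the list of requirement violations; an empty list means the
    token carries every claim the page requires for EWA."""
    problems = []
    required = (
        ("user id", mapping["UserIdClaimType"]),
        ("display name", mapping["NameClaimType"]),
        ("unique person id", person_claim),
        ("role", role_claim),
    )
    for label, name in required:
        if not claims.get(name):
            problems.append(f"missing {label} claim '{name}'")
    if not split_departments(claims.get(dept_claim, "")):
        problems.append(f"department claim '{dept_claim}' carries no RESH ids")
    # Organization ids are only mandatory when the rolepicker is disabled.
    org_claim = mapping["OrganizationClaimType"]
    if not rolepicker_enabled and not claims.get(org_claim):
        problems.append(f"rolepicker disabled but organization claim '{org_claim}' is missing")
    return problems


if __name__ == "__main__":
    mapping = load_client_oidc_settings(SAMPLE_SETTINGS)
    print("claim mapping:", mapping)
    print("departments:", split_departments(SAMPLE_CLAIMS["departments"]))
    print("problems:", check_token_claims(SAMPLE_CLAIMS, mapping, "person_id",
                                          "roles", "departments", rolepicker_enabled=False))
```

Run it against a real settings.json by replacing SAMPLE_SETTINGS with the file contents, and against the claims of a test login by decoding the id_token payload into the claims dict; the claim names passed to check_token_claims must match whatever the server-side configuration maps for person, role and department claims.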