Configuring EHR Authorization Settings - SMART on FHIR - English - Foundation 22.1 - OnBase - Essential - Premier - Standard - external - Premier - Standard - Essential

SMART on FHIR

Platform
OnBase
Product
SMART on FHIR
Release
Foundation 22.1
License
Premier
Standard
Essential

The SMART on FHIR application is launched by the EHR. The EHR will call a launch URL specified in the EHR configuration. EHR will then send a launch token and the FHIR server's endpoint URL. In order for this to happen, EHR must be authorized with your application, so it can provide the proper access tokens to integrate with OnBase.

To configure the EHR authorization settings:

  1. Select the application you want to configure from the SMART on FHIR Applications dialog box.
  2. Click EHR Authorization. The EHR Authorization Settings dialog box for the application you selected is displayed.
  3. In the Client ID field, enter the GUID provided by the EHR Authorization server for the client that should be associated with the SMART on FHIR launch. This is a required field.
  4. In the Client Secret field, enter the plain text secret (password) that is configured for the client specified in the Client ID field.
  5. In the Redirect URL field, enter a properly formatted URL that will be used by the EHR Authorization to return a redirect response (HTTP 302) to the SMART on FHIR client Logic when a successful authentication occurs. It is recommended that you populate this field with the URL of the OnBase Application Server (or load balancer) associated with the SMART on FHIR application. Optionally, you can append "/redirect" to the base URL to improve clarity when troubleshooting. For example: https://myserver/appserver/redirect.
  6. Select the Approved Launch Issuers tab to create a list of URLs to be accepted as issuers (iss=<url>) of a SMART on FHIR launch. This is often the base URL to the EHR Authorization server. For example: https://myEhrAuthzServer. Type the URL in the field provided, and then click Add.
  7. Select the Approved Token Issuers tab to create a list of URLs to be accepted as issuers of OpenID tokens. This is often the base URL to the EHR Authorization server. For example: https://myEhrAuthzServer. Type the URL in the field provided, and then click Add.
  8. Select the Scopes tab to add a list of scopes required by the EHR Authorization server to execute the launch code exchange and Token grants. You may need to consult with the EHR vendor to define this list. Add a scope by typing the name of the scope in the field provide, and then click Add.
    Note:

    Administrators should limit the scopes that are requested during the SMART on FHIR app launch to avoid granting the client unnecessary access to resources.

  9. Select the Endpoints tab to add endpoint connections between SMART on FHIR and the EHR Authorization server. Endpoint settings are optional.
    Note: Only one type of each endpoint type is allowed.

    If needed, do the following to add endpoints:

    • From the Type drop-down list, select an endpoint type. Options include:

      • Authorize. This is the URL to the EHR FHIR server's configured Authorization server Authorize endpoint. For example: https://example.com/ehrauthz/connect/authorize.

      • Capability Statement. This is the URL to the EHR FHIR server's Capability Statement. This document is used to determine the Authorize and Token endpoints for the FHIR server that issued the SMART on FHIR launch. The FHIR server is usually paired with an Authorization server whose Authorize endpoint is specialized to support a SMRT on FHIR launch code exchange for an OAuth2 Authorization code. For example: https://example.com/fhir/R4/metadata.

      • Discovery Document. This is the URL to the EHR Authorization server's Discovery document. Examples include: https://example.com/ehrauthz/.well-known/openid-configuration or https://example.com/ehrauthz/.well-known/smart-configuration.

      • Jwks. This is the URL to the EHR Authorization server's JSON Web Key set. For example: https://example.com/ehrauthz/.well-known/openid-configuration/jwks.

      • Token. This is the URL to the EHR FHIR server's configured Authorization server Token endpoint. For example: https://example.com/ehrauthz/connect/token.

    • In the URL field, enter a server location for the endpoint.

    • Click Add. The endpoint is added to the Endpoints tab.

    Note the following when adding endpoints:

    • If the Capability Statement endpoint is not specified, the SMART on FHIR standard Capability Statement location of [launch-issuer]/metadata will be used to determine the Authorize and Token endpoints.

    • If the Discovery Document endpoint is not specified, the OpenID Connect standard Discovery document location of [token-issuer]/.well-known/openid-configuration will be used to determine the EHR Authorization server's JWKS endpoint.

    • If the Jwks endpoint is specified, the SMART on FHIR service will not require an outbound HTTP request to retrieve the Hyland IdP's Discovery document. This endpoint should only be used if troubleshooting or optimizing for performance. If that endpoint will not change, set it here to eliminate the extra "hop."

    • If Authorize and Token endpoints are specified, the SMART on FHIR service will not require an outbound HTTP request to retrieve the EHR FHIR server's Capability Statement. If those endpoints will not change, set them here to eliminate the extra "hop."

  10. Click Save.