PhenixID

Step by Step – Medimo MFA, SSO and authorization with PhenixID Authentication Services

Summary

This document will guide you through the steps to enable multi-factor authentication and Single-Sign On for the dutch healthcare prescribing and administration solution Medimo (https://www.medimo.nl/), using OpenID Connect.

System Requirements

  • PhenixID Authentication Server 4.0 or higher
  • Medimo technical contact

Instruction

Overview

This document will guide you through the steps to enable multi-factor authentication and Single-Sign on for Medimo.

The authorative permissions in Medimo are also populated by PhenixID Authentication Services.

PhenixID Authentication Services acting as OpenID Connect Provider

Add output filter

  1. Shutdown PhenixID Authentication Services
  2. Download https://files.phenixid.se/s/5KYK7o2eoswR77J/download
  3. Place the file in <phenixid_server_root>/mods/*api-authenticat*/com/phenixidentity/api/authenticate/handler/output/custom/ (create custom folder if missing)
  4. Start PhenixID Authentication Services

Setup PAS as OpenID Connect Provider

  1. Login to Configuration Manager.
  2. Scenarios->OIDC
  3. Add a new relying party:
    – client_id = medimo
    – client_password = <create a password and set>
    – Allowed redirect uri:s = <ask the Medimo admin which value(s) to use>
  4. Create a new OpenID Connect provider by selecting the desired authentication method. Follow the scenario guidelines for values.
    Use the Authorization Code Flow.
    Allow medimo as an allowed RP to use the OP.
  5. (Points 6-9 below is only necessary with PAS version 4.0 or previous).
  6. Click Execution flow
  7. Expand Token endpoint
  8. Click Add Valve
  9. Select PropertyAddValve
  10. Enter name = token_type and value = Bearer. Make sure the valve is placed last in the execution flow.
  11. Save the changes
  12. Set the proper amr claim value by following this guide.
  13. Click Advanced->Modules
  14. Locate the com.phenixidentity~phenix-api-authenticate module
  15. In the tenants section, locate the tenant id for the OP just setup
  16. Add these settings on the tenant:
    “outPutHandler”: “com.phenixidentity.api.authenticate.handler.output.custom.OIDCEndpointsDataConverter”,

    And “userinfo_medimo” to allowedOperation.

    Example:

  17. Click Stage changes and Commit changes
  18. Click Advanced->Pipes.
  19. Add the pipe below.
    NB! The autorisatie item property defines the claim that will be used for permissions. In the example below it’s “hardcoded” to doctor,nurse.
    Ask your Medimo contact for expected values. Map the values to your user store permission control, such as AD user groups. Reconfigure the pipe using the correct valves according to your requirements and values.
    Please ask PhenixID for additional assistance.

    {
    “id”: “userinfo_medimo”,
    “valves”: [
    {
    “name”: “ItemCreateValve”,
    “config”: {
    “dest_id”: “userinfo_props”
    }
    },
    {
    “name”: “PropertyAddValve”,
    “config”: {
    “name”: “authorization”,
    “value”: “{{request.Authorization}}”
    }
    },
    {
    “name”: “PropertyReplaceValve”,
    “config”: {
    “source”: “authorization”,
    “dest”: “access_token”,
    “token”: “Bearer “,
    “replacement”: “”
    }
    },
    {
    “name”: “SessionResolveValve”,
    “config”: {
    “alias”: “{{item.access_token}}”,
    “require_session”: “true”,
    “require_auth_session”: “false”
    }
    },
    {
    “name”: “PropertyAddValve”,
    “config”: {
    “name”: “name”,
    “value”: “{{session.givenName}} {{session.sn}}”
    }
    },
    {
    “name”: “PropertyAddValve”,
    “config”: {
    “name”: “given_name”,
    “value”: “{{session.givenName}}”
    }
    },
    {
    “name”: “PropertyAddValve”,
    “config”: {
    “name”: “family_name”,
    “value”: “{{session.sn}}”
    }
    },
    {
    “name”: “PropertyAddValve”,
    “config”: {
    “name”: “email”,
    “value”: “{{session.mail}}”
    }
    },
    {
    “name”: “PropertyAddValve”,
    “config”: {
    “name”: “autorisatie”,
    “value”: “doctor”
    }
    },
    {
    “name”: “PropertyAddValve”,
    “config”: {
    “name”: “autorisatie”,
    “value”: “nurse”
    }
    },
    {
    “name”: “PropertyAddValve”,
    “config”: {
    “name”: “sub”,
    “value”: “{{session.user_id}}”
    }
    },
    {
    “name”: “PropertyAddValve”,
    “config”: {
    “name”: “preferred_username”,
    “value”: “{{session.mail}}”
    }
    },
    {
    “name”: “PropertyRemoveValve”,
    “config”: {
    “name”: “access_token,authorization”
    }
    }
    ],
    “created”: “2017-11-13T09:53:46.595Z”
    }

  20. Click Stage changes and commit changes
  21. Click Advanced->OIDC OP
  22. Locate the OP created in previous step
    – Add a userinfo_endpoint param.
    “userinfo_endpoint”: “https://<your_phenixid_server_domain>/api/authentication/userinfo_opm?tenant=<the tenant id>”,
     Add values to the claims_supported array:
    “email”,
    “email_verified”,
    “amr”,
    “autorisatie”
    Example:
  23. Click Stage changes and commit changes
  24. Click Scenarios->OIDC-><Your OP>
  25. Click View OP Discovery
  26. Copy the OP discovery URL and send it, together with client_id and client_secret, to the Medimo administrator

Configure Medimo

  1. The Medimo administrator will handle this part.

Test

The Medimo administrator will supply instructions on how to test the setup.

DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se