Training
Certification
Microsoft Certified: Identity and Access Administrator Associate - Certifications
Demonstrate the features of Microsoft Entra ID to modernize identity solutions, implement hybrid solutions, and implement identity governance.
Configure multiple service identity providers
In addition to Microsoft Entra ID, you can configure up to two additional identity providers for a FHIR® service, whether the service already exists or is newly created.
Identity providers must support OpenID Connect (OIDC), and must be able to issue JSON Web Tokens (JWT) with a fhirUser claim, a azp or appid claim, and an scp claim with SMART on FHIR v1 Scopes.
Add the smartIdentityProviders element to the FHIR service authenticationConfiguration to enable additional identity providers. The smartIdentityProviders element is optional. If you omit it, the FHIR service uses Microsoft Entra ID to authenticate requests.
| Element | Type | Description |
|---|---|---|
| smartIdentityProviders | array | An array containing up to two identity provider configurations. This element is optional. |
| authority | string | The identity provider token authority. |
| applications | array | An array of identity provider resource application configurations. |
| clientId | string | The identity provider resource application (client) ID. |
| audience | string | Used to validate the access token aud claim. |
| allowedDataActions | array | An array of permissions the identity provider resource application is allowed to perform. |
JSON
{
"properties": {
"authenticationConfiguration": {
"authority": "string",
"audience": "string",
"smartProxyEnabled": "bool",
"smartIdentityProviders": [
{
"authority": "string",
"applications": [
{
"clientId": "string",
"audience": "string",
"allowedDataActions": "array"
}
]
}
]
}
}
}
If you don't need any identity providers beside Microsoft Entra ID, set the smartIdentityProviders array to null, or omit it from the provisioning request. Otherwise, include at least one valid identity provider configuration object in the array. You can configure up to two additional identity providers.
You must specify the authority string for each identity provider you configure. The authority string is the token authority that issues the access tokens for the identity provider. The FHIR service rejects requests with a 401 Unauthorized error code if the authority string is invalid or incorrect.
Before you make a provisioning request, validate the authority string by checking the openid-connect configuration endpoint. Append /.well-known/openid-configuration to the end of the authority string and paste it in your browser. You should see the expected configuration. If you don't, the string has a problem.
Example:
HTTP
https://yourIdentityProvider.com/authority/v2.0/.well-known/openid-configuration
You must include at least one application configuration and can add up to 25 applications in the applications array. Each application configuration has values that validate access token claims, and an array that defines the permissions for the application to access FHIR resources.
The identity provider defines the application with a unique identifier called the clientId string (or application ID). The FHIR service validates the access token by checking the authorized party (azp) or application id (appid) claim against the clientId string. If the clientId string and the token claim don't match exactly, the FHIR service rejects the request with a 401 Unauthorized error code.
The aud claim in an access token identifies the intended recipient of the token. The audience string is the unique identifier for the recipient. The FHIR service validates the access token by checking the audience string against the aud claim. If the audience string and the aud claim don't match exactly, the FHIR service rejects requests with a 401 Unauthorized error code.
Include at least one permission string in the allowedDataActions array. You can include any valid permission strings. Avoid duplicates.
| Valid permission string | Description |
|---|---|
| Read | Allows resource GET requests. |
Use Azure Active Directory B2C to grant access to the FHIR service
Troubleshoot identity provider configuration
Note
FHIR® is a registered trademark of HL7 and is used with the permission of HL7.