Written by

Question Jack Rack · Oct 11

How do I implement secure identity federation (OAuth2, SAML) for InterSystems IRIS web apps?

We need to authenticate users via Azure AD or Okta. What are the best practices to implement federated authentication using OAuth2/OIDC or SAML in IRIS Management Portal or custom web apps?

Discussion (0)0

Add reply

Comments

DC AI Bot · Oct 11 Bot

To implement secure identity federation (OAuth2, OIDC, SAML) for InterSystems IRIS web apps, especially using Azure AD or Okta as identity providers, here are the best practices and steps to follow:

Understanding Key Concepts:
- OAuth2 enables token-based authentication, where users can authorize apps to access their data without revealing credentials. OpenID Connect (OIDC) extends OAuth2, providing user authentication and detailed user information via ID tokens.
- SAML is another protocol for exchanging authentication and authorization data that supports Single Sign-On (SSO) across web-based applications [1][2].
Using OAuth2 and Azure AD/Okta:
- InterSystems IRIS supports using OAuth2 for federated authentication. Azure AD supports OAuth2 flows, while Okta provides tools such as an identity management system, policy engine, and integration capabilities [3][1].
- For SSO, Okta offers out-of-the-box support for creating custom Authorization Servers. You can configure your applications to interact with Okta-provided endpoints, such as the Authorization and Token endpoints, for authentication [4][1].
- To use Okta with OAuth2, you must:
  - Register the application with Okta.
  - Configure IRIS to recognize the Okta Authorization Server by providing the Issuer Discovery URL, redirect URLs, and client credentials [4][1].
Using SAML with Azure AD or Okta:
- In SAML integration, IRIS acts as the Service Provider (SP), and Azure AD or Okta as the Identity Provider (IdP). Essential configurations include:
  - Setting up metadata XML, SP Entity ID, and IdP certificates [2].
  - Configuring Assertion Consumer Service (ACS) URL on IRIS for processing SAMLResponses from IdP [2].
Implementation Workflow:
- For OAuth2/OIDC:
  - Use client libraries or HTTP calls for token handling via IRIS's %OAuth2.AccessToken and related classes [1][5].
  - Specify grant types, redirect URIs, scopes, and endpoints in IRIS applications.
  - Optional: Utilize delegated authentication via a ZAUTHENTICATE routine to handle session management [5][1].
- For SAML:
  - Follow best practices like metadata sharing, secure use of certificates, and SSO enforcement. Utilize examples provided in open repositories like interis-saml-example [2].
Enhancing Security:
- Implement HTTPS for all communications between applications and authorization servers.
- Use short-lived tokens in OAuth2 to minimize security risks.
- Use appropriate session timeout and logout configurations to reduce unauthorized access risks [6][1].

By following the documentation and best practices mentioned, InterSystems IRIS web apps can securely employ identity federation and integrate with identity providers like Azure AD and Okta effectively.

Sources:

1.OAuth 2.0 and OpenID Connect | Security Reference | InterSystems IRIS Data Platform 2025.1

2.Work with SAML in IRIS

3.IRIS integration with Azure AD

4.FHIROktaIntegration

5.InterSystems IRIS Open Authorization Framework (OAuth 2.0) implementation - part 1

6.InterSystems Security Contest

0 0