SSO from ZorgDomein

NB: This is a draft specification!


ZorgDomein supports single sign-on (SSO) to external applications ("apps") for both practitioners and patients who use ZorgDomein. After SSO to an app, the app can exchange data with ZorgDomein through a FHIR API. The SSO mechanism is based on SMART on FHIR; see the SMART Application Launch Framework Implementation Guide for detailed documentation. That framework uses the OpenID Connect specification to authenticate a platform user to a third-party app, and OAuth 2.0 to authorize the app's access to the platform's FHIR API. The SMART on FHIR specification defines two different ways of launching an external application:

  • EHR launch: the application launches from an existing EHR or Patient Portal session.
  • Standalone launch: the application launches as a standalone application and actively requests user authentication at the EHR.

ZorgDomein only supports the EHR launch (where ZorgDomein takes the role of an EHR).

Public vs confidential apps

The OAuth2 specification defines two types of apps: confidential and public apps. The differentiation is based on whether the execution environment in which the app runs enables the app to protect secrets. Confidential apps are able to protect secrets; public apps aren't. A client secret may be used to authenticate the app when requesting access tokens. Pure client-side apps (for example, HTML5/JS browser-based apps, iOS mobile apps, or Windows desktop apps) can provide adequate security, but they may be unable to "keep a secret" in the OAuth2 sense. In other words, any "secret" key, code, or string that is statically embedded in the app can potentially be extracted by an end user or attacker. Hence security for these apps cannot depend on secrets embedded at install time. The ZorgDomein SMART App Hub considers all apps to be public apps. This means that we don't issue client secrets, and that we do not require HTTP authentication when requesting access tokens.
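As an added example (not part of this draft specification or of ZorgDomein's code), the app's side of the public-client EHR launch in Python: the `iss` received at launch is checked against an allowlist, the authorization request is bound to a random `state` (and to a PKCE verifier, which this page does not mention and is assumed here), and the token request carries `client_id` in the body with no client secret and no HTTP authentication. The issuer, endpoint, client id and redirect URI are constructed placeholders; in practice the authorize endpoint is discovered from the issuer's SMART configuration.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: the real issuer is the FHIR base URL passed as `iss`
# at launch, and the authorize endpoint comes from that issuer's
# .well-known/smart-configuration (discovery is outside this example).
TRUSTED_ISSUERS = {"https://fhir.zorgdomein.example/r4"}
CLIENT_ID = "example-smart-app"
REDIRECT_URI = "https://app.example/callback"
SCOPE = "launch openid fhirUser patient/*.read"


def pkce_pair():
    """RFC 7636 S256 verifier/challenge (assumed here; not stated on the page)."""
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(authorize_endpoint, launch_params, session):
    """Turn the EHR-launch request (`iss`, `launch`) into an authorization redirect."""
    iss, launch = launch_params["iss"], launch_params["launch"]
    if iss not in TRUSTED_ISSUERS:          # never trust an arbitrary issuer
        raise ValueError("unknown iss: %s" % iss)
    state = secrets.token_urlsafe(32)       # binds the callback to this session
    verifier, challenge = pkce_pair()
    session.update({"state": state, "iss": iss, "code_verifier": verifier})
    query = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "launch": launch, "scope": SCOPE, "state": state, "aud": iss,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urlencode(query)


def token_request_body(callback_url, session):
    """Validate the callback and build the token request of a public client."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise RuntimeError("authorization failed: %s" % params["error"][0])
    state = params.get("state", [""])[0].encode("utf-8")
    if not secrets.compare_digest(state, session.get("state", "").encode("utf-8")):
        raise ValueError("state mismatch: possible forged callback")
    # Public client: client_id in the body, no client_secret, no HTTP auth header.
    return {
        "grant_type": "authorization_code", "code": params["code"][0],
        "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
        "code_verifier": session.pop("code_verifier"),
    }
```

The returned dictionary is what the app POSTs as form fields to the token endpoint; the `session` dictionary stands in for whatever server-side session store the app uses.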

Developer tip

Try using the SMART Health IT Sandbox to test your app before starting integration tests with the ZorgDomein application. This way you can quickly test your app for different launch parameters.