Built in Identity provider
Kodjin FHIR Server natively supports open-source OAuth 2.0 provider - Keycloak. Any other external IdP conformant with OAuth 2.0 and OIDC can be configured to work with Kodjin FHIR server.
Setup Multi-Factor-Authorization flow
Configuring Multi Factor Authentication (MFA) is not supported by Kodjin FHIR Server for external OAuth 2.0 providers. Please, use external Identity provider references for configuring MFA.
Two-factor authentication (2FA) is an additional layer of security that requires users to provide an additional form of authentication beyond their password when logging in. This can help protect against unauthorized access to accounts, even if an attacker has obtained a user’s password. Keycloak, an open-source identity and access management solution, offers support for 2FA through various authentication flows and mechanisms.
By default, Two-factor authentication is not enabled in the standard or SMART App launch browser authentication flow of Keycloak. Let’s see how we can add it as part of a sample application.
Log in into the Admin Console and select “Authentication” in your Fhir
Realm. This is the area where you can configure and manage different credential types.
Select SMART App launch. This is a flow that is initiated when a user attempts to access a protected resource using a web browser. This flow typically involves redirecting the user to a login page, where they can enter their credentials. If the user’s credentials are valid, they will be granted access to the protected resource.
On the SMART login
flow select Actions and choose Add execution
, select OTP form.
Within this flow, the Conditional OTP Form follows the standard username/password form. However, it is not a Required step by default. Make it Required by selecting the “Browser Conditional OTP” radio-button.
Configuring the OTP Policy
To configure the OTP Policy for your Fhir
Realm, follow these steps:
Navigate to the Keycloak administration console and log in as an administrative user. In the left-hand menu, click on “Authentication” and then select the “OTP Policy” from the “Policies” tab.
From there, you will be able to choose the OTP type (default is Time based), the Duration, the Supported applications and so on.
Enforcing Two-factor authentication for users
It is possible to enforce 2FA at user level in Keycloak. To do that, you can set the “Configure OTP” required action for the user. To do this, follow these steps:
- Navigate to the Keycloak administration console and log in as an administrative user.
- In the left-hand menu, click on “Users” and then select the user you want to enforce 2FA for.
- Click on the “Actions” tab in the user’s profile page.
- Click on the “Add Required Action” button and select the “Configure OTP” option from the list.
- Click on the “Save” button to save the changes.