Question
· Oct 11

How do I implement secure identity federation (OAuth2, SAML) for InterSystems IRIS web apps?

We need to authenticate users via Azure AD or Okta. What are the best practices to implement federated authentication using OAuth2/OIDC or SAML in IRIS Management Portal or custom web apps?


To implement secure identity federation (OAuth2, OIDC, SAML) for InterSystems IRIS web apps, especially using Azure AD or Okta as identity providers, here are the best practices and steps to follow:

  1. Understanding Key Concepts:

    • OAuth2 enables token-based authentication, where users can authorize apps to access their data without revealing credentials. OpenID Connect (OIDC) extends OAuth2, providing user authentication and detailed user information via ID tokens.
    • SAML is another protocol for exchanging authentication and authorization data that supports Single Sign-On (SSO) across web-based applications [1][2].
  2. Using OAuth2 and Azure AD/Okta:

    • InterSystems IRIS supports using OAuth2 for federated authentication. Azure AD supports OAuth2 flows, while Okta provides tools such as an identity management system, policy engine, and integration capabilities [3][1].
    • For SSO, Okta offers out-of-the-box support for creating custom Authorization Servers. You can configure your applications to interact with Okta-provided endpoints, such as the Authorization and Token endpoints, for authentication [4][1].
    • To use Okta with OAuth2, you must:
      • Register the application with Okta.
      • Configure IRIS to recognize the Okta Authorization Server by providing the Issuer Discovery URL, redirect URLs, and client credentials [4][1].
  3. Using SAML with Azure AD or Okta:

    • In SAML integration, IRIS acts as the Service Provider (SP), and Azure AD or Okta as the Identity Provider (IdP). Essential configurations include:
      • Setting up metadata XML, SP Entity ID, and IdP certificates [2].
      • Configuring the Assertion Consumer Service (ACS) URL on IRIS for processing SAMLResponse messages from the IdP [2].
  4. Implementation Workflow:

    • For OAuth2/OIDC:
      • Use client libraries or HTTP calls for token handling via IRIS's %OAuth2.AccessToken and related classes [1][5].
      • Specify grant types, redirect URIs, scopes, and endpoints in IRIS applications.
      • Optional: Utilize delegated authentication via a ZAUTHENTICATE routine to handle session management [5][1].
    • For SAML:
      • Follow best practices like metadata sharing, secure use of certificates, and SSO enforcement. Utilize examples provided in open repositories like interis-saml-example [2].
  5. Enhancing Security:

    • Implement HTTPS for all communications between applications and authorization servers.
    • Use short-lived tokens in OAuth2 to minimize security risks.
    • Use appropriate session timeout and logout configurations to reduce unauthorized access risks [6][1].

By following the documentation and best practices mentioned, InterSystems IRIS web apps can securely employ identity federation and integrate with identity providers like Azure AD and Okta effectively.

Sources:
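The relying-party side of the OAuth2/OIDC workflow in step 4 comes down to validating the ID token the IdP (Azure AD or Okta) hands back, and that validation is where federation deployments most often go wrong. The following is an added Go example, not code from the original answer or from InterSystems; it assumes the IdP's JWKS has already been fetched from the issuer's discovery document and is passed in as a map keyed by kid, and it uses a locally generated key (IdPTestKey) as a stand-in for the IdP's real signing key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// IDClaims holds the claims a relying party must check before trusting an ID token.
type IDClaims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"` // string form as Azure AD and Okta issue it; OIDC also allows an array
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
}

// IdPTestKey is a constructed stand-in for the IdP key; production uses the issuer's jwks_uri, keyed by kid.
var IdPTestKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// ValidateIDToken accepts a token only if it is RS256-signed by the JWKS key named by its kid
// header and iss, aud, nonce, exp (vs now, Unix seconds) match; pinning alg rejects alg=none/HS256.
func ValidateIDToken(tok, issuer, clientID, nonce string, jwks map[string]*rsa.PublicKey, now int64) (*IDClaims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	b64 := base64.RawURLEncoding
	hdrRaw, e1 := b64.DecodeString(parts[0])
	sig, e2 := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signed input is header.payload
	if e1 != nil || e2 != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" ||
		jwks[hdr.Kid] == nil || rsa.VerifyPKCS1v15(jwks[hdr.Kid], crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature rejected: need RS256 with a key from the IdP JWKS")
	}
	body, err := b64.DecodeString(parts[1])
	var c IDClaims
	if err != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if c.Iss != issuer || c.Aud != clientID || c.Nonce != nonce || now >= c.Exp {
		return nil, errors.New("claim check failed: iss, aud, nonce or exp")
	}
	return &c, nil
}
```

The nonce is the value the app generated and stored in the session when it redirected the browser to the Authorization endpoint, which is what ties the returned token to that login attempt.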