Created by Daniel Kutac, Sales Engineer, InterSystems

Warning: if you get confused by URLs used: the original series used screens from machine called dk-gs2016. The new screenshots are taken from a different machine. You can safely treat url WIN-U9J96QBJSAG as if it was dk-gs2016.

Part 2. Authorization server, OpenID Connect server

9 12
2 4,486

Created by Daniel Kutac, Sales Engineer, InterSystems

Part 3. Appendix

InterSystems IRIS OAUTH classes explained

In the previous part of our series we have learned about configuring InterSystems IRIS to act as an OAUTH client as well as authorization and authentication server (by means of OpenID Connect). In this final part of our series we are going to describe classes implementing InterSystems IRIS OAuth 2.0 framework. We will also discuss use cases for selected methods of API classes.

The API classes implementing OAuth 2.0 can be separated into three different groups according to their purpose. All classes are implemented in %SYS namespace. Some of them are public (via % package), some not and should not be called by developers directly.

7 0
2 2,651
Pasi Leino · Apr 11, 2017
Authentication with REST

We are building a bunch of rest based services using Ens 2016.2 to serve our browser based application (Angular 4).

Two questions:

1. The initial authentication seems only work if credentials are placed in the url parameters. Trying to use the Authorization header instead, the client code immediately complains about Access-Control-Allow-Origin. How can I resolve this?

2. After initial authentication, what is the proper way to send subsequent rest calls without having to include credential every time?

2 7
0 2,263

Does anyone have any experience with getting, unfortunately, an older version of Cache to authenticate via SMTP to send email? I have verified that the settings are set up properly on the mailbox as I have successfully sent an email from a LAMP server, which comes from the same IP address.

If you have any thoughts, I would greatly appreciate it.

This is the error I receive

ERROR #6034: SMTP server connection failed during MAIL FROM command: <READ>zSend+105^%Net.SMTP.1.

0 6
0 2,106

If a user simply closes a tab (running a web application), is there any good way to ensure that the license is released AND the login cookie is destroyed?

I found that if the tab is simply closed without first logging out of the application, then 1) the license hangs around forever, and 2) if the user then opens a tab, he is already logged in.

1 5
0 1,545

Hello everyone,

I'm trying to authenticate a user(Health Share clinician) from a Java Application.

I 'm already connected to Caché and able to run SQL commands.

My question is: How can I authenticate a user using only SQL? In fact, what I want is verify if the users exists in the base and if the given password is the same used in Health Share.

There is a column 'password' in Security.users table but I'm not able to see its content, even so, I don't know which hash function to use to compare with.

1 7
0 1,482

Imagine that your .NET project uses the Caché DBMS and you need a fully-functional and reliable authorization system. Writing such a system from scratch would not make much sense, and you will clearly want to use something that already exists in .NET, e.g. ASP.NET Identity. By default, however, this framework supports only its native DBMS – MS SQL. Our task was to create an adaptor that would let us quickly and easily port Identity to the InterSystems Caché DBMS. This work resulted in creation of the ASP.NET Identity Caché Provider.

4 1
0 1,192

I am setting up a new Caché instance and I have managed to configure it where Caché username/password is required to initiate the Caché session:

csdfalsdkfjf@fra23e234sco:/opt/labmed/test/test81/proc$ csession cache1

Node: frxxco, Instance: CACHE1


I cannot find the setting in the management console that allows for unauthenticated login to a Caché session. Any help is much appreciated.

0 4
0 1,166

Is this available anywhere (for Health Connect)? I've found a few presentations but they are aimed at entry level.

We're looking at supporting more and more FHIR, REST plus OAuth interfaces in future. I've built some of this into older versions of HealthShare and Ensemble but it's desirable to move to supported versions.

We would be using Healthshare as a facade to other systems.

0 3
0 1,133

As many of you, our partners, are more widely using modern UI frameworks to create client front-end, you may have encountered a question, "So how do I secure my data when I just finished developing all new fancy browser based client experience?"

The answer is easy. Use a standard, proven OAuth2 and OpenID!

"OK, but how can I do it? I have never done it before."

No problem, just have a look here, if your client is Angular (not AngularJS) based, there is a demo project available for you to review and get inspired!

6 1
0 1,131
Dmitry Maslennikov · May 11, 2020 5m read
Work with SAML in IRIS

When a company is quite large and many different applications used by employees. But while those applications are mostly completely different, how to make it possible to not force users to enter credentials as many times as many applications they would like to use. The best way is to use SSO, so, it will be possible to have a portal, where users could launch any application used in a company. There are many different ways how to give access to your application by using the SSO mechanism, and some of them are:

  • OAuth2
  • Kerberos
  • SAML

InterSystems already supports OAuth2 and can be quite easily deal with Kerberos. But I would like to discuss about using SAML (Security Assertion Markup Language).

4 2
5 966

Hello community,

I have productions running in several different namespaces. They all use a common credentials ID for sending email, which is set up in only one of the namespaces. The documentation says that credentials are entered by namespace. When I ran a production in a second namespace, the error log said that credentials were not found (expected), but later attempts to send a file thorugh the production did successfully send an email. I'm wondering if Ensemble is able to look in other namespaces for the same credentials ID?

0 2
0 676

Hopefully this is a simple questions to respond to. Can you do Delegated Authentication for SOAP web service calls. I ask as I am not seeing this work as expected. I have this authentication turned on and enabled in for he CSP Web Application yet I keep getting a "Security Token could not be Authenticated. And a global I was setting to capture some of the available data is not being loaded.

0 1
0 655

Unless I'm mistaken, 2017.1 doesn't appear to support RFC 7523 (JSON Web Token Profile for OAuth 2.0 Client Authentication and Authorization Grants). Is that coming in 2017.2?

In order to support it in 2017.1, I'd have to override the OAuth 2.0 token endpoint to cater for the additional grant types - what's the best way to do this?


0 3
0 576

I've noticed that Management portal somehow manages to allow a single user to be in different namespaces in different tabs in the same application (i.e. Management Portal). I've looked at my Processes, however, and see that all of my processes using MgmtPortal think I'm in %SYS, even though 2 of them are looking at globals in two different namespaces; NamespaceA and NamespaceB.

I can even fool MgmtPortal because the first time I try to look at a global in NamespaceA it thinks I'm in %SYS! After a refresh, however, I can see the global in NamespaceA.

0 8
0 543

OAuth server to be deployed on the IRIS learning cloud platform. Clients - one on the other instance of the learning IRIS server, the other client locally on my computer in the container docker.

Both clients get a seemingly correct link (through ##class(%SYS.OAuth2.Authorization).GetAuthorizationCodeEndpoint()) to the login request form:

1 3
1 543

I am working on an ZAUTHENTICATE.mac to move us from local cache users to Delegated Authentication against LDAP.

I have created a user role within my instance of Ensemble that matches the AD Group that I will be assigning everyone in my group to. Is there a way to query the list of available Roles within Ensemble, and if one of my AD groups matches that role, set the role for that user?

How would I compare the AD Group against the Role listing?



0 10
0 499

Hi -

I know that when specifying Caché password rules (i.e. what constitutes a valid password definition) that the "Pattern Matching" logic is what is getting leveraged under the covers to enforce the "A Password Must conform to X" rule. I was hoping that people could share some more sophisticated pattern matching rules. (in particular, I was wondering what a rule that would require non-repeating mixture of letter, numbers, & punctuation of an overall minimal size)

1 3
0 490