This problem affects the following products:
- HealthShare Personal Community 2020.1, 2020.2, 2021.2
Personal Community's external credentials feature allows Personal Community to integrate with an external identity provider (IdP) over OAuth 2.0.
Prior to going live with the external credentials, organizations should evaluate the following default workflow for Personal Community:
- Patient selects the “Sign-in with IdP” button, is redirected to the IdP to authenticate, and accesses Personal Community.
- After using the Personal Community application, the patient signs out of Personal Community.
- Without closing the browser, the patient immediately selects the “Sign-in with IdP” button again.
Because the patient has an active session accessible from the IdP, they are not prompted to authenticate again and are able to access Personal Community.
Some sites may wish to enforce that a patient is always prompted to authenticate with the IdP when they select the “Sign-in with IdP” button in Personal Community.
Provided the IdP supports this, this can be enforced by adding ?prompt=login to the end of the authorization endpoint. This can be updated in the Personal Community Management Portal by navigating to System Administration > Security > OAuth2.0 > Client and selecting the Issuer Endpoint for this connection.
If you have any questions regarding this advisory, please contact the Worldwide Response Center (WRC) and refer to HSPC-12755.