

Description: This workflow describes how the IL will provide a mechanism to allow single sign-on (SSO) to be enabled for the users of the management applications for the HIE registries. (Note: This does not include users of the PoS applications; these applications will be responsible for managing their users locally.)

Sponsor:  Ryan Crichton, with the IL community

Status:  proposed

Last Modified:  19/02/2014

Referenced Standards and APIs:


  • MoH - This actor represents the authority that controls access to the HIE. This is likely a Ministry of Health or a Department of Health.
  • User - a user of the management application in question
  • Some management application - an application that manages one of the registries that make up the HIE
  • IL - the interoperability layer that provides the SSO service


Open Questions

  • Do the management applications control their own user authorisation lists or should this be something that the IL does?

Technical details


| Ref | Interaction | Endpoint | Data | Transaction Specification |
|-----|-------------|----------|------|---------------------------|
| 1 | Determines that the user should have access to manage a registry policy | | | |
| 2 | Registers the user with the IL via the web UI | | The user's details (email, name, department, job title) | Via the Web UI |
| 3 | Send an email allowing them to complete registration and set a password | | A registration link | email |
| 4 | User visits the management application to log in | | | OpenID authentication request |
| 5 | The application redirects the user to the IL to log in | | | OpenID authentication request |
| 6 | The user logs in using the IL | | | OpenID authentication response |
| 7 | The IL redirects the user back to the management application with a claimed identity | | | OpenID authentication response |
| 8 | The user accesses the management application using the claimed identity | | | OpenID verifying assertions |
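
Steps 7 and 8 are where a management application decides whether to trust the identity it was handed. The sketch below is an added example, not part of the original proposal or of any IL code: it assumes "OpenID" means OpenID Authentication 2.0 with an HMAC-SHA256 association shared between the IL and the application, and it covers the issuer, return_to, nonce and signature checks only (discovery on the claimed identifier is left out). All URLs and function names are hypothetical.

```python
import base64, hashlib, hmac, secrets
from datetime import datetime, timedelta, timezone

# Constructed values for illustration; none of them come from the workflow page.
IL_ENDPOINT = "https://il.example.org/openid"
RETURN_TO = "https://registry-admin.example.org/openid/return"
SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity")

def sign_fields(fields, mac_key):
    """HMAC-SHA256 over the key-value form ("name:value\\n") of the fields listed in openid.signed."""
    kv = "".join(f"{n}:{fields['openid.' + n]}\n" for n in fields["openid.signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def build_assertion(claimed_id, handle, mac_key, now):
    """IL side (step 7): positive assertion carried on the redirect back to the application."""
    fields = {"openid.mode": "id_res", "openid.op_endpoint": IL_ENDPOINT,
              "openid.return_to": RETURN_TO, "openid.claimed_id": claimed_id,
              "openid.identity": claimed_id, "openid.assoc_handle": handle,
              "openid.response_nonce": now.strftime("%Y-%m-%dT%H:%M:%SZ") + secrets.token_hex(4),
              "openid.signed": ",".join(SIGNED)}
    fields["openid.sig"] = sign_fields(fields, mac_key)
    return fields

def verify_assertion(fields, associations, seen_nonces, now, max_skew=timedelta(minutes=5)):
    """Application side (step 8): return the claimed identity or raise ValueError."""
    if fields.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    signed = set(fields.get("openid.signed", "").split(","))
    if not set(SIGNED) <= signed or any("openid." + n not in fields for n in signed):
        raise ValueError("required field missing or not covered by the signature")
    if fields["openid.op_endpoint"] != IL_ENDPOINT:
        raise ValueError("assertion was not issued by the IL")
    if fields["openid.return_to"] != RETURN_TO:
        raise ValueError("return_to does not match this application")
    nonce = fields["openid.response_nonce"]
    issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs(now - issued) > max_skew or nonce in seen_nonces:
        raise ValueError("stale or replayed nonce")
    mac_key = associations.get(fields["openid.assoc_handle"])
    if mac_key is None:
        raise ValueError("unknown association handle")
    expected = sign_fields(fields, mac_key).encode()
    if not hmac.compare_digest(expected, fields.get("openid.sig", "").encode()):
        raise ValueError("bad signature")
    seen_nonces.add(nonce)  # consume the nonce only after every other check has passed
    return fields["openid.claimed_id"]
```

Whatever the answer to the open question on authorisation lists, the application should map the returned identity to its permissions only after this function returns without raising.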