A precursor to any exchange between parties requires setting up a secure exchange via a registration process. This section covers the registration and authentication considerations for both requesting and responding payers.

61.2.2When You Are the Requesting Payer

61.2.2.1Creating SMART Server Definitions

SMART Server Definition configuration defines how your Smile CDR instance will authenticate and communicate with external FHIR servers, enabling secure Payer-to-Payer data exchange.

61.2.2.1.1Configuration Options

Choose a manual or automated process for creating the definitions:

Manually via Smile web admin console: Navigate to "Smart Outbound Security" "Server Definitions"
Programmatically via JSON admin API: The OpenID Connect Servers Endpoint allows for automated creation and management of server definitions, especially useful for deployments across multiple environments
Generating an OIDC pre-seed files: A pre-seed file allows you to define and configure OIDC servers programmatically. This is particularly useful for automating deployments, maintaining consistent configurations across environments, and version controlling your OIDC setup

61.2.2.1.2Key Configuration Fields

Field	Description	Example
Server Name	Identifier for the server definition	`p2p-server`
Source Issuer URL	The exact Issuer URL of the Source Payer's OIDC client	`https://source-payer.com/`
.well-known endpoint	Discovery endpoint for OIDC configuration	`{issuer.url}/.well-known/openid-configuration`
Request Scopes	Required scopes for access	`openid cdr_all_user_authorities`
Source FHIR Endpoint URL	Base URL of the external FHIR server	`https://source-payer.com/fhir`
Token URL	Service URL for code exchange	`https://source-payer.com/oauth/token`
Custom Token Parameters	Additional parameters	`Patient`
Response Type	Expected response format	`code id_token token`
Organization ID	Links OIDC server to internal Organization resource	`org-123`

61.2.2.1.3Authentication Configuration

Set up authentication parameters:

Authorization Base URL and Token Base URL: Endpoints for the authorization server
Authentication Method: Typically "Client Credentials" for backend services
Client ID: Provided by the external Identity Provider (IdP) for the P2P application
Public/Private Keys: Configure as per key management requirements
Scopes: Specify as required (e.g., openid, fhirUser, patient/*.read)
FHIR Endpoint: Base URL of the external FHIR server

61.2.2.2Using External Identity Servers

For customers who manage their authentication keys and processes within external Identity Provider (IdP) services (e.g., PingFed), Smile CDR's System-to-System (S2S) module provides a mechanism to integrate with these services.

This approach is particularly useful when:

Your organization has an existing, established IdP that manages user authentication and authorization
You need to leverage specific authentication flows or assertions provided by your external IdP
You want to centralize key management within your IdP and avoid duplicating it within Smile CDR

61.2.2.2.1Interceptors for External Token Retrieval

Interceptors in Smile CDR act as customizable hooks within the P2P request flow. Two key interceptor pointcuts are relevant:

P2P_RCV_MEMBER_MATCH_TOKEN_REQUEST: Invoked during the $member-match operation when a token is being requested.
P2P_RCV_EXPORT_TOKEN_REQUEST: Invoked during the $export operation when a token is being requested.

These interceptors receive inputs such as the S2S OIDC Server settings and the JWT Client Assertion.

61.2.2.2.2Logical Flow with External IdP

Initiate Request: Once a payer has captured consent from the member, the payer initiates an $invoke-export request with Smile.
Interceptor Invocation (Client Assertion): Smile CDR calls the interceptor to request a signed client assertion from the IdP.
Interceptor Invocation (Token Request): Smile CDR calls the token request interceptor to generate a custom token request.
Token Request to Source Server: The request is sent to the other payer's OAuth2 Server.
Access Token Generation and Storage: Upon successful validation, the access token is returned and stored by Smile CDR.

61.2.2.3Creating Organization Resources

As part of the registration process, payers should generate an HRex Organization resource to support:

Providing a list of supported payers to end users: Applications can query Organization resources to present a list for selecting another health insurance provider
Documenting the source of imported records via Provenance: The system-to-system module can add an Organization reference to the source payer
B2B registration workflows: Establishing business identity separate from technical credentials

61.2.3When You Are the Responding Payer

61.2.3.1Creating SMART Client Definitions

Creating a SMART Client Definition for the requester is a required step for responding payers.

61.2.3.1.1Configuration Options

Manually via Smile web admin console: Under Users & Authorization, create a new OIDC Client under the SMART_OUT module
Programmatically via JSON admin API: For automated deployments
Generating an OIDC pre-seed files: For consistent configurations across environments

61.2.3.1.2OIDC Client Configuration

Key configuration steps:

Set a client_id and configure authentication using Client JWT Authentication
Grant the following permissions:
- FHIR_OP_INITIATE_BULK_DATA_EXPORT
- FHIR_OP_MEMBER_MATCH
- FHIR_ALL_READ
- FHIR_ALL_WRITE
Save the OIDC Client configuration

61.2.4Authorizing Access

Two key considerations when designing the authorization layer:

Storing business identity: Consent is often linked to a business identifier, not a set of client credentials. Your system must be able to store a business identifier for the requesting payer that can be linked with credentials
Validating business identity: At the time of the request, an interceptor can cross reference the credentials against resources that validate authorization

61.2.4.1Single-Member Authorization via Consent

For responding payers supporting Patient-level $export flows:

Primary document linking requester to member's consent is the Consent resource sent as part of $member-match request
Smile's implementation stores this Consent resource and adds an extension linking it to a SMART Client Definition
In a callback script after successful authentication, the system can reference the Consent to:
- Ensure the member's Consent exists for the requester
- Ensure it is still valid (if an end date is defined)

61.2.4.2Multi-Member Authorization via Token Claims

For responding payers supporting Group-level $davinci-data-export flows:

A Group resource is the primary document linking a requester to member's opt-in
The token includes a claim declaring relevant business identifier(s) for the client
In a callback script after successful authentication, the system cross-references identifiers in the claim with "match" Groups

61.2.4.3Multi-Member Authorization via Organization

For FHIR-resource based design:

An Organization resource is created for the requesting payer at registration
Contains a reference to the SMART Client Definition in an extension
In a callback script, the system cross-references client credentials with linked Organization resources

61.2.4.4Business Identifier Methods

Two recommended methods for obtaining business identifiers during group creation:

61.2.4.4.1Method A: Retrieving from Authentication Claim

Process:

Client system authenticates with external IAM.
External IAM includes business identifier as claim within authentication token (e.g., JWT).
Smile CDR receives and trusts the token.
Callback script extracts business identifier from token claims.

Best Practice: This approach leverages existing security infrastructure and ensures the identifier is securely and dynamically passed with each request.

61.2.4.4.2Method B: Retrieving from Organization Resource Extension

Process:

Upon initial registration, an Organization resource is created for the client system.
An extension stores the business identifier (e.g., http://smilecdr.com/fhir/extensions/payer-business-id).
During group creation, callback script retrieves the value from the Organization resource.

Considerations: Useful if the business identifier is static and does not change frequently.

61.2.4.5Sample Callback Script

function onAuthenticateSuccess(theOutcome, theOutcomeFactory, theContext) {
    theOutcome.addUserData('business-id', 's2sBusId');
    return theOutcome;
}

Note: s2sBusId is a fixed value for demonstration. In reality, this will be a value either supplied by the external IAM or a lookup of an Organization resource.

61.2.5Configuration Considerations

To implement external IdP integration:

Deploy Interceptors: Ensure custom interceptor scripts are properly deployed within your Smile CDR environment
S2S OIDC Server Settings: Configure settings to point to your external IdP's endpoints (e.g., .well-known/jwks.json for JWKS-based authentication)
Client Registration: Ensure your Smile CDR instance is registered as a client with your external IdP
Refactor Token Request Code: Use OIDC libraries as appropriate within interceptor scripts

61.1 Configure Responding Payer 61.3 Execute P2P Exchanges