When integrating FHIR infrastructure into an environment with an existing SAML-based SSO solution, it may be useful to set up a SAML to SMART bridge.
In this architecture, SMART applications request authorization from a SMART Outbound Security module. The outbound security module then creates a new SAML authorization request and directs the user to the SAML IDP for authentication. The SAML IDP issues a SAML token back to the outbound security module, which then accepts the token and uses it to issue an OIDC Access Token.
From the point of view of the SAML IDP in this model, the Service Provider (i.e. the client requesting authorization) is the Smile CDR SMART Outbound Security module. The SAML IDP does not need to be aware of the existence of individual SMART Apps, which are managed in Smile CDR through the OIDC Client Definitions manager.
This flow is shown below.
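The following is an added illustration of the bridge's half of that exchange, written for this page and not taken from Smile CDR's own code or configuration. It models the two trust relationships the text describes: the SAML assertion must be addressed to the bridge's own Service Provider entity ID (the IdP never sees individual SMART apps), and the resulting OIDC access token is bound to a client from the bridge's own client definitions, with scopes capped at what that definition allows. Every name, URL and key is a constructed placeholder; an HMAC over the assertion bytes stands in for XML-DSig verification, and an HS256 JWT stands in for the asymmetrically signed token a real deployment would issue.

```python
"""Toy SAML-to-SMART bridge: accepts a SAML assertion addressed to the bridge's
own SP entity ID and mints an OIDC-style access token for a registered SMART app.
Constructed example; names, URLs and keys are placeholders, not Smile CDR settings."""
import base64
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET
from datetime import datetime

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed values standing in for real deployment configuration.
BRIDGE_ENTITY_ID = "https://bridge.example.org/saml/sp"  # the bridge is the IdP's only Service Provider
OIDC_ISSUER = "https://bridge.example.org/oidc"
IDP_SIGNING_SECRET = b"constructed-idp-secret"           # stand-in for the IdP's XML-DSig certificate
BRIDGE_JWT_KEY = b"constructed-bridge-jwt-key"           # stand-in for the bridge's token signing key

# Constructed OIDC client definitions: the SAML IdP knows nothing about these apps.
SMART_CLIENTS = {
    "growth-chart-app": {"scopes": {"openid", "fhirUser", "patient/Observation.read"}},
}


def b64url(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def iso_to_epoch(stamp: str) -> float:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).timestamp()


# --- IdP side (constructed, so the example runs offline) ---------------------
def make_assertion(subject: str, audience: str, not_before: str, not_on_or_after: str) -> str:
    """Build a minimal SAML 2.0 assertion with Subject and Conditions."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Issuer>https://idp.example.org</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>"
        "</saml:Conditions></saml:Assertion>"
    )


def idp_sign(assertion_xml: str) -> str:
    """HMAC over the assertion bytes; stands in for the IdP's XML signature."""
    mac = hmac.new(IDP_SIGNING_SECRET, assertion_xml.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


# --- Bridge side -------------------------------------------------------------
def verify_assertion(assertion_xml: str, signature_b64: str, now: float) -> dict:
    """Check signature, audience and validity window before trusting the subject."""
    expected = hmac.new(IDP_SIGNING_SECRET, assertion_xml.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(signature_b64)):
        raise ValueError("assertion signature invalid")
    root = ET.fromstring(assertion_xml)
    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=SAML_NS)
    if audience != BRIDGE_ENTITY_ID:
        raise ValueError("assertion not addressed to this bridge")
    cond = root.find("saml:Conditions", SAML_NS)
    if not (iso_to_epoch(cond.get("NotBefore")) <= now < iso_to_epoch(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    return {"subject": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS),
            "idp": root.findtext("saml:Issuer", namespaces=SAML_NS)}


def issue_access_token(identity: dict, client_id: str, requested_scopes: set, now: float, ttl: int = 300) -> str:
    """Mint an HS256 JWT (real deployments use asymmetric keys) bound to one SMART client."""
    client = SMART_CLIENTS.get(client_id)
    if client is None:
        raise ValueError("unknown SMART client")
    granted = sorted(requested_scopes & client["scopes"])  # never exceed the client definition
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": OIDC_ISSUER, "sub": identity["subject"], "aud": client_id,
              "iat": int(now), "exp": int(now) + ttl, "scope": " ".join(granted)}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + b"." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(BRIDGE_JWT_KEY, signing_input, hashlib.sha256).digest()
    return (signing_input + b"." + b64url(sig)).decode()


def bridge_authorize(client_id: str, requested_scopes: set, assertion_xml: str, signature_b64: str, now: float) -> str:
    """The bridge's half of the flow: SAML response in, OIDC access token out."""
    identity = verify_assertion(assertion_xml, signature_b64, now)
    return issue_access_token(identity, client_id, requested_scopes, now)


def decode_claims(token: str) -> dict:
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


if __name__ == "__main__":
    now = iso_to_epoch("2024-01-01T12:00:00Z")
    xml = make_assertion("dr.smith", BRIDGE_ENTITY_ID, "2024-01-01T11:59:00Z", "2024-01-01T12:05:00Z")
    token = bridge_authorize("growth-chart-app", {"openid", "patient/Observation.read", "user/*.write"},
                             xml, idp_sign(xml), now)
    print(decode_claims(token))
```

Two checks carry the weight here. The audience check ties the assertion to the bridge's entity ID, which is the only Service Provider the IdP knows about; an assertion issued to some other SP is rejected even if validly signed. The scope intersection ties the issued token to the SMART app's client definition, so a request for `user/*.write` from an app registered only for `patient/Observation.read` yields a token without it.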
To build a SAML to SMART bridge, a SMART Outbound Security module should be created, and the FHIR Endpoint module should be configured to use it for OIDC authentication.
In addition, a SAML Inbound Security module should be created and configured appropriately for your SAML IDP.
Finally, SAML Authentication Enabled should be set on your SMART Outbound Security module.