Authentication

Mirth® Connect by NextGen Healthcare User Guide

Mirth® Connect REST API

The Administrator and Command Line Interface both use a well-defined API to communicate with the Mirth® Connect server. You can also use the same API to create custom integrations of your own. The API is documented at https://localhost:8443/api (change the IP / port as needed), or you can select View Client API in Administrator via Other Tasks: Select the View Client API action to open the API documentation in your default browser. Note: You may see a warning in your browser if your Mirth® Connect instance is still using the auto-generated self-signed certificate. You can select Advanced and allow the browser to continue to the page. To resolve this warning, look at Application Data Directory for instructions on installing your own certificate. Select the arrow button on one of the endpoint group rows to view its operations. This list shows the operation's HTTP method type, request URL, and a description for each endpoint. Select on one of the endpoint rows to view its details. If desi

Multi-Factor Authentication User Guide

Using the TOTP API Integration

After invoking the /users/_login endpoint, you will receive a payload like this: <com.mirth.connect.plugins.mfa.model.MfaLoginStatus> ... <primaryStatus>SUCCESS</primaryStatus></com.mirth.connect.plugins.mfa.model.MfaLoginStatus> Take note of primaryStatus, which lets you know whether primary authentication (username and password) succeeded. You should only proceed if the primary status is SUCCESS or SUCCESS_GRACE_PERIOD. Generate a new verification code by using the secret key you previously stored. Call the /users/_login endpoint again. On this second leg of authentication, only the username is required, not the password. Concatenate the username, primary status, and verification code with colons (":"). Then send the string as a custom header, X-Mirth-Login-Data. If the login call was successful, the server returns a JSESSIONID cookie for you to use on subsequent requests. Once you no longer need the session, call the /users/_logout endpoint to clear the session data on the server. P

Multi-Factor Authentication User Guide

Using the Duo Universal API Integration

Note: You must use Mirth® Connect 4.5.0 or higher with Duo Universal. Note: Instructions on working with the DUO Administrator are available at https://duo.com/docs/duoweb#detailed-sdk-workflow. First Call The first call posts to the /users/_login endpoint in order to get authorization. To authenticate the Duo Administrator, it is necessary to provide a X-Mirth-Server-Url header containing the Mirth server URL. After invoking the /users/_login endpoint, you will receive a payload that looks, for example, like this:<com.mirth.connect.plugins.mfa.model.DuoLoginStatus> .... <primaryStatus>SUCCESS</primaryStatus> <apiHostname>api-ff51bcf3.duosecurity.com</apiHostname> <authURL>https://api-ff51bcf3.duosecurity.com/oauth/v1/authorize?scope=openid&response_type=code&redirect_uri=https://localhost:8443/api/4.5.0/extensions/mfa/duocallback&client_id=DIZ4Q0FEZGOK8ZVOWN2O&request=eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJkdW9fdW5hbWUiOiJ0ZXN0MSIsInNjb3BlIjoib3BlbmlkIiwicmVzcG9uc2Vfd

Multi-Factor Authentication User Guide

Using the Duo API Integration

After invoking the /users/_login endpoint, you will receive a payload like this: <com.mirth.connect.plugins.mfa.model.DuoLoginStatus> ... <primaryStatus>SUCCESS</primaryStatus> <apiHostname>api-f9248ffb.duosecurity.com</apiHostname> <signedRequest>TX|...:APP|...</signedRequest></com.mirth.connect.plugins.mfa.model.DuoLoginStatus> Take note of the primaryStatus, which lets you know whether primary authentication (username and password) succeeded. You should only proceed if the primary status is SUCCESS or SUCCESS_GRACE_PERIOD. Note the apiHostname and signedRequest, as those will be passed into the Duo iframe. The next step is to show the Duo iframe to the user, and retrieve the signed response string. Instructions are here: https://duo.com/docs/duoweb. After you retrieve the signed response string, call the /users/_login endpoint again. On this second leg of authentication, only the username is required, not the password. Concatenate the username, primary status, and signed response wi

Mirth® Connect by NextGen Healthcare User Guide

JavaScript HTTP Authentication

Allows you to authenticate users with a custom JavaScript script. With this script you have access to source map variables, and can choose whether to send a challenged or failure response back to the client. The default script simply allows all requests to pass. The Script field will show <Default Script Set> if the default script is currently being used. If you have made any modification to the script, the Script field will show <Custom Script Set>. Select the Script field to edit the JavaScript: This script expects either a boolean ( true to accept the request, false to send back a failure response) or an AuthenticationResult object to be returned (for additional information, see User API) . There are three types of results you can return: AuthenticationResult.Success(): The request will be accepted and processed through the channel. AuthenticationResult.Challenged(authenticateHeader): The request will not be processed through the channel. A 401 response will be sent back to the clie

Multi-Factor Authentication User Guide

Client API Integrations

If you have built any custom integrations that use the REST API and require automatic, programmatic access, most likely you will want to exclude the user tied with the integration from MFA. No additional development is needed. See Excluding Users from MFA. If your custom integration still interacts with the user, you can elect to handle the multifactor signatures and codes manually. Because of the nature of multifactor authentication, Basic HTTP Auth is not supported when MFA is enabled. Instead invoke the /users/_login and /users/_logout endpoints to perform session-based auth. Using the TOTP API Integration Using the TOTP API integration. Using the Duo API Integration Using the Duo Universal API Integration Using the Duo Universal API integration Parent topic: Limitations of MFA

Authentication

Recommendations

Mirth® Connect REST API

Using the TOTP API Integration

Using the Duo Universal API Integration

Using the Duo API Integration

JavaScript HTTP Authentication

Client API Integrations

Authentication

Mirth® Connect REST API

Using the TOTP API Integration

Using the Duo Universal API Integration

Using the Duo API Integration

JavaScript HTTP Authentication

Client API Integrations