Using the Duo API Integration

Multi-Factor Authentication User Guide

Using the TOTP API Integration

After invoking the /users/_login endpoint, you will receive a payload like this: <com.mirth.connect.plugins.mfa.model.MfaLoginStatus> ... <primaryStatus>SUCCESS</primaryStatus></com.mirth.connect.plugins.mfa.model.MfaLoginStatus> Take note of primaryStatus, which lets you know whether primary authentication (username and password) succeeded. You should only proceed if the primary status is SUCCESS or SUCCESS_GRACE_PERIOD. Generate a new verification code by using the secret key you previously stored. Call the /users/_login endpoint again. On this second leg of authentication, only the username is required, not the password. Concatenate the username, primary status, and verification code with colons (":"). Then send the string as a custom header, X-Mirth-Login-Data. If the login call was successful, the server returns a JSESSIONID cookie for you to use on subsequent requests. Once you no longer need the session, call the /users/_logout endpoint to clear the session data on the server. P

Multi-Factor Authentication User Guide

Using the Duo Universal API Integration

Note: You must use Mirth® Connect 4.5.0 or higher with Duo Universal. Note: Instructions on working with the DUO Administrator are available at https://duo.com/docs/duoweb#detailed-sdk-workflow. First Call The first call posts to the /users/_login endpoint in order to get authorization. To authenticate the Duo Administrator, it is necessary to provide a X-Mirth-Server-Url header containing the Mirth server URL. After invoking the /users/_login endpoint, you will receive a payload that looks, for example, like this:<com.mirth.connect.plugins.mfa.model.DuoLoginStatus> .... <primaryStatus>SUCCESS</primaryStatus> <apiHostname>api-ff51bcf3.duosecurity.com</apiHostname> <authURL>https://api-ff51bcf3.duosecurity.com/oauth/v1/authorize?scope=openid&response_type=code&redirect_uri=https://localhost:8443/api/4.5.0/extensions/mfa/duocallback&client_id=DIZ4Q0FEZGOK8ZVOWN2O&request=eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJkdW9fdW5hbWUiOiJ0ZXN0MSIsInNjb3BlIjoib3BlbmlkIiwicmVzcG9uc2Vfd

Multi-Factor Authentication User Guide

Client API Integrations

If you have built any custom integrations that use the REST API and require automatic, programmatic access, most likely you will want to exclude the user tied with the integration from MFA. No additional development is needed. See Excluding Users from MFA. If your custom integration still interacts with the user, you can elect to handle the multifactor signatures and codes manually. Because of the nature of multifactor authentication, Basic HTTP Auth is not supported when MFA is enabled. Instead invoke the /users/_login and /users/_logout endpoints to perform session-based auth. Using the TOTP API Integration Using the TOTP API integration. Using the Duo API Integration Using the Duo Universal API Integration Using the Duo Universal API integration Parent topic: Limitations of MFA

Mirth® Connect by NextGen Healthcare User Guide

Authentication

Mirth® Connect supports both session-based cookie authentication and basic authentication. Basic Authentication: Simply include an Authorization header on all API requests, with basic credentials. Example (for admin/admin): Authorization: Basic YWRtaW46YWRtaW4= Session-Based Authentication: First, invoke the POST /users/_login endpoint, passing in your login credentials. If successful, the server will respond with a cookie (Set-Cookie header) like the following: Set-Cookie: JSESSIONID=uysqrtx9lle36ernybizstps;Path=/api;Secure Invoke the actual API endpoints of your choice, passing in the same cookie as a header: Cookie: JSESSIONID=uysqrtx9lle36ernybizstps;Path=/api;Secure Once you are done, make sure to call the POST /users/_logout endpoint, making sure to pass in the same cookie. Session-based Authentication is preferred since you only need to transmit your login credentials once. Note that the API documentation page invokes the same endpoint automatically when you login at the top: I

Multi-Factor Authentication User Guide

Configure Duo Integration Settings

Log on to the Mirth® Connect by NextGen Healthcare Administrator, and open the Settings view: Selecting the Settings View Select the MFA settings tab to view the current Multi-Factor Authentication Settings. Next to Enabled, select Yes to enable MFA. Next to MFA Type, select Duo. Copy the Client ID, Client Secret, and API Hostname from the Duo Admin Panel. Copying Values from the Duo Admin Panel When you are done, select the Save task on the left-hand side to save changes. Parent topic: Using Duo Multi-Factor Authentication

Mirth® Connect by NextGen Healthcare User Guide

Mirth® Connect REST API

The Administrator and Command Line Interface both use a well-defined API to communicate with the Mirth® Connect server. You can also use the same API to create custom integrations of your own. The API is documented at https://localhost:8443/api (change the IP / port as needed), or you can select View Client API in Administrator via Other Tasks: Select the View Client API action to open the API documentation in your default browser. Note: You may see a warning in your browser if your Mirth® Connect instance is still using the auto-generated self-signed certificate. You can select Advanced and allow the browser to continue to the page. To resolve this warning, look at Application Data Directory for instructions on installing your own certificate. Select the arrow button on one of the endpoint group rows to view its operations. This list shows the operation's HTTP method type, request URL, and a description for each endpoint. Select on one of the endpoint rows to view its details. If desi

Using the Duo API Integration

Recommendations

Using the TOTP API Integration

Using the Duo Universal API Integration

Client API Integrations

Authentication

Configure Duo Integration Settings

Mirth® Connect REST API

Using the TOTP API Integration

Using the Duo Universal API Integration

Client API Integrations

Authentication

Configure Duo Integration Settings

Mirth® Connect REST API