Configure Interaction

To enable the Cloud Payer To Payer service to authorize your current and former members and to pull your former members' data, the service needs to have access to your authorization server and know how to find data of a specific member on your FHIR server. This help topic describes configurations you have to share with the Cloud Payer To Payer service to let the service interact with your system.

Prerequisites:

  • Register the Cloud Payer To Payer service with your authorization server as a confidential client, issue the client ID and the secret key, and specify permissions (scopes) that the Cloud Payer To Payer service is granted when accessing member data (for example, user/*.read). If you use Edifecs XES Module for FHIR, refer to this help topic for more information on FHIR OAuth 2.0 scopes.
  • To find the redirect URL of the Cloud Payer To Payer service needed for client registration, go to the Organization Profile page > Organization Integration Settings section > CP2P Redirect URL. If you use Edifecs XEConnect Authorization Service, review this help section to learn how to create and configure authorization clients.
  • Obtain the URL where your identity provider settings (metadata) can be accessed (for example, https://{openid-provider-address}/.well-known/openid-configuration). These settings (such as the authorization endpoint URL, supported response types, supported scopes, and so on) are required for your current and former members' authentication.
  • In your member identity provider, create a test member account (if you do not have one). You will need these credentials to establish a test connection to your FHIR server endpoint and to access the member application to check its functionality.

To share configurations with the service:

  1. Go to the Organization Profile page > Organization Endpoint section, and click Add Endpoint Details.
  2. In the Edit Endpoints dialog, specify the following:

    Authorization Server Details

    • OIDC Metadata Url: The endpoint URL where your identity provider's OpenID settings are available (see prerequisites).
    • CP2P Client ID: The client ID given to the client that you have registered with your authorization server (see prerequisites).
    • CP2P Secret Key: The client secret generated by your authorization server when you registered the client (see prerequisites).
    • Scope: The set of permissions you specified when you registered the service as a client (see prerequisites).

    FHIR User ID

    To request information about a specific member from your FHIR server, the service needs to know the unique FHIR ID of this member. This ID must be passed to the service by your identity provider as a claim within the JWT access token after the member is authenticated.

    • In Claim Location, select where the claim that carries the FHIR user ID will be passed (in ID Token or Token Response).
    • In Claim Name, specify the name of the claim that carries the FHIR user ID (for example, fhirUser).

    PKCE

    Cloud Payer To Payer supports Proof Key for Code Exchange (PKCE) to prevent authorization code injection attacks and cross-site request forgery. If you want to enable PKCE for the CP2P client's authorization and your authorization server supports this functionality, select Use PKCE.

    FHIR Server

    • Fhir Server Patient URI Template: The URL template that the Cloud Payer To Payer service will use to request data of a specific member from your FHIR server (for example, https://myhealthplan.com/fhir/R4/{fhirUser}).

    Additional Headers

    If your FHIR Server endpoint requires specific headers to be present in HTTP requests, click Add Header and provide keys and values for the headers to be included in the CP2P client's requests. If the CP2P client must pass its client ID and/or secret key in headers, you can specify these values with the {clientId} and {secretId} macros.

  3. Click Save.
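The following script is an added example, not Edifecs code, that walks through what the dialog settings above control on the wire: the S256 PKCE challenge for the authorization request, extracting the FHIR user ID from either the ID Token or the Token Response (the Claim Location choice), rendering the Fhir Server Patient URI Template, and expanding the {clientId}/{secretId} header macros. The discovery metadata, token, shared secret and endpoint names are all constructed so it runs offline; real ID tokens are normally RS256/ES256 and verified against the provider's jwks_uri rather than an HMAC secret, and the FHIR ID character check is this example's own conservative assumption, not a rule from the page.

```python
import base64
import hashlib
import hmac
import json
import re
import time
from urllib.parse import urlencode

# Constructed stand-in for what a GET of the OIDC Metadata Url would return.
OIDC_METADATA = {
    "issuer": "https://login.example-plan.test",
    "authorization_endpoint": "https://login.example-plan.test/oauth2/authorize",
    "token_endpoint": "https://login.example-plan.test/oauth2/token",
    "code_challenge_methods_supported": ["S256"],
}

# Assumed shape of an acceptable FHIR ID (optional resource type prefix).
FHIR_ID_RE = re.compile(r"^(?:[A-Za-z]+/)?[A-Za-z0-9.\-]{1,64}$")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge per RFC 7636; the weaker 'plain' method is not offered."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(metadata, client_id, redirect_uri, scope, state, code_verifier=None):
    """Authorization request built from discovery metadata; PKCE only if 'Use PKCE' is on."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    if code_verifier is not None:
        if "S256" not in metadata.get("code_challenge_methods_supported", []):
            raise ValueError("authorization server does not advertise S256 PKCE")
        params["code_challenge"] = pkce_challenge(code_verifier)
        params["code_challenge_method"] = "S256"
    return metadata["authorization_endpoint"] + "?" + urlencode(params)


def make_constructed_id_token(shared_secret: bytes, claims: dict) -> str:
    """Mint an HS256 ID token for the offline demo (stands in for the provider)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(shared_secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def decode_id_token(token, shared_secret, issuer, client_id, now=None):
    """Verify signature, iss, aud and exp before trusting any claim in the token."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(shared_secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("ID token signature check failed")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer or claims.get("aud") != client_id or claims.get("exp", 0) <= now:
        raise ValueError("ID token iss/aud/exp check failed")
    return claims


def extract_fhir_user(token_response, claim_location, claim_name, **verify):
    """claim_location mirrors the dialog's Claim Location: 'ID Token' or 'Token Response'."""
    if claim_location == "ID Token":
        source = decode_id_token(token_response["id_token"], **verify)
    elif claim_location == "Token Response":
        source = token_response
    else:
        raise ValueError("unknown claim location")
    value = source.get(claim_name)
    if not isinstance(value, str) or not FHIR_ID_RE.match(value):
        raise ValueError(f"claim {claim_name!r} missing or malformed in {claim_location}")
    return value


def render_patient_uri(template: str, fhir_user: str) -> str:
    if "{fhirUser}" not in template:
        raise ValueError("template lacks {fhirUser} placeholder")
    return template.replace("{fhirUser}", fhir_user)


def render_headers(header_config: dict, client_id: str, secret_id: str) -> dict:
    """Expand the {clientId} and {secretId} macros from the Additional Headers table."""
    return {k: v.replace("{clientId}", client_id).replace("{secretId}", secret_id)
            for k, v in header_config.items()}
```

The verifier is generated once per authorization attempt and kept server-side until the token exchange; the FHIR ID check before substitution keeps a malformed claim value from being spliced into the request path unexamined.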

Test the endpoint connection

To make sure that the Cloud Payer To Payer service is able to connect to your FHIR endpoint and pass authorization at your authorization server, you can test the connection through the Cloud Payer To Payer service.

  1. On the Organization Profile page, in the Organization Endpoint section where you provided your endpoint configurations, click Test Connection.
  2. Enter credentials of your test member (see prerequisites) to get access to your FHIR server endpoint through your authorization server and click Login.
  3. Review the allowed application permissions (scopes) and click Agree.

If you specified your configurations correctly, you will see a message that the connection has been verified. Edifecs recommends that you run this connectivity test each time you edit the configurations.