All services require a valid token from the IdP when called.
All services require TLS (version 1.2 or higher) for transport security.
In line with industry best practices the HIMSA IdP does not allow IFRAME based usage for any kind of user interactive authentication. An X-FRAME-OPTIONS HTTP header is always returned with the value ‘SameOrigin’.
...
Noah ES contains an Identity Provider that supports OAuth 2.0 and OpenId Connect. The Identity Provider (IdP) is used for Authentication.All services require a valid token from the IdP when called.
1. Request
Parameters that must be supplied:
URI and port number
QA environment: idp-qa.himsa-sso.com:443
Production: idp.noahhimsa-essso.com:443 (data residency is always EU in the Preview release)
ClientId: Supplied by HIMSA
Client secret: Supplied by HIMSA if required
Scope: openid profile noah.cloud.app.users.api
If relevant for your app and app registration allows: offline_access
Flow: Authorization Code + PKCE
RedirectURI: IdP will redirect the client to this after successful authentication, with tokens for accessing the API. You must inform HIMSA about this, because we need to whitelist it
Extra options
culture-lcid: Culture LCID code for localizing the website
...
URI and port number
QA environment: api.qa.eu.noah-es.com:443 (note: will also be available under himsa-sso.com after the Preview release)
EU Production: api.eu.noah-es.com:443
US Production: api.us.noah-es.com:443 (note: data residency is always EU in the Preview release)
HIMSA's .NET Client:
Either use the constructor that takes an access token or a refresh token as input
...
Note: This is done automatically if you are using HIMSA's .NET Client.
Only if relevant for your app and if app registration allows.
Logging off
In case a user only set up 1 account and that account is of type single sign-on, logging off will redirect the user directly to the login page. In that case it will not be possible to set up a different account.
We suggest to redirect to the account selection page of the IdP after successfully logging off. It is then important to include "forcechoose" in the query string (with any value).Lifetime of access tokens and refresh tokens varies depending on the client type and app type.
Refresh tokens are not enabled by default. However, it is possible to submit a support request for HIMSA to allow the use of refresh tokens for a specific app: https://himsanoah.atlassian.net/servicedesk/customer/portal/1/group/1/create/15