Ontocloak

Ontoserver, Atomio and the client applications Shrimp, Snapper and OntoCommand all share a common security model based on OAuth 2.0 and SMART on FHIR. Any capable OAuth 2.0 authorisation server should be able to mediate authorisation by issuing signed tokens with appropriate content.
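As an added illustration of what "signed tokens with appropriate content" means on the resource-server side, the Python example below (written for this page, not Ontoserver's, Atomio's or Ontocloak's own code) mints a bearer token and then applies the checks a FHIR server should make before honouring it: signature, pinned algorithm, issuer, audience, expiry, and finally a SMART on FHIR v1 style scope check. The issuer URL, audience, shared key, subject and clock value are constructed for the example. HS256 with a shared secret is used only so the block runs with the standard library; a deployed authorisation server such as Keycloak normally signs with an asymmetric key and publishes its verification keys for the resource server to fetch, and every check after the signature step is the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values for this example (assumptions, not Ontocloak settings).
ISSUER = "https://auth.example.org/realms/terminology"  # hypothetical realm URL
AUDIENCE = "ontoserver"                                 # hypothetical client id
KEY = b"constructed-shared-secret-for-the-example-only"
NOW = 1_700_000_000  # fixed clock so the example is deterministic


class TokenRejected(Exception):
    """Raised when a presented token must not be trusted."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Authorisation-server side: issue a compact JWS (HS256) over the claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Resource-server side: return the claims only if every check passes.

    The signature is verified before any claim is acted on, the algorithm is
    pinned rather than taken from the header, and the token is bound to this
    issuer and this audience so a token issued for another service is refused.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError as exc:
        raise TokenRejected("undecodable header") from exc
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if audience not in aud:
        raise TokenRejected("token not intended for this service")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenRejected("expired or missing exp")
    return claims


def is_accepted(token: str, key: bytes, issuer: str, audience: str, now) -> bool:
    """Accept/reject wrapper around verify_token."""
    try:
        verify_token(token, key, issuer, audience, now)
        return True
    except TokenRejected:
        return False


def scope_permits(granted: str, context: str, resource_type: str, action: str) -> bool:
    """SMART on FHIR v1 style scope check: '<context>/<type>.<action>' with '*' wildcards."""
    for scope in granted.split():
        if "/" not in scope or "." not in scope:
            continue
        ctx, rest = scope.split("/", 1)
        rtype, act = rest.rsplit(".", 1)
        if ctx == context and rtype in ("*", resource_type) and act in ("*", action):
            return True
    return False


def demo() -> dict:
    """Mint a token, verify it, and exercise the rejection paths. Returns a summary."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
              "exp": NOW + 600, "scope": "user/CodeSystem.read user/ValueSet.read"}
    token = mint_token(claims, KEY)
    # Tamper with the payload (grant writes) without re-signing: signature must fail.
    head, _, sig = token.split(".")
    tampered = ".".join([head, _b64url_encode(json.dumps(dict(claims, scope="user/*.*")).encode()), sig])
    other_service = mint_token(dict(claims, aud="atomio"), KEY)  # valid, but not for us
    expired = mint_token(dict(claims, exp=NOW - 1), KEY)
    verified = verify_token(token, KEY, ISSUER, AUDIENCE, now=NOW)
    return {
        "subject": verified["sub"],
        "can_read_codesystem": scope_permits(verified["scope"], "user", "CodeSystem", "read"),
        "can_write_codesystem": scope_permits(verified["scope"], "user", "CodeSystem", "write"),
        "tampered_accepted": is_accepted(tampered, KEY, ISSUER, AUDIENCE, NOW),
        "other_audience_accepted": is_accepted(other_service, KEY, ISSUER, AUDIENCE, NOW),
        "expired_accepted": is_accepted(expired, KEY, ISSUER, AUDIENCE, NOW),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audience check is the one most often skipped in practice: a token that Ontocloak issues for one service must not be accepted by another just because the signature verifies, which is why the example binds each token to a single expected audience before looking at scopes.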

Deployments of Ontoserver can reuse an existing authorisation service if it is compatible. Where no such service is available, or it is not sufficiently configurable, Ontocloak provides an authorisation server, deployable in the cloud or on premises, that has been tested with Ontoserver and Atomio. As the central authorisation server for a deployment it gives a single place to manage authorisation for users accessing the Ontoserver and Atomio instances in the solution, while still allowing identity and authentication to be externalised to OpenID Connect or SAML sources.

Ontocloak is developed as a wrapper around Keycloak, an open source identity and access management server. Operation and configuration of Ontocloak are largely the same as documented for Keycloak, with the addition of features to:

  • Aid creation and management of “communities” and the corresponding token claims, aligning with Ontoserver’s and Atomio’s resource level security features.
  • Optionally require users to accept terms of agreement before being granted access.

Ontocloak is not a required component of a solution: an alternative authorisation server can be used, or a deployment can run with no security at all where that is appropriate. However, if authorisation is to be used with Ontoserver and Atomio (particularly the resource level authorisation features of both products), Ontocloak is recommended as a known working solution with documented and tested configuration.

Whilst it can manage identities and authentication for users itself, Ontocloak is intended to be used with an organisation’s existing OpenID Connect or SAML identity providers for identity and authentication. Ontocloak then configures the appropriate level of access for those identities to Ontoserver and/or Atomio endpoints, and enables the SMART on FHIR authorisation flow for other clients such as Snapper, Shrimp and OntoCommand.

Ontocloak can also be configured to integrate with additional external SAML or OpenID Connect identity providers, or to federate identities from a Kerberos or Active Directory/LDAP source.

If authorisation is required in the solution, Ontocloak is recommended as it simplifies configuration. It adds authentication to applications and secures services with minimum fuss, and removes the need for each application to store or authenticate users itself.