Design Considerations

Security, Authentication and Authorization

What is Single Sign-On (SSO)?

Single Sign-On (SSO) is a key component within the HALO framework, enabling a seamless, secure, and efficient user experience across multiple healthcare applications. SSO centralizes the authentication process, allowing clinicians to log in once to access various applications without needing to re-authenticate each time they switch between systems. This unified access management approach improves both the user experience and security by reducing the reliance on multiple passwords and individual login events. By integrating SSO, HALO facilitates greater interoperability and workflow efficiency, allowing clinicians to engage with a range of healthcare resources within a single identity ecosystem. This integration aligns with modern identity management standards and enhances the security posture by enforcing consistent authentication practices across all HALO-connected applications.

Overview of SSO Types

There are several approaches to SSO that could work effectively within the HALO framework. The most common implementations, each with distinct benefits and considerations, are outlined below. These options provide flexible solutions, accommodating the varying infrastructure and identity management capabilities across different healthcare environments.

Federated Single Sign-On

This approach uses Centralized Identity Registration, where clinicians register with a centralized identity provider and link their provincial account to their EMR. With Single Sign-On (SSO), clinicians can log in once and access multiple applications without needing to re-authenticate, allowing for unified access across systems and improved integration between applications. This setup is particularly suited for complex environments requiring coordinated identity management, as it enables clinicians to move across different HALO-connected apps seamlessly under a single, consistent user identity.

Federated Sign-On (with Local Login)

This approach leverages identity providers (IdPs) with OAuth 2.0 and OpenID Connect (OIDC) to streamline authentication across HALO-connected applications. Clinicians first log into their EMR with their local credentials, creating an initial session. Upon launching a HALO-connected app for the first time, they authenticate via the IdP, receiving an authorization code and access token. For subsequent app launches, if the IdP session is still active, clinicians are not prompted to re-authenticate. The app continues to use OAuth 2.0 and OIDC to obtain fresh authorization codes and access tokens as needed, while the active IdP session enables secure, seamless access without repeated logins.
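The launch sequence described above, as an added example that is not part of the HALO specification or any vendor's code: a toy in-memory IdP and one app launch, showing when the clinician is prompted and the checks a token endpoint applies to an authorization code. The names ToyIdP and launch_app, the lifetimes, and the client IDs and redirect URIs are all assumptions made for illustration.

```python
import secrets

SESSION_TTL = 8 * 3600   # assumed IdP session lifetime in seconds
CODE_TTL = 60            # assumed authorization-code lifetime in seconds

class ToyIdP:
    """In-memory stand-in for an OIDC identity provider (constructed for this example)."""
    def __init__(self):
        self.sessions = {}   # session id -> (user, expiry)
        self.codes = {}      # code -> (user, client_id, redirect_uri, expiry)

    def login(self, user, now):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = (user, now + SESSION_TTL)
        return sid

    def authorize(self, sid, client_id, redirect_uri, state, now):
        """Authorization endpoint: issue a code silently only while the IdP session is live."""
        user, expiry = self.sessions.get(sid, (None, 0))
        if user is None or now >= expiry:
            return {"action": "prompt_login"}
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id, redirect_uri, now + CODE_TTL)
        return {"action": "redirect", "code": code, "state": state}

    def token(self, code, client_id, redirect_uri, now):
        """Token endpoint: a code is single-use and bound to its client and redirect URI."""
        entry = self.codes.pop(code, None)   # pop() makes a replayed code fail
        if entry is None:
            raise ValueError("invalid_grant")
        user, cid, uri, expiry = entry
        if (cid, uri) != (client_id, redirect_uri) or now >= expiry:
            raise ValueError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(24), "sub": user}

def launch_app(idp, sid, client_id, redirect_uri, now):
    """One app launch from the app's side: returns a token response or 'prompt_login'."""
    state = secrets.token_urlsafe(8)
    resp = idp.authorize(sid, client_id, redirect_uri, state, now)
    if resp["action"] == "prompt_login":
        return "prompt_login"
    if not secrets.compare_digest(resp["state"], state):   # reject a callback we did not start
        raise ValueError("state mismatch")
    return idp.token(resp["code"], client_id, redirect_uri, now)
```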

For the HALO framework, it is recommended that the Federated Identity Sign-On approach be implemented wherever feasible. This method provides a streamlined, unified login experience by allowing clinicians to log in once with their centralized credentials, granting them access to both the PoC and connected SMART applications without repeated authentications. Such a fully federated system enhances usability, strengthens security, and aligns with modern identity management standards by leveraging central IdP capabilities. By simplifying access across applications, it reduces administrative overhead and offers a more consistent user experience.

However, not all jurisdictions or PoC vendors may have the infrastructure required to fully support a federated identity system. In these cases, the Local Login with Federated Sign-On approach remains an acceptable alternative. This hybrid model allows for local PoC authentication, while still supporting secure access to SMART apps and the SoFA via the centralized IdP, ensuring that HALO deployments can adapt to varying levels of infrastructure readiness across regions.