Fallback Permission Retrieval via External API
Overview
When the Identity Provider (IdP) does not include permission metadata within the SAML assertion during user authentication, the z-PAX Login Service retrieves the required permission set from an external API.
This API, hosted by the integrator, is queried after SAML authentication to obtain the complete set of permissions associated with the authenticated user.
Architecture and Flow
- Following successful SAML authentication, z-PAX inspects the assertion for embedded permission metadata.
- If no permission metadata is present, z-PAX issues a server-to-server HTTP GET request to a designated endpoint provided by the integrator.
- The request includes the required query parameter userid, which uniquely identifies the user whose permissions are being requested.
- The integrator’s service responds with a JSON payload that enumerates the user’s permission set.
- z-PAX processes the returned permissions to enforce access controls and feature entitlements within its platform.
Endpoint Specification
- HTTP Method: GET
- Query Parameter: userid (string, required) — Unique identifier for the user.
Response
- Status Code: 200 OK on success
- Content-Type: application/json
- Body: JSON object containing a permissions array. Each entry defines permissions scoped by organizational code and access type.
Example JSON Response
{
  "permissions": [
    {
      "org_code": "lcca",
      "access_type": "FACILITY",
      "ccn": "123456",
      "is_admin": true,
      "activity_log_summary": true,
      "activity_log_details": true,
      "restrict_alert_snooze": false,
      "restrict_alert_resolution": false,
      "cmi_connect_access": true,
      "pdpm_connect_access": false,
      "rehab_connect_access": true,
      "custom_connect_access": true,
      "quality_connect_access": true
    },
    {
      "org_code": "lcca",
      "access_type": "SEGMENT",
      "region": "Southwest",
      "is_admin": false,
      "activity_log_summary": true,
      "activity_log_details": false,
      "restrict_alert_snooze": true,
      "restrict_alert_resolution": false,
      "cmi_connect_access": false,
      "pdpm_connect_access": true,
      "rehab_connect_access": false,
      "custom_connect_access": false,
      "quality_connect_access": true
    }
  ]
}
Considerations
- All API communication must be secured using HTTPS.
- Authentication and authorization between z-PAX and the integrator’s endpoint should be implemented using a mutually agreed-upon mechanism, such as OAuth tokens or API keys.
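The following is an added example, not z-PAX's or the integrator's own code, of how the calling side of this flow (the GET with the userid parameter, the response shown above, and the HTTPS and authentication considerations) can be implemented so that it fails closed: every transport error, non-200 status, malformed body, unknown access_type, or missing boolean flag raises instead of being treated as a grant. The endpoint URL, the X-API-Key header used for the agreed authentication mechanism, and the rule that FACILITY entries carry ccn and SEGMENT entries carry region are assumptions taken from the example payload; the sample response embedded at the bottom is constructed from that payload.

```python
import json
from dataclasses import dataclass
from urllib.parse import urlencode, urlsplit
from urllib.request import Request, urlopen

# Boolean entitlement flags present in the page's example response.
FLAG_FIELDS = (
    "is_admin", "activity_log_summary", "activity_log_details",
    "restrict_alert_snooze", "restrict_alert_resolution", "cmi_connect_access",
    "pdpm_connect_access", "rehab_connect_access", "custom_connect_access",
    "quality_connect_access",
)
# Scope field each access_type must carry (assumption derived from the example).
SCOPE_FIELD = {"FACILITY": "ccn", "SEGMENT": "region"}


class PermissionLookupError(Exception):
    """Permissions could not be determined; callers must deny, never default to allow."""


@dataclass(frozen=True)
class Permission:
    org_code: str
    access_type: str
    scope: str    # ccn for FACILITY, region for SEGMENT
    flags: dict   # flag name -> bool, every FLAG_FIELDS entry present


def build_request(base_url: str, userid: str, api_key: str) -> Request:
    """Server-to-server GET; refuses non-HTTPS endpoints and empty userids."""
    if urlsplit(base_url).scheme != "https":
        raise PermissionLookupError("permission endpoint must use HTTPS")
    if not isinstance(userid, str) or not userid.strip():
        raise PermissionLookupError("userid is required")
    url = f"{base_url}?{urlencode({'userid': userid})}"  # userid is URL-encoded
    headers = {"Accept": "application/json", "X-API-Key": api_key}  # assumed scheme
    return Request(url, headers=headers, method="GET")


def _parse_entry(entry) -> Permission:
    if not isinstance(entry, dict):
        raise PermissionLookupError("permission entry is not an object")
    org_code, access_type = entry.get("org_code"), entry.get("access_type")
    if not isinstance(org_code, str) or not org_code:
        raise PermissionLookupError("org_code missing")
    if access_type not in SCOPE_FIELD:
        raise PermissionLookupError(f"unknown access_type {access_type!r}")
    scope = entry.get(SCOPE_FIELD[access_type])
    if not isinstance(scope, str) or not scope:
        raise PermissionLookupError(f"{SCOPE_FIELD[access_type]} missing for {access_type}")
    flags = {}
    for name in FLAG_FIELDS:
        value = entry.get(name)
        if not isinstance(value, bool):  # missing/non-boolean flag is an error, not a grant
            raise PermissionLookupError(f"flag {name} missing or not boolean")
        flags[name] = value
    return Permission(org_code, access_type, scope, flags)


def parse_permissions(status: int, content_type: str, body: bytes) -> list:
    """Strictly validate the integrator's response; anything unexpected raises."""
    if status != 200:
        raise PermissionLookupError(f"unexpected status {status}")
    if not content_type.lower().startswith("application/json"):
        raise PermissionLookupError(f"unexpected content type {content_type!r}")
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise PermissionLookupError("response is not valid JSON") from exc
    perms = data.get("permissions") if isinstance(data, dict) else None
    if not isinstance(perms, list):
        raise PermissionLookupError("response lacks a permissions array")
    return [_parse_entry(e) for e in perms]


def fetch_permissions(base_url, userid, api_key, opener=urlopen, timeout=5.0) -> list:
    """Perform the lookup; urlopen verifies the server certificate by default."""
    request = build_request(base_url, userid, api_key)
    try:
        with opener(request, timeout=timeout) as resp:
            return parse_permissions(resp.status, resp.headers.get("Content-Type", ""), resp.read())
    except PermissionLookupError:
        raise
    except (OSError, ValueError) as exc:  # timeouts, TLS and HTTP errors all fail closed
        raise PermissionLookupError(f"permission lookup failed: {exc}") from exc


# Constructed sample: the page's example response as the integrator would return it.
_BASE = dict(org_code="lcca", activity_log_summary=True, restrict_alert_resolution=False,
             quality_connect_access=True)
SAMPLE_BODY = json.dumps({"permissions": [
    dict(_BASE, access_type="FACILITY", ccn="123456", is_admin=True, activity_log_details=True,
         restrict_alert_snooze=False, cmi_connect_access=True, pdpm_connect_access=False,
         rehab_connect_access=True, custom_connect_access=True),
    dict(_BASE, access_type="SEGMENT", region="Southwest", is_admin=False,
         activity_log_details=False, restrict_alert_snooze=True, cmi_connect_access=False,
         pdpm_connect_access=True, rehab_connect_access=False, custom_connect_access=False),
]}).encode()

if __name__ == "__main__":
    for p in parse_permissions(200, "application/json", SAMPLE_BODY):
        print(p.org_code, p.access_type, p.scope, "admin" if p.flags["is_admin"] else "user")
```

The validation is deliberately strict: an entry with an unrecognized access_type or a missing flag rejects the whole lookup rather than being silently skipped, because a partial permission set is indistinguishable from a correct one to the code that later enforces entitlements.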