Integration and Setup
Before using IAS in production, your organization must complete identity integration and validate your configuration in sandbox. Proper setup ensures that identity tokens are validated correctly and that eligibility requirements are enforced before retrieval begins.
Prerequisites
To implement IAS, your organization must have:
- Active sandbox and production tenants with Health Gorilla
- An agreement with an approved Credential Service Provider (CSP)
- OAuth 2.0 client credentials for your sandbox and production environments
- Secure server-side infrastructure for token validation and storage
- An existing Patient resource in your tenant for each person whose records will be retrieved
Identity verification and token issuance must occur before retrieval is initiated.
Identity Integration
IAS uses a signed identity token issued by an approved CSP.
Your system must:
- Initiate identity proofing with the CSP
- Obtain a signed identity token upon successful verification
- Validate the token server-side before submitting a retrieval request
IAS validates that demographic attributes in the identity token match the demographics stored in the tenant Patient resource. If the token demographics do not match the stored Patient record, retrieval is rejected.
If token validation fails, retrieval is rejected.
OAuth Configuration
IAS requires OAuth 2.0 authentication for all API calls.
Your organization must:
- Be provisioned with a client ID and client secret for sandbox
- Be provisioned with a separate client ID and client secret for production
- Securely store client credentials in a protected server-side location
- Ensure credentials are never exposed in client-side code
- Maintain strict separation between sandbox and production credentials
CSP Configuration
IAS relies on identity tokens issued by an approved CSP.
Your organization must:
- Complete required CSP onboarding and configuration
- Validate token issuer (iss) and audience (aud) claims
- Retrieve and validate CSP public keys from the CSP JSON Web Key Set (JWKS) endpoint
- Implement key refresh logic to account for CSP key rotation
Any mismatch between expected issuer values, audience values, or token claims results in validation failure.
Environment Validation
Before enabling production workflows, validate IAS in sandbox.
Your organization should:
- Create or identify a test person in your sandbox tenant
- Complete identity verification with your CSP
- Obtain a valid IAS token
- Submit retrieval requests using the token
- Confirm status transitions and result retrieval
- Verify audit correlation and logging
Promote configuration to production only after sandbox validation is complete.
Correlation and Logging
IAS workflows involve multiple systems, including your system, the CSP, Health Gorilla, and exchange participants.
To support traceability, your system should:
- Generate a unique correlation identifier for each IAS workflow
- Persist identifiers returned by Health Gorilla
- Log token issuance timestamps and expiration values
- Maintain clear separation between sandbox and production logs
Strong correlation practices reduce investigation time and support audit readiness.
Operational Readiness
Before going live, confirm that:
- Retry logic is implemented for transient failures
- Token expiration handling is tested
- Rate limit handling (429) is validated, if applicable
- Monitoring and alerting are configured
- Runbooks exist for expired tokens, no match outcomes, and network failures
Proper setup reduces the risk of retrieval failures and compliance issues in production environments.