# Web Portal Integration

FibriCheck offers a web portal for healthcare professionals to manage patients who are performing measurements. It's possible to redirect users to a specific page within the portal without that user having to log in, using a pre-generated link that contains authentication information.

Possible use cases for this feature are:

* **Easy redirect** - redirect users from the patient record software directly to the correct page in the FibriCheck Portal, without the user having to log in.
* **Context Integration** - by using the URL, the FibriCheck Web Portal can be easily embedded in third-party software through an iframe.

{% embed url="<https://drive.google.com/file/d/1UljHj0pYqjwlydWRlEGlSszH10cbzsq7/view?usp=sharing>" %}

### Structure of the redirect URL

The image below shows the important parts of the redirect URL:

<figure><img src="https://550842036-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1VHmKXYQVUzvBkU504K0%2Fuploads%2FlPAaSaNWKZf6QsZGHCXK%2Fdocs.fibricheck.com%20-%20Single%20Sign-On%20URL.png?alt=media&#x26;token=9cace0ef-062f-46ce-8511-65b7e6d10919" alt=""><figcaption><p>Example of a single sign-on redirect URL</p></figcaption></figure>

In the following URL, the parts that need to be replaced are indicated with curly brackets `{{ }}`:

```
https://pages.dev.fibricheck.com/consume_ssotoken/?ssoToken={{token}}&redirect=https%3A%2F%2Fpages.dev.fibricheck.com%2Fportal%2F%23%2Fpatients%2F{{userId}}%2Fdetails%2Foverview
```

### How to generate an SSO token?

<mark style="color:green;">`POST`</mark> `/auth/v2/oauth1/ssoTokens/generate`

Executing this endpoint will generate a single sign-on token for the authenticated user. The endpoint does not require a body.\
*<mark style="color:orange;">This endpoint requires being authenticated through an OAuth1.0 application.</mark>*

**Response**

{% tabs %}
{% tab title="200" %}

```json
{
    "userId": "6422a0d97db02e7197c8dfcf",
    "createdByApplicationId": "5811ccc246e0fb0006efdc8d",
    "ssoToken": "bc7a175f3e36b7a84aacfcf98428d1ed61d54800",
    "updateTimestamp": "2024-08-12T09:30:57.778Z",
    "creationTimestamp": "2024-08-12T09:30:57.778Z",
    "id": "66b9d651e18f465bbdf5ad7f"
}
```

{% endtab %}
{% endtabs %}

### Use correct credentials to generate an SSO token

An SSO token will always be generated for the authenticated user executing the API call. As a consequence, the generated token will have the same data access as the authenticated API user. In cases where a single third-party platform serves multiple organizations, it's important to use separate organization-specific credentials to generate the SSO token.

<figure><img src="https://550842036-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1VHmKXYQVUzvBkU504K0%2Fuploads%2FjY4zHyBKDmjNoHpumJZx%2FWeb%20Portal%20Integration%20Credentials.png?alt=media&#x26;token=f302e26e-404b-4716-9770-100549cf26d0" alt=""><figcaption></figcaption></figure>

In FibriCheck, data from different organizations is scoped to different groups.

The *System Integration User* has access to all the data of all organizations using FibriCheck through the third-party platform. When an SSO token, generated using this *system integration account*, is shared with organization A, that token would also provide access to data of organization B in the FibriCheck portal.

To avoid this, separate HCP users are typically created by FibriCheck that only have access to data of a single group. **Always use organization-specific HCP user credentials when generating SSO tokens** to ensure access is limited to a single group.
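
The sketch below is an added example, not FibriCheck code. It builds the redirect URL from the template above and refuses to do so unless the token response's `userId` is the HCP user configured for the requesting organization. The organization mapping, the function name, the id and token formats, and the reading of `userId` as the user the token was generated for are assumptions based on the sample response on this page.

```python
import re
from urllib.parse import quote, urlencode

PORTAL_BASE = "https://pages.dev.fibricheck.com"  # host taken from the URL template above
OBJECT_ID = re.compile(r"[0-9a-f]{24}")  # assumption: ids look like those in the sample response
SSO_TOKEN = re.compile(r"[0-9a-f]{40}")  # assumption: tokens look like the sample ssoToken

# Constructed mapping: organization -> id of its organization-specific HCP user.
HCP_USER_FOR_ORG = {"org-a": "6422a0d97db02e7197c8dfcf"}


def build_sso_redirect(org, token_response, patient_id):
    """Return the portal redirect URL for `org`, or raise ValueError."""
    expected_user = HCP_USER_FOR_ORG.get(org)
    if expected_user is None:
        # Never fall back to a broader account such as the system integration user.
        raise ValueError(f"no organization-specific HCP user configured for {org!r}")

    # The token carries the data access of the user it was generated for, so
    # reject a token that was generated for any other account.
    if token_response.get("userId") != expected_user:
        raise ValueError("SSO token was not generated for this organization's HCP user")

    token = token_response.get("ssoToken", "")
    if not SSO_TOKEN.fullmatch(token):
        raise ValueError("unexpected ssoToken format")

    # patient_id fills {{userId}} in the template; validating it keeps path
    # separators and extra query parameters out of the redirect target.
    if not OBJECT_ID.fullmatch(patient_id):
        raise ValueError("unexpected patient id format")

    target = f"{PORTAL_BASE}/portal/#/patients/{patient_id}/details/overview"
    # safe="" percent-encodes ':', '/' and '#', matching the encoded template.
    query = urlencode({"ssoToken": token, "redirect": target}, quote_via=quote, safe="")
    return f"{PORTAL_BASE}/consume_ssotoken/?{query}"
```
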
