azuma doa
azuma doa is a comprehensive identity and access management (IAM) solution designed for modern digital health applications. It provides robust features specifically adapted to the needs of the health sector, such as multi-tenancy, advanced authentication methods, and a roles and permissions system. This documentation outlines its key components, authentication methods, and integration steps to help you get started.
azuma doa consists of the following important components:
- Identity Provider: Full-service identity provider with Single Sign-On (SSO), self-service flows and Multi-Factor Authentication (MFA) / Two-Factor Authentication (2FA) support
- Tenant Management: Integrated, configurable multi-tenancy support to implement one user account across single or multiple organizational domains with subtenants (e.g. to reflect hospital structures)
- Advanced authentication methods: MFA with device binding enables the highest security standards for mobile authentication with a great user experience (supporting BSI TR-03161 compliance)
- Roles & Permissions System: Integrated roles & permissions setup applied on top of the tenant management solution including customer application roles & permissions
- License System: Integrated license assignment on tenant level.
Identity and tenant management
azuma doa implements a full identity provider/management system that can be easily integrated into your application. This includes:
- Single-tenant (most common scenario): Users belong to your tenant and are only available within your tenant.
- Multi-tenant, multi-hierarchy scenarios for complex organizations (and the hospital context): Users belonging to your organization are available within all tenants and sub-tenants.
Authentication methods
azuma doa implements a variety of authentication methods including the following:
Mobile: Device Binding
The device binding flow conforms to the BSI TR-03161 standard for digital health applications.
The device binding flow ensures device conformity and binding via
- Google Play Attestation/Integrity
- Apple App Attest
while supporting the following auth methods:
- Username/Password
- Email/Password
- Health-ID
More details for device binding can be found here.
Mobile/Web: Authorization Code Flow
azuma doa fully supports the OAuth 2.0 Authorization Code Flow as well as OpenID Connect (OIDC).
More details can be found here.
API: Client Credentials flow
azuma doa fully supports the OAuth 2.0 Client Credentials Flow, which can be used for
- Backend to Backend authentication and authorization (via custom scopes)
- API authorization for the azuma doa admin API.
Clients for the Client Credentials flow can be created via the azuma doa developer portal.
More details can be found here.
Our roadmap includes Passkeys and Biometrics among other methods. If you are missing further important methods or have custom requirements, please don't hesitate to contact us.
Getting started
To start integrating with azuma doa and getting your development account, check out the Getting Started pages.
After the initial setup, please consider visiting:
BSI TR-03161 Conformity
azuma doa is built to meet the strictest security requirements for digital health applications. Our solution has been successfully integrated by customers who have passed the BSI TR-03161 audit process without any conditions. This ensures that your integration is based on a proven and compliant foundation for secure identity management in the healthcare sector.
Availability matrix
All mobile flows are currently only available in conjunction with Device Binding.
| Feature | Mobile | Web | Comment |
|---|---|---|---|
| BSI TR-03161 Compliance | ✅ | (*) | Web: see below |
| Authorization Code Flow (OIDC) | ✅ | ✅ | Mobile: via Browser or Token Exchange |
| Email/Password | ✅ | ✅ | |
| Username/Password | ✅ | ❌ | |
| ID | ✅ | ❌ | |
| Health-ID (mimoto) | ✅ | ✅ | |
| HIN (Health Info Net Switzerland (Digital Identity)) | ✅ | ✅ | Mobile: via Browser |
| SAML | ✅ | ✅ | Mobile: via Browser |
| Passkeys | ✅ | (*) | Web: see below |
| Biometrics | ✅ | ❌ | |
| Token Exchange (Google/Apple) | ✅ | ❌ | |
(*) Please note that web support is not yet fully available for DiGA (conforming to BSI TR-03161) and will be finalized on request.
Infrastructural Environments & Links
TEST
- Main Url: https://pie.azuma-health.tech
- Dashboard Url: https://dashboard.pie.azuma-health.tech
- Swagger:
- OpenID Configuration: https://oidc.pie.azuma-health.tech/tenant/*tenant-id*/.well-known/openid-configuration
- Authorization Endpoint: https://oidc.pie.azuma-health.tech/tenant/*tenant-id*/oauth2/auth
- Token Endpoint: https://oidc.pie.azuma-health.tech/tenant/*tenant-id*/oauth2/token
- JWKS Endpoint: https://oidc.pie.azuma-health.tech/tenant/*tenant-id*/.well-known/jwks.json
PROD
- Main Url: https://azuma-health.tech
- Dashboard Url: https://dashboard.azuma-health.tech
- Swagger:
- OpenID Configuration: https://oidc.azuma-health.tech/tenant/*tenant-id*/.well-known/openid-configuration
- Authorization Endpoint: https://oidc.azuma-health.tech/tenant/*tenant-id*/oauth2/auth
- Token Endpoint: https://oidc.azuma-health.tech/tenant/*tenant-id*/oauth2/token
- JWKS Endpoint: https://oidc.azuma-health.tech/tenant/*tenant-id*/.well-known/jwks.json
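The Authorization Code Flow (OIDC) described above, driven against the tenant-scoped TEST/PROD endpoints listed on this page, as an added stdlib-only example that is not azuma doa's own code or SDK. It assumes that the issuer equals the tenant prefix of the OpenID Configuration URL, that a PKCE S256 challenge is accepted, and it leaves JWT signature verification against the JWKS endpoint to a JOSE library; `build_authorization_request`, `token_request_from_callback` and `validate_id_token_claims` are hypothetical names.

```python
import base64, hashlib, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Issuer base per environment, taken from the endpoint lists on this page.
ENVIRONMENTS = {"TEST": "https://oidc.pie.azuma-health.tech",
                "PROD": "https://oidc.azuma-health.tech"}

def tenant_issuer(env, tenant_id):
    # Assumption: the issuer is the tenant prefix of the .well-known URL above.
    return f"{ENVIRONMENTS[env]}/tenant/{tenant_id}"

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_authorization_request(env, tenant_id, client_id, redirect_uri,
                                scopes=("openid", "profile")):
    """Return (url, session); keep `session` until the redirect comes back."""
    verifier = b64url(secrets.token_bytes(32))  # PKCE verifier (assumed supported)
    session = {"state": secrets.token_urlsafe(16),
               "nonce": secrets.token_urlsafe(16), "code_verifier": verifier}
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes),
              "state": session["state"], "nonce": session["nonce"],
              "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
              "code_challenge_method": "S256"}
    return f"{tenant_issuer(env, tenant_id)}/oauth2/auth?{urlencode(params)}", session

def token_request_from_callback(env, tenant_id, callback_url, session,
                                client_id, redirect_uri):
    """Check `state` on the redirect; return the token endpoint and form body."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: CSRF or mixed-up session")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    body = {"grant_type": "authorization_code", "code": q["code"][0],
            "redirect_uri": redirect_uri, "client_id": client_id,
            "code_verifier": session["code_verifier"]}
    return f"{tenant_issuer(env, tenant_id)}/oauth2/token", body

def validate_id_token_claims(claims, env, tenant_id, client_id, session, now=None):
    """OIDC Core claim checks; run only AFTER the JWT signature has been
    verified against the tenant JWKS endpoint with a JOSE library (not shown)."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    return (claims.get("iss") == tenant_issuer(env, tenant_id)
            and client_id in aud and claims.get("nonce") == session["nonce"]
            and claims.get("exp", 0) > now)
```

The token request body is sent as a form POST to the returned token endpoint; for a confidential client, add client authentication as configured in the developer portal.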