We are using DHIS2 as a backend for our infection tracking system. Currently, all user data is owned by our DHIS2 instance, together with user roles for authorization, as well as org units. However, we are looking to expand into other services that might depend on the user entity, and as such we want to extract the core “user” concept out of DHIS2 and into a separate service.
I have seen that both LDAP and OpenID can be used for authentication with DHIS2, but could not find any examples of integrating any type of authorization (not even accommodating LDAP authorization).
What currently seems to me like the best approach is to create some sort of adapter that uses the API endpoints in DHIS2 to propagate authorization information from the user service. However, I would love some input and thought on my problem, as well as my approach.
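One way the "adapter" idea sketched above could be shaped, as an added example that is not the poster's code and not part of DHIS2 itself: an external user service reports each user's group memberships, and the adapter reconciles those into DHIS2 user roles through the Web API. The group-to-role mapping, the role UIDs and the sample user object are all constructed placeholders; the assumed API shape is the 2.35-era one (roles under `userCredentials.userRoles`, read with `GET /api/users/{id}` and written back with `PUT /api/users/{id}`), and the HTTP calls are injected as callables so the example runs offline against an in-memory store.

```python
"""Adapter sketch: reconcile DHIS2 user roles from an external user service.

Only roles listed in the mapping are managed; roles granted locally in DHIS2
(not in the mapping) are left untouched so a local admin is never silently
stripped of access by the sync.
"""
from __future__ import annotations

import copy
from typing import Callable, Iterable, Optional

# Hypothetical mapping from external group names to DHIS2 user-role UIDs.
# These UIDs are constructed placeholders, not real DHIS2 identifiers.
GROUP_TO_ROLE = {
    "epi-analyst": "ROLEANALYS1",
    "data-entry": "ROLEENTRY01",
    "admin": "ROLEADMIN01",
}
MANAGED_ROLES = frozenset(GROUP_TO_ROLE.values())

# Constructed sample of what GET /api/users/{id} might return (assumed 2.35 shape):
# one managed role plus one role assigned locally in DHIS2.
SAMPLE_USER = {
    "id": "USERUID0001",
    "userCredentials": {
        "username": "nurse42",
        "userRoles": [{"id": "ROLEENTRY01"}, {"id": "LOCALROLE01"}],
    },
}


def roles_for_groups(groups: Iterable[str]) -> set[str]:
    """Translate external groups into DHIS2 role UIDs; unknown groups are ignored."""
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


def current_roles(user: dict) -> set[str]:
    """Role UIDs currently assigned on a DHIS2 user object."""
    return {r["id"] for r in user.get("userCredentials", {}).get("userRoles", [])}


def reconcile(user: dict, desired: set[str]) -> tuple[set[str], set[str]]:
    """Return (roles_to_add, roles_to_remove), touching only managed roles."""
    have = current_roles(user)
    target = (have - MANAGED_ROLES) | desired
    return target - have, have - target


def plan_update(user: dict, desired: set[str]) -> Optional[dict]:
    """Build the PUT body with reconciled roles, or None when nothing changes."""
    add, remove = reconcile(user, desired)
    if not add and not remove:
        return None
    updated = copy.deepcopy(user)
    target = (current_roles(user) | add) - remove
    updated.setdefault("userCredentials", {})["userRoles"] = [
        {"id": r} for r in sorted(target)
    ]
    return updated


def sync_user(
    user_id: str,
    groups: Iterable[str],
    get_user: Callable[[str], dict],
    put_user: Callable[[str, dict], None],
) -> bool:
    """Fetch the DHIS2 user, reconcile roles from external groups, write back if needed.

    In a real deployment get_user/put_user would wrap HTTPS calls to
    {base_url}/api/users/{id} (assumed endpoint) with a service account.
    Returns True when an update was sent, False when the user was already in sync.
    """
    user = get_user(user_id)
    body = plan_update(user, roles_for_groups(groups))
    if body is None:
        return False
    put_user(user_id, body)
    return True


def make_memory_store(users: dict) -> tuple[Callable, Callable]:
    """In-memory stand-in for the DHIS2 API so the example runs offline."""
    store = copy.deepcopy(users)

    def get_user(uid: str) -> dict:
        return copy.deepcopy(store[uid])

    def put_user(uid: str, body: dict) -> None:
        store[uid] = copy.deepcopy(body)

    return get_user, put_user


if __name__ == "__main__":
    get_user, put_user = make_memory_store({SAMPLE_USER["id"]: SAMPLE_USER})
    # External service now says nurse42 is only an epi-analyst.
    print(sync_user("USERUID0001", ["epi-analyst"], get_user, put_user))  # True
    print(current_roles(get_user("USERUID0001")))  # {'LOCALROLE01', 'ROLEANALYS1'}
    print(sync_user("USERUID0001", ["epi-analyst"], get_user, put_user))  # False (idempotent)
```

The important design choice is the `MANAGED_ROLES` boundary: the adapter only ever adds or removes roles it knows about, so a second run with the same input is a no-op, and roles a DHIS2 superuser granted by hand survive the sync. Whichever direction you choose (external service as the source of truth, as here, or DHIS2 pushing out), make the sync idempotent and log every role change, since this is effectively your authorization audit trail.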
We don’t quite support this use-case, if I understand your requirements correctly.
I know that, for example, KS uses their own external central identity/userinfo provider and uses the OpenID connect authentication support in DHIS2 to authenticate the users.
LDAP is a simpler alternative: you would only need to set up an LDAP server, migrate all users (username & password) from your DHIS2 instance and connect the LDAP server to DHIS2. Then you can use the LDAP server as your central user store. If you need more than pure authentication, say, getting properties from the DHIS2 user object, their roles etc., you would have a problem, since the LDAP usually only contains the username and password.
If you want to have a chat about this, you are more than welcome to contact me on email or slack.
If you have access to the DHIS2 Slack, I’m “@Morten Svanæs” there.
My email is msvanaes@dhis2.org
@blixhavn A “cloud-native” approach would be to set up DHIS 2 with OpenID Connect (added in version 2.35) with Azure AD or Google Identity. See docs here:
That would give you an enterprise-ready identity platform which you could integrate with your other services.