Identity Continuity for Epic EHR
TL;DR Strata Maverics sits between Epic and your identity providers, so Epic never has to change when they do. Microsoft Entra ID runs as primary. Keycloak runs as a warm secondary. Failover takes seconds. Clinical sessions and backend JWT integrations keep working, even in DDIL environments.
Key points
▸ Identity is uptime for Epic. Epic delegates every login to an identity provider. When that provider fails, clinical work stops.
▸ Identity orchestration decouples Epic from any single identity provider. Maverics fronts Epic’s authorize, token, and JWKS endpoints. Epic is registered once and never reconfigured.
▸ Health-check-driven active/standby failover. The Maverics Orchestrator polls each identity provider’s discovery endpoint on a configured interval and routes new logins to the first healthy connector in the ordered list.
▸ Both Epic flows are covered. SMART on FHIR launches for clinicians and patients, plus client_credentials with signed JWT for backend services and bulk FHIR.
▸ Air-gap-ready for edge and disconnected care. Runs on-prem, at the edge, or air-gapped, with Disconnected Mode support for field hospitals, rural clinics, and tactical deployments.
▸ Security properties stay intact. PKCE end-to-end, RS384 or ES384 JWT assertions, Conditional Access in steady state, auditable break-glass during failover.
In a hospital, identity is uptime. Epic is the clinical system of record, but Epic does not authenticate users. It delegates every login to an identity provider over OAuth 2.0 and OpenID Connect. When that provider has a bad day, Epic has a bad day.
THE IDEA Identity continuity keeps Epic users authenticated during an identity provider outage, migration, or policy change, without reconfiguring Epic.
The architecture at a glance
Strata Maverics sits in front of Epic’s OAuth 2.0 and SMART on FHIR flows as a single identity orchestration layer. Epic is registered with exactly one client and one JWKS, both owned by Maverics. Epic never learns about the identity providers behind it.
In this example we’ll look at Epic access protected by Microsoft Entra ID, but this could be any modern IdP like Okta or Ping as well. Behind Maverics, Entra ID runs as the primary identity provider and Keycloak runs as a warm secondary. Maverics continuously health-checks both. When Entra ID is healthy, every Epic login lands on Entra ID. When Entra degrades, Maverics fails over to Keycloak in seconds. User attributes, the fhirUser claim, and the SMART launch context stay the same.
Epic’s two OAuth 2.0 flows, and why both matter
Epic exposes two OAuth 2.0 patterns. A credible continuity story has to cover both, because a failure in either one breaks clinical operations.
1. SMART on FHIR user launch
Used whenever a clinician opens an app from Epic Hyperspace or a patient logs in through MyChart. The browser is redirected to Epic’s authorize endpoint, which in this design is fronted by Maverics via the SMART configuration at /.well-known/smart-configuration. Epic hands Maverics the launch token and patient context. Maverics proxies authentication to Entra, or to Keycloak on failover, then returns an authorization code to Epic.
The access token Epic consumes is minted by Maverics with normalized SMART claims: fhirUser, patient, encounter, and scope. Epic sees Maverics, not the identity provider.
2. Backend services (client_credentials with signed JWT)
Used for system-to-system integrations: analytics pipelines, population-health exports, bulk FHIR. The calling system signs a JWT with its private key and presents it to the token endpoint as a client assertion: grant_type=client_credentials with client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer, as the SMART Backend Services profile (built on RFC 7523) specifies. Epic trusts the Maverics JWKS. Maverics verifies the caller's JWT against the caller's registered public key, applies policy, and issues a service token usable against Epic's FHIR R4 APIs.
Backend services never change, even if the upstream identity provider does. That is the point.
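What the token endpoint has to check before it issues a service token is easy to get wrong, so here is the assertion exchange end to end, as an added example written for this page rather than code from Strata or Epic. The caller's side builds the RFC 7523 client assertion and signs it with ES384; the verifier's side pins the algorithm, selects the key by kid from the caller's registered keys, verifies the signature before reading any claim, and then enforces iss, sub, aud, exp and jti. Assumed for the example: the Maverics token-endpoint host, the client_id, an in-memory replay cache, and a freshly generated P-384 key standing in for the key the caller would actually register in its JWKS.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// TokenEndpoint is the only audience accepted; the host is an assumption for this example.
const TokenEndpoint = "https://maverics.example.com/oauth2/token"
var enc = base64.RawURLEncoding // JWS segments are unpadded base64url

// Claims is the SMART Backend Services client assertion (RFC 7523 JWT profile).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
}

// SignES384 is the caller's side: header.payload signed with P-384 and SHA-384.
func SignES384(key *ecdsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES384", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha512.Sum384([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 96) // JWS encodes an ES384 signature as R||S, each padded to 48 bytes
	r.FillBytes(sig[:48])
	s.FillBytes(sig[48:])
	return input + "." + enc.EncodeToString(sig), nil
}

// Verifier is the token-endpoint side: the caller's keys (its JWKS, by kid), its client_id,
// and a replay cache of jti values already accepted.
type Verifier struct {
	Keys     map[string]*ecdsa.PublicKey
	ClientID string
	seen     map[string]bool
}

// NewPair makes a throwaway P-384 key for a caller plus a Verifier that already holds its
// public half under kid, as Maverics would after fetching the caller's JWKS.
func NewPair(clientID, kid string) (*ecdsa.PrivateKey, *Verifier) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key, &Verifier{Keys: map[string]*ecdsa.PublicKey{kid: &key.PublicKey},
		ClientID: clientID, seen: map[string]bool{}}
}

// Verify checks the signature first, then every claim the post lists: iss, sub, aud, exp, jti.
func (v *Verifier) Verify(token string) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT")
	}
	var hdr struct{ Alg, Kid string }
	if raw, e := enc.DecodeString(parts[0]); e != nil || json.Unmarshal(raw, &hdr) != nil {
		return c, errors.New("bad header")
	}
	pub, ok := v.Keys[hdr.Kid] // pin the algorithm; the token never gets to choose ("none", HS*)
	if hdr.Alg != "ES384" || !ok {
		return c, errors.New("unsupported alg or unknown kid")
	}
	sig, e := enc.DecodeString(parts[2])
	digest := sha512.Sum384([]byte(parts[0] + "." + parts[1]))
	if e != nil || len(sig) != 96 ||
		!ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:48]), new(big.Int).SetBytes(sig[48:])) {
		return c, errors.New("signature invalid")
	}
	if raw, e := enc.DecodeString(parts[1]); e != nil || json.Unmarshal(raw, &c) != nil {
		return c, errors.New("bad payload")
	}
	now := time.Now().Unix()
	switch {
	case c.Iss != v.ClientID || c.Sub != v.ClientID:
		return c, errors.New("iss and sub must both equal the registered client_id")
	case c.Aud != TokenEndpoint:
		return c, errors.New("aud is not this token endpoint")
	case c.Exp <= now || c.Exp > now+300:
		return c, errors.New("exp must be in the future and at most five minutes ahead")
	case c.Jti == "" || v.seen[c.Jti]:
		return c, errors.New("jti missing or replayed")
	}
	v.seen[c.Jti] = true // single use; a production cache evicts entries once exp passes
	return c, nil
}
```

To exercise it, call NewPair, sign a Claims value whose iss and sub are the client_id, whose aud is TokenEndpoint and whose exp is a few minutes out, then call Verify twice: the first call returns the claims, the second fails on the replayed jti. The order inside Verify is deliberate: the signature is checked before any claim is read, the algorithm is fixed by the verifier rather than read from the token, and the key is looked up by kid so a key rotation in the caller's JWKS is a data change, not a code change.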
The failover sequence
Step by step, what the Orchestrator does:
1. Health check. Polls each connector's well-known discovery endpoint on the configured interval (30s to 60s in production). An unreachable endpoint or an error response counts as a failure.
2. Detect. Marks Entra unhealthy after unhealthyThreshold consecutive failed checks (default 3). Detection is proactive: the decision is made before the next login arrives, so no clinician's login is the probe.
3. Route. The Continuity connector skips unhealthy entries in failover.idps and routes new authorize requests to the next healthy connector, which in this design is Keycloak.
4. Normalize. The Schema Abstraction Layer maps Keycloak claims (email, name, role, fhirUser) to the same normalized attribute names Epic already consumes, so downstream apps see no change.
5. Recover. When Entra passes healthyThreshold consecutive successful checks (default 2 to 3), it is marked healthy again and new logins route back to Entra as the primary.
FOR EPIC Epic sees none of this. Epic is registered once with Maverics. The Continuity Strategy decides, on every authorize request, which identity provider is currently healthy.
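The health-check logic above (and the "interval times threshold" detection-time rule the FAQ gives later) is small enough to show in full. What follows is an added example written for this page, not Maverics code: an ordered connector list with the two-sided hysteresis the steps describe, where a connector only flips to unhealthy after unhealthyThreshold consecutive failures and only flips back after healthyThreshold consecutive passes, and a Route call that picks the first healthy entry for the next authorize request. The connector names, the probe timeline in main, and the choice to fail closed when nothing is healthy are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Connector is one entry in the ordered failover list (failover.idps): Entra first,
// Keycloak second. Verdict flips are driven only by probe streaks, never by a single blip.
type Connector struct {
	Name       string
	Healthy    bool
	failStreak int // consecutive failed probes
	okStreak   int // consecutive successful probes
}

// Monitor holds the thresholds from the post: a connector goes unhealthy after
// UnhealthyThreshold consecutive failed checks and recovers only after
// HealthyThreshold consecutive passes, so one slow discovery response does not flap logins.
type Monitor struct {
	Interval           time.Duration
	UnhealthyThreshold int
	HealthyThreshold   int
	Order              []*Connector
}

// NewMonitor starts every connector healthy, in the priority order given.
func NewMonitor(interval time.Duration, unhealthy, healthy int, names ...string) *Monitor {
	m := &Monitor{Interval: interval, UnhealthyThreshold: unhealthy, HealthyThreshold: healthy}
	for _, n := range names {
		m.Order = append(m.Order, &Connector{Name: n, Healthy: true})
	}
	return m
}

// Observe records one probe of a connector's discovery endpoint (ok = reachable with a
// valid document; !ok = timeout, connection error or error status). It reports whether
// the verdict changed, which is the event the post says should be written to audit.
func (m *Monitor) Observe(name string, ok bool) (changed bool) {
	c := m.find(name)
	if c == nil {
		return false
	}
	if ok {
		c.okStreak, c.failStreak = c.okStreak+1, 0
		if !c.Healthy && c.okStreak >= m.HealthyThreshold {
			c.Healthy = true
			return true
		}
	} else {
		c.failStreak, c.okStreak = c.failStreak+1, 0
		if c.Healthy && c.failStreak >= m.UnhealthyThreshold {
			c.Healthy = false
			return true
		}
	}
	return false
}

// Route returns the connector the next authorize request goes to: the first healthy one
// in priority order. With none healthy it fails closed with an error rather than sending
// a login to a dead provider; the caller decides whether break-glass applies.
func (m *Monitor) Route() (string, error) {
	for _, c := range m.Order {
		if c.Healthy {
			return c.Name, nil
		}
	}
	return "", errors.New("no healthy identity provider in failover list")
}

// DetectionTime is the worst-case gap between an outage starting and traffic moving:
// interval x unhealthyThreshold, the figure to tune against the RTO.
func (m *Monitor) DetectionTime() time.Duration {
	return m.Interval * time.Duration(m.UnhealthyThreshold)
}

func (m *Monitor) find(name string) *Connector {
	for _, c := range m.Order {
		if c.Name == name {
			return c
		}
	}
	return nil
}

func main() {
	m := NewMonitor(30*time.Second, 3, 2, "entra", "keycloak")
	fmt.Println("worst-case detection:", m.DetectionTime())
	// Constructed probe timeline for Entra: one blip, then a real outage, then recovery.
	for i, ok := range []bool{true, false, true, false, false, false, true, true} {
		changed := m.Observe("entra", ok)
		target, err := m.Route()
		fmt.Printf("probe %d ok=%-5v changed=%-5v route=%s %v\n", i+1, ok, changed, target, err)
	}
}
```

Running it shows the two properties worth checking in any orchestrator you deploy: the single failed probe in the middle of the timeline never moves traffic, because the streak resets on the next pass, and the first successful probe after the outage does not move traffic back either, because recovery needs healthyThreshold passes. With a 30s interval and a threshold of 3, DetectionTime comes out at 90s, which is the number to compare against your login RTO.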
What Epic is configured with
Epic registration is simple and immutable. Through Epic Showroom (the partner portal that replaced App Orchard) we register one production client and upload one JWKS URL, both owned by Maverics. That single registration covers the SMART user flow and the backend services JWT flow. Rotating keys, adding identity providers, or changing the failover policy are all Maverics-side operations.
Epic config item: Value
Client ID (production): Issued by Epic once, owned by Maverics
Redirect URI: https://maverics.example.com/epic/smart/callback
JWKS URL: https://maverics.example.com/.well-known/jwks.json
SMART configuration URL: https://maverics.example.com/.well-known/smart-configuration
Scopes: launch, openid, fhirUser, patient/*.read, user/*.*
Backend assertion audience: https://maverics.example.com/oauth2/token
Security properties we preserve
PKCE is preserved end-to-end for SMART launches. The launched app's code_challenge flows through Maverics to the identity provider, so the code exchange still has to present the matching code_verifier. JWT assertions for backend services use RS384 or ES384, the signing algorithms the SMART Backend Services profile calls for, with iss, sub, aud, exp, and jti claims: iss and sub are the registered client_id, aud is bound to the Maverics token endpoint, exp is at most five minutes out, and jti is single-use so a captured assertion cannot be replayed. Entra Conditional Access policies continue to evaluate during normal operation. During failover to Keycloak, Maverics applies a defined break-glass policy and writes the deviation to audit.
Failover is not a bypass. It is a planned, attested, time-bounded deviation, with every event written to your audit trail.
Identity continuity in disconnected environments
Not every Epic deployment is a stable data center with a fat pipe to Azure. Field hospitals, forward-operating medical units, rural clinics, and disaster-response sites operate in DDIL conditions: Denied, Disrupted, Intermittent, and Limited. Cloud authentication cannot be assumed.
Maverics is built for this. The orchestrator runs on-prem, at the edge, or air-gapped, and the Identity Continuity failover policy treats loss of WAN to Entra as just another failover trigger. During a disconnected window, clinicians authenticate against a local Keycloak realm with pre-staged credentials and policy. When connectivity returns, Maverics reconciles state, re-binds sessions to Entra, and writes the deviation window to audit.
What’s next
SMART on FHIR and backend services are the modern surface, but Epic is a much bigger identity footprint than that. Hyperdrive and Hyperspace authenticate clinicians over SAML or WS-Fed. Haiku, Canto, and Rover push the same flow to mobile. MyChart runs its own OIDC trust for patients. EpicCare Link federates to partner identity providers. Interconnect, Bridges, and Caboodle lean on directory-bound service accounts. Each one fails independently, and each one belongs in a similar Continuity Strategy.
The next posts in this series extend the pattern across the Epic ecosystem: Hyperdrive SAML continuity to Entra and AD FS, MyChart patient OIDC failover, EpicCare Link partner federation, and directory continuity for the service accounts behind Interconnect. Same Maverics Orchestrator, same health-check model, one identity fabric for all of Epic.
LET’S TALK Want to see identity continuity running against your Epic instance? Schedule a demo at https://strata.io
Frequently asked questions
What is identity continuity for Epic EHR?
Identity continuity is the ability to keep authenticating Epic users (clinicians, patients, and backend systems) through OAuth 2.0 and SMART on FHIR, even when the underlying identity provider is degraded, migrating, or unreachable. Strata Maverics delivers this by sitting between Epic and the identity provider as an identity orchestration layer.
Does this work for both SMART on FHIR and backend services?
Yes. Maverics fronts Epic’s user-facing SMART on FHIR flows (EHR launch and standalone launch with PKCE) and the backend services flow (client_credentials with signed JWT assertion). Both use the same Maverics JWKS registered with Epic.
How does the Entra ID to Keycloak failover actually work?
The Maverics Orchestrator runs Identity Service Health Monitoring on each connector, polling the provider’s well-known discovery endpoint on a configured interval (typically 30 to 60 seconds in production). When Entra fails unhealthyThreshold consecutive checks (default 3), the Continuity Strategy marks it unhealthy and routes the next authorize request to the following healthy connector in failover.idps, which in this design is Keycloak. When Entra passes healthyThreshold consecutive checks, traffic routes back to it. Detection time is interval times threshold, so tune both to your RTO.
Does Epic need to be reconfigured for identity provider changes?
No. Epic is registered once with Maverics: one client ID, one JWKS URL, one SMART configuration URL. Adding, rotating, or replacing the identity provider is a Maverics-side operation. Epic configuration is immutable from day one.
Can Strata Maverics run in DDIL or air-gapped environments?
Yes. Maverics is deployable on-prem, at the edge, and air-gapped. In DDIL scenarios (Denied, Disrupted, Intermittent, or Limited connectivity), Maverics authenticates users against a locally reachable identity provider and reconciles state when connectivity returns. This is a core use case for federal health, tactical medicine, and rural care.
What identity providers does Maverics support?
Maverics is identity provider agnostic. This post uses Microsoft Entra ID and Keycloak as primary and secondary, but the same orchestration pattern applies to Okta, Ping, ForgeRock, AD FS, and legacy directories such as LDAP.
The post Identity Continuity for Epic EHR appeared first on Strata.io.
*** This is a Security Bloggers Network syndicated blog from Strata.io authored by Parambir E4C5. Read the original post at: https://www.strata.io/uncategorized/identity-continuity-for-epic-ehr/
