
Delegated Authentication Basics

Delegated authentication allows you to define your own custom authentication mechanisms. The custom mechanisms can also perform basic user setup, for example, assigning roles and other properties.

Here is the sequence of events for a login attempt through an InterSystems Service that uses delegated authentication:

  1. A user attempts to access InterSystems IRIS through an InterSystems Service that has been configured to use delegated authentication.

  2. The system automatically invokes the ZAUTHENTICATE routine in the %SYS namespace. This routine contains your custom authentication code. It may also call other code containing additional custom authentication logic.

  3. If ZAUTHENTICATE succeeds, InterSystems IRIS grants the user access to the system and either creates or updates the user account information depending on whether or not this is the user's first login attempt.

  4. If ZAUTHENTICATE fails, InterSystems IRIS denies the user access to the system and sends the user an “Access Denied” error.
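The sequence above, sketched as a minimal fail-closed ZAUTHENTICATE routine. This is an added example, not InterSystems' shipped template or code from this page. The class `MyOrg.Auth.Directory` and its `Verify` method are hypothetical stand-ins for your own credential check, and the argument list and the `Properties("FullName")` and `Properties("Roles")` subscripts are assumed to match the documented ZAUTHENTICATE interface.

```objectscript
#include %occErrors
ZAUTHENTICATE(ServiceName,Namespace,Username,Password,Credentials,Properties) PUBLIC {
    // Default to denial so that every path not explicitly approved fails closed (step 4).
    Set sc = $SYSTEM.Status.Error($$$AccessDenied)
    Try {
        // Never pass empty credentials to the back end; some directories
        // treat an empty password as an anonymous bind that "succeeds".
        Quit:(Username = "")||(Password = "")

        // Hypothetical helper (assumption, not an InterSystems API): returns 1 only
        // when the credentials are valid, and fills in the role list and display
        // name by reference. It must be callable from the %SYS namespace.
        Set ok = ##class(MyOrg.Auth.Directory).Verify(Username, Password, .roles, .fullName)
        Quit:'ok

        // Basic user setup (step 3): these values are written to the user account
        // that InterSystems IRIS creates or updates. Grant only the roles needed.
        Set Properties("FullName") = fullName
        Set Properties("Roles") = roles
        Set sc = $SYSTEM.Status.OK()
    }
    Catch ex {
        // An error in custom code must never turn into a successful login.
        // Do not log the Password argument while diagnosing failures.
        Set sc = $SYSTEM.Status.Error($$$AccessDenied)
    }
    Quit sc
}
```

Returning the same access-denied status for an unknown user, a wrong password and an internal error keeps the response from revealing which check failed.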


For more information on delegated authentication, see delegated authentication.


If you are using HealthShare Unified Care Record, you cannot create a custom version of ZAUTHENTICATE to implement delegated authentication because Unified Care Record comes with its own version of the routine. Instead, you must customize methods in the class HS.Local.ZAUTHENTICATE. For more information, see “Customizing Authentication via Local ZAUTHENTICATE” in the book Authenticating HealthShare Users.
