Customer integration: frontend
  • Moveshelf architecture
  • Deep linking
  • Entra ID (Azure AD) configuration
  • Reauthentication measures
  • HL7 integration

    This page contains concrete information and steps to guide IT specialists when setting up and integrating Moveshelf in their hospital's infrastructure.

    Please be aware that this section is hidden from the general sections of the knowledge base, which cover the use of the Moveshelf application. You can only reach this section by direct URL.



    Moveshelf architecture

    The figure below shows the interaction of Moveshelf with external services. This chapter focuses on frontend integration using deep linking, hence only the top part of the image below will be used.





    Moveshelf provides two separate environments: a staging environment (for development/testing) and a production environment. Each customer has a specific subdomain to access their proprietary data, both on staging (https://< customer-domain >.staging.moveshelf.com) and on production (https://< customer-domain >.moveshelf.com). A customer domain is configured by Moveshelf; please refer to Moveshelf support for assistance.



    Deep linking
    Deep linking is available to generate links that bring a user to an inner section of the site after login. By default all of Moveshelf is password protected and accessible through Single Sign-On (SSO) linked to your organization's Active Directory, or through manual login by password and (optional) email address. By default deep linking does not require any particular action or configuration: sending a specific link to a page is enough to prompt the recipient with a manual login or automatically put them through SSO.
    Subject deep linking
    To access subject-specific data directly from other applications (e.g. HiX), subject deep linking can be used based on the following link structure:
    • Staging: https://< customer-domain >.staging.moveshelf.com/project/< project_id >/subject/< EHR_id >?ehrId
    • Production: https://< customer-domain >.moveshelf.com/project/< project_id >/subject/< EHR_id >?ehrId


    What is needed for this to work:
    • < project_id >: the unique project id for staging and production (a project is a space where subjects and their data are stored, and where you can collaborate with the members of that project). Please contact Moveshelf support to obtain the specific ids.
    • < EHR_id >: the EHR record id of a specific subject (can be substituted on the client side, e.g. using pattern matching).
      See add subject info on how to set up the EHR_id.
    • Access to Moveshelf: login using SSO (for Entra ID (Azure AD) setup, see the section Entra ID) or manual login (read more about the user perspective for password and SSO login).

    When navigating away from a subject-specific page accessed through a deep link, you will be notified about this through a warning (see subject home page).

    A Moveshelf link can be opened in any other modern browser such as Chrome, Edge or Firefox. Internet Explorer is not supported.
    Behavior
    The query string parameter *auto=false* can be used to control the behavior when landing through a deep link. By adding *auto=false* to the end of a deep link, the user can choose to sign in with password and (optional) email address. This is useful, for example, if the user wants to share a deep link with someone outside the organization. With SSO enabled and no *auto=false* provided, the user is immediately sent to SSO when landing on a Moveshelf page.
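    The link structure and the *auto=false* switch described above, as an added example that is not Moveshelf's own code: a small Python helper that builds subject deep links for either environment, appends *auto=false* when a manual login should be offered, and parses a received link to confirm it really points at a customer subdomain of moveshelf.com and follows the documented /project/.../subject/... path. The customer domain, project id and EHR id pattern are constructed placeholders; the EHR id pattern in particular stands in for whatever client-side pattern matching your own EHR identifiers need.

```python
"""Build and check Moveshelf subject deep links.

Added example, not Moveshelf's own code. Link structure from the page:
  https://<customer-domain>[.staging].moveshelf.com/project/<project_id>/subject/<EHR_id>?ehrId
with an optional auto=false to offer password login instead of immediate SSO.
"""
import re
from urllib.parse import parse_qs, quote, urlsplit

ENV_HOSTS = {
    "staging": "{customer}.staging.moveshelf.com",
    "production": "{customer}.moveshelf.com",
}

# Constructed assumptions: a customer domain is a single DNS label, and an EHR id is
# a short token of letters, digits, dots, underscores or hyphens. Replace the EHR id
# pattern with the one that matches your own EHR identifiers.
CUSTOMER_PATTERN = re.compile(r"^[a-z0-9-]{1,63}$")
EHR_ID_PATTERN = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
HOST_PATTERN = re.compile(r"([a-z0-9-]+)(\.staging)?\.moveshelf\.com")
PATH_PATTERN = re.compile(r"/project/([^/]+)/subject/([^/]+)")


def build_subject_link(customer: str, env: str, project_id: str, ehr_id: str,
                       *, auto: bool = True) -> str:
    """Return the subject deep link for the given environment.

    Raises ValueError on malformed input, so a bad EHR id never produces a link
    that silently points at the wrong subject or at a different host.
    """
    if env not in ENV_HOSTS:
        raise ValueError(f"unknown environment {env!r}")
    if not CUSTOMER_PATTERN.match(customer):
        raise ValueError("customer domain must be a single lowercase DNS label")
    if not project_id or "/" in project_id:
        raise ValueError("project id must be a single path segment")
    if not EHR_ID_PATTERN.match(ehr_id):
        raise ValueError("EHR id does not match the expected pattern")
    host = ENV_HOSTS[env].format(customer=customer)
    # quote() keeps each id a single path segment even if the patterns are relaxed later.
    path = f"/project/{quote(project_id, safe='')}/subject/{quote(ehr_id, safe='')}"
    query = "ehrId" if auto else "ehrId&auto=false"
    return f"https://{host}{path}?{query}"


def parse_subject_link(url: str) -> dict:
    """Parse a link and check that it is a Moveshelf subject deep link.

    Returns env, customer, project_id, ehr_id and auto. Raises ValueError if the
    host is not a customer subdomain of moveshelf.com (a look-alike such as
    hospital.moveshelf.com.example is rejected) or the path is not the documented one.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("deep links must use https")
    host = parts.hostname or ""
    hm = HOST_PATTERN.fullmatch(host)
    if not hm:
        raise ValueError(f"host {host!r} is not a Moveshelf customer domain")
    pm = PATH_PATTERN.fullmatch(parts.path)
    if not pm:
        raise ValueError("path is not /project/<project_id>/subject/<EHR_id>")
    # keep_blank_values makes the bare 'ehrId' flag (no '=') show up as a key.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "ehrId" not in qs:
        raise ValueError("missing ehrId query flag")
    return {
        "env": "staging" if hm.group(2) else "production",
        "customer": hm.group(1),
        "project_id": pm.group(1),
        "ehr_id": pm.group(2),
        "auto": qs.get("auto", [""])[0] != "false",
    }


def is_subject_link(url: str) -> bool:
    """Boolean form of parse_subject_link, handy in a client-side allow-list check."""
    try:
        parse_subject_link(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not a real customer or project.
    link = build_subject_link("hospital", "staging", "proj123", "EHR-001", auto=False)
    print(link)
    print(parse_subject_link(link))
```

    The parser is deliberately strict about the host: an EHR-side link handler that only checks for the substring "moveshelf.com" would also accept a look-alike domain, so the example anchors the match on the whole hostname.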



    Entra ID (Azure AD) configuration

    This guide shows what steps are needed to create a Microsoft Entra ID application that can be used with Moveshelf SSO. For now, this guide and Moveshelf's application still refer to this application by its former name: Azure Active Directory (AAD). Please contact Moveshelf support if an alternative solution to Entra ID/AAD is used.

    1. Create the application
       Start by creating a new AAD app.

    2. Fill in application details
       Fill in your application details. Select the supported account types that fit your own case. To connect your organization with our environments, the redirect URI should be:
       • Staging: https://api.staging.moveshelf.com/_private_api/sso/code
       • Production: https://api.moveshelf.com/_private_api/sso/code

    3. Add claims to ID token
       Add the following claims to the application ID token so that Moveshelf receives the information it needs to create and manage the users.

    4. Create a client secret token
       Create a client secret token and write down its Value; you will not be able to retrieve it again. Expiration is handled manually for now; we suggest setting it to 2 years. Write down the Expires date too.

    5. Get application information
       Write down your Application Client ID and Directory Tenant ID.

    6. Configure access to your new application
       By default, all users in your Azure organization will be able to access the application and perform SSO. Our advice is to limit SSO access through this app to the users/groups assigned to it. Therefore you first need to configure access for a user or a group of users (see image 1). Note: we suggest giving key Moveshelf users ownership of the Azure AD group, so that they can independently control access to Moveshelf. To make sure only the configured group has access to Moveshelf, you also have to enable the "User assignment required" option (disabled by default), as shown in image 2.

    7. Send the application information to Moveshelf
       In order to set up your application, send the Application Client ID, the Directory Tenant ID, the secret token Value and its Expires date to Moveshelf support.
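    Before the four values from steps 4 and 5 are sent to Moveshelf support, it pays to check that they are complete and consistent, because the secret Value cannot be retrieved again and its expiry is tracked by hand. The Python below is an added example, not Moveshelf's own tooling: it verifies that both IDs are GUIDs and differ from each other, that the Expires date lies in the future and within the suggested 2 years, reports how many days remain before the secret should be rotated (the 30-day warning window is a constructed assumption, not from this guide), and produces a redacted representation for tickets so the secret Value itself never ends up in a log. The GUIDs and dates in the usage are constructed sample values.

```python
"""Consistency check for the values handed to Moveshelf support after the
Entra ID (Azure AD) app setup. Added example, not Moveshelf tooling."""
from dataclasses import dataclass
from datetime import date, timedelta
import uuid

MAX_SECRET_LIFETIME = timedelta(days=2 * 365)  # the 2-year suggestion from the guide
ROTATION_WARNING = timedelta(days=30)          # constructed assumption, not from the guide


@dataclass
class AppRegistration:
    client_id: str      # Application Client ID
    tenant_id: str      # Directory Tenant ID
    secret_value: str   # client secret Value, only visible at creation time
    expires: date       # client secret Expires date


def make_registration(client_id: str, tenant_id: str, secret_value: str,
                      expires_iso: str) -> AppRegistration:
    """Build a registration record from the values as copied out of the Azure portal."""
    return AppRegistration(client_id.strip(), tenant_id.strip(), secret_value,
                           date.fromisoformat(expires_iso))


def _is_guid(value: str) -> bool:
    """True only for the canonical hyphenated GUID format the portal displays."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def check_registration(reg: AppRegistration, today_iso: str) -> list:
    """Return a list of problems; an empty list means the hand-over data looks sound."""
    today = date.fromisoformat(today_iso)
    problems = []
    if not _is_guid(reg.client_id):
        problems.append("Application Client ID is not a GUID")
    if not _is_guid(reg.tenant_id):
        problems.append("Directory Tenant ID is not a GUID")
    if reg.client_id.lower() == reg.tenant_id.lower():
        problems.append("client ID and tenant ID are identical; one was probably copied twice")
    if not reg.secret_value:
        problems.append("secret Value is empty (it cannot be retrieved again after creation)")
    if reg.expires <= today:
        problems.append("secret has already expired")
    elif reg.expires - today > MAX_SECRET_LIFETIME:
        problems.append("secret lifetime exceeds the suggested 2 years")
    return problems


def days_until_rotation(reg: AppRegistration, today_iso: str) -> int:
    """Days left before the secret should be rotated (Expires minus the warning window).

    Negative means rotation is overdue; use this in a periodic reminder job since
    expiration is handled manually.
    """
    today = date.fromisoformat(today_iso)
    return (reg.expires - ROTATION_WARNING - today).days


def redacted(reg: AppRegistration) -> dict:
    """Representation safe for a support ticket or log: the secret itself is never shown."""
    return {
        "client_id": reg.client_id,
        "tenant_id": reg.tenant_id,
        "secret_value": "***redacted***",
        "expires": reg.expires.isoformat(),
    }


if __name__ == "__main__":
    # Constructed sample values, not a real tenant or application.
    reg = make_registration("3f2504e0-4f89-11d3-9a0c-0305e82c3301",
                            "7a9b0c1d-2e3f-4a5b-8c6d-0e1f2a3b4c5d",
                            "constructed-secret-value", "2026-12-31")
    print(check_registration(reg, "2025-01-15"))
    print(days_until_rotation(reg, "2025-01-15"), "days until rotation")
    print(redacted(reg))
```

    Only the redacted form should go into e-mail or a ticketing system; the secret Value itself belongs in your organization's secret store and in the secure channel agreed with Moveshelf support.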



    Reauthentication measures
    Some organizations have made it part of their information security controls that users of applications should reauthenticate frequently, for example after a user has been active for more than 15 minutes. Technical enforcement of such reauthentication measures can be partially controlled by Moveshelf, and when SSO is enabled, also partially controlled by the IT department of your organization.

    Reauthentication measures controlled by Moveshelf
    By default, Moveshelf requests the user to reauthenticate when the 'Sign out' button in Moveshelf is used.

    It's also possible to turn on a configuration option for your organization which, in addition, triggers reauthentication in the following cases:
    • After 15 minutes of inactivity on Moveshelf (no key presses or mouse movement)
    • After the browser tab is closed

    To turn on the configuration option mentioned above, please contact Moveshelf support.

    Reauthentication measures controlled by the customer's Entra ID (Azure AD)
    When SSO using Entra ID is set up and enabled, the IT department of your organization controls the reauthentication behavior of Entra ID. For example, your organization could decide to require extra security factors when a user attempts to login from outside its local network. In Entra ID terms, this is known as a Conditional Access Policy.



    HL7 integration
    Moveshelf can integrate with HL7 "orders", which are requests for services, commonly used for radiology or lab orders and results. This integration automates such processes in the daily routine of healthcare professionals working with their movement lab(s). Below you will find how Moveshelf integrates with HL7.
    Flow
    1. Moveshelf can receive an order request (an ORM, in HL7 lingo) and based on this request, automatically create a subject and a session in a project.
    2. An operator can then perform measurements in a motion lab. Once the measurements are finished, the operator can upload the results into the created session in Moveshelf.
    3. Afterwards, the operator reviews the results in Moveshelf and then publishes the Moveshelf session to the Electronic Health Record (EHR), using an order result (an ORU, in HL7 lingo). The order result contains a (deep) link that is placed back in the EHR.
    4. This link can be opened from the patient file in the EHR by clinicians to view the data on Moveshelf.
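    The four-step flow above, modelled end to end as an added example that is not Moveshelf's integration code: a minimal HL7 v2 parser reads a constructed ORM^O01 and extracts what is needed to create the subject and session (patient identifier from PID-3, placer order number from ORC-2, service from OBR-4), and a builder produces the ORU^R01 whose OBX carries the subject deep link back to the EHR. Field positions follow general HL7 v2.x conventions; the exact fields Moveshelf reads, the ST value type in OBX-2 and the sending/receiving application names are assumptions for this example, and the message itself is constructed sample data.

```python
"""Minimal model of the HL7 order flow (ORM in, ORU with deep link out).

Added example, not Moveshelf's integration code. Segment and field positions follow
HL7 v2.x conventions; which fields Moveshelf actually uses is an assumption here.
"""
from dataclasses import dataclass

FIELD_SEP = "|"
COMPONENT_SEP = "^"
SEGMENT_SEP = "\r"

# Constructed sample ORM^O01 (not a real message): an order from the EHR for a gait analysis.
SAMPLE_ORM = (
    "MSH|^~\\&|HIX|HOSPITAL|MOVESHELF|LAB|20240301120000||ORM^O01|MSG0001|P|2.5\r"
    "PID|1||EHR-001^^^HOSPITAL||Doe^Jane||19800101|F\r"
    "ORC|NW|PLACER123\r"
    "OBR|1|PLACER123||GAIT^Gait analysis\r"
)


def parse_message(raw: str) -> dict:
    """Return {segment_name: [fields...]} for the first occurrence of each segment."""
    segments = {}
    for seg in raw.strip(SEGMENT_SEP).split(SEGMENT_SEP):
        if not seg:
            continue
        fields = seg.split(FIELD_SEP)
        name = fields[0]
        if name == "MSH":
            # MSH-1 is the field separator itself; re-insert it so indices match the spec.
            fields = [name, FIELD_SEP] + fields[1:]
        segments.setdefault(name, fields)
    return segments


def field(segments: dict, name: str, index: int, component: int = 0) -> str:
    """Fetch field `index` (1-based, HL7 style) of a segment and one of its components."""
    seg = segments.get(name)
    if seg is None or index >= len(seg) or not seg[index]:
        return ""
    components = seg[index].split(COMPONENT_SEP)
    return components[component] if component < len(components) else ""


@dataclass
class OrderRequest:
    control_id: str      # MSH-10, useful for acknowledgements and audit trails
    ehr_id: str          # PID-3: becomes the Moveshelf subject's EHR_id
    placer_order: str    # ORC-2: identifies the session to create
    service: str         # OBR-4 text: what was ordered


def handle_orm(raw: str) -> OrderRequest:
    """Validate an ORM^O01 and extract what is needed to create subject and session.

    Rejects anything that is not an ORM or lacks the identifiers, so a malformed
    order never creates an unlinked subject.
    """
    s = parse_message(raw)
    msg_type = field(s, "MSH", 9, 0)
    if msg_type != "ORM":
        raise ValueError(f"expected ORM, got {msg_type!r}")
    ehr_id = field(s, "PID", 3, 0)
    placer = field(s, "ORC", 2, 0)
    if not ehr_id or not placer:
        raise ValueError("ORM is missing PID-3 (patient id) or ORC-2 (placer order number)")
    return OrderRequest(field(s, "MSH", 10), ehr_id, placer, field(s, "OBR", 4, 1))


def build_oru(order: OrderRequest, customer: str, project_id: str,
              timestamp: str, control_id: str) -> str:
    """Build an ORU^R01 whose OBX carries the subject deep link for the EHR."""
    link = f"https://{customer}.moveshelf.com/project/{project_id}/subject/{order.ehr_id}?ehrId"
    segments = [
        f"MSH|^~\\&|MOVESHELF|LAB|HIX|HOSPITAL|{timestamp}||ORU^R01|{control_id}|P|2.5",
        f"PID|1||{order.ehr_id}",
        f"ORC|RE|{order.placer_order}",
        f"OBR|1|{order.placer_order}||{order.service}",
        # OBX-2 value type ST (string) is an assumption; some EHRs expect RP (reference pointer).
        f"OBX|1|ST|MOVESHELF_LINK^Moveshelf result link||{link}||||||F",
    ]
    return SEGMENT_SEP.join(segments) + SEGMENT_SEP


if __name__ == "__main__":
    order = handle_orm(SAMPLE_ORM)
    print(order)
    print(build_oru(order, "hospital", "proj123", "20240301150000", "MSG0002").replace("\r", "\n"))
```

    The placer order number is echoed back in ORC-2 and OBR-2 of the result so that the EHR can match the link to the order it issued; in a real deployment the interface engine, not this script, decides the exact segment layout and value types.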