NHS CIS Authentication (Spine Security Broker) API
Verify the identity of healthcare workers in England, such as NHS staff, using the Spine Security Broker (SSB) component of the NHS Care Identity Service (CIS). CIS provides single sign-on across local and national digital services using physical and virtual smartcards.
This API is in production but deprecated. For details, see API status.
Overview
Use this API to verify the identity of healthcare workers in England, such as NHS staff. It provides a single sign-on capability across local and national digital services using physical and virtual smartcards.
This API is also known as the Spine Security Broker (SSB), and is part of the NHS Care Identity Service (CIS).
You can:
- access the Identity Server which serves up SSO Tokens and manages the sessions for users who have been successfully authenticated
- access the Identity Agent on the end user's workstation, which mediates the authentication transaction and serves subsequent user information on demand as part of the application's authorisation process
- access the Client Signing Interface, which provides client-side digital signing functions for the purposes of Content Commitment. This interface primarily uses cryptographic functions that execute on a user’s smartcard.
Users can only be authenticated if they are formally registered on the Spine. This includes creating a user profile, stored in the Spine Directory Service (SDS), containing the user’s roles and other information that the Registration Authority or Service deems necessary to make appropriate data access decisions.
This authentication service uses smartcards to provide strong authentication for healthcare workers to control access to national services. It is being replaced by NHS CIS2 Authentication, which provides additional authentication methods for scenarios where a smartcard might not be preferred or appropriate.
This API is described fully in the Spine External Interface Specification (EIS). Part 6 has the overview and part 7 the formal API specifications. These are a set of Word documents that provide system developers - architects, designers and builders - with the necessary information to connect to Spine national services.
Who can use this API
This API can only be used where there is a legal basis to do so. Make sure you have a valid use case before you go too far with your development.
You must have made this request before you can go live (see 'Onboarding' below).
API status
This API is in production but deprecated and is due to be retired on 30 September 2023.
If you are developing a new integration, we strongly recommend using the NHS CIS2 Care Identity Authentication API instead.
If you have any concerns, contact us.
Service level
This API is a platinum service, meaning:
- it is operational and supported 24 hours a day, 365 days a year
- it has an availability of 99.9% in supported hours
For more details, see service levels.
Technology
This API is a SOAP API.
For more details, see Basic SOAP.
Network access
You need an HSCN connection to use this API. This is because the client-side Identity Agent component requires HSCN to talk to its server-side counterparts.
For a similar API that is available on the internet, consider NHS CIS2 Care Identity Authentication API.
For more details, see Network access for APIs.
Environments and testing
You can test this API using our Path to Live environments.
Onboarding
You must get your software onboarded before it can go live.
Contact us before onboarding with this API. It uses the Common Assurance Process (CAP), which is tailored for each NHS service.
Interactions
For a full list of interactions for this API, see the Spine External Interface Specification (EIS), specifically:
Last edited: 14 September 2023 5:17 pm