Onboard to NHS CIS2 Authentication
The NHS CIS2 Authentication onboarding process is a series of simple steps to guide your organisation through everything you'll need to achieve conformance, and help you plan the amount of effort and time required.
- provide health and care professionals with better authentication options
- make clinical information systems available, when and where they are needed
- be a step towards easier access to systems that do not need several different logins
Onboarding summary
You need to get your software approved by us before it can go live with NHS CIS2 Authentication. We call this onboarding.
This page contains all the information you'll need to complete the onboarding process successfully, and helps you plan the amount of effort and time required. Please review all the steps before you start: you do not need to complete them in order, and working through them strictly in sequence may delay your work.
Understanding the authentication capabilities with NHS CIS2 Authentication will help you decide if it's the right solution for your users. You should read and understand the different ways you can authenticate using NHS CIS2 Authentication.
Our guidance for developers includes information on how to integrate with NHS CIS2 Authentication, along with further help and support. We recommend you read this guidance prior to applying to use the service.
1. Apply to use NHS CIS2 Authentication
When you're ready to onboard to NHS CIS2 Authentication, please complete the NHS CIS2 Service Assessment Questionnaire (SAQ).
Completing the questionnaire will help the NHS CIS2 Onboarding team to understand your use case and assess whether NHS CIS2 Authentication is the correct service for users accessing your application.
What happens next
We'll review your application within 5 working days and contact you regarding the appropriate next steps. We may need to speak to you if we need more information or to clarify your requirements.
We'll add you to our email distribution list, where you'll receive information on changes to the service, feature updates and upcoming releases. Please do not complete any further steps until you've received a response to your questionnaire.
Your onboarding journey continues through the steps below.
2. Register for digital onboarding
To continue your onboarding journey, you need to register for digital onboarding. We'll ask you for the information we need to assess and approve your use of NHS CIS2 Authentication.
If you've already registered we'll let you know, and whether the product you are onboarding to NHS CIS2 Authentication has been added.
Follow the instructions on the digital onboarding guidance page to:
- register your personal developer account
- set up your organisation and team
- add your product
Digital onboarding is currently available to partners by invitation only. If you had to register your organisation and product, please let us know when this has been completed so we can add NHS CIS2 Authentication to your product.
We'll contact you once NHS CIS2 Authentication has been added to your product.
3. Confirm your use case
You must confirm you have a valid use case.
You’ll need to give us details of your product and what it does. You’ll also need to explain why NHS CIS2 Authentication is the right authentication tool for your service.
Complete the 'Setup and eligibility' stage of your digital onboarding
- Sign in to digital onboarding (If you haven't created an account yet, follow the instructions on the digital onboarding guidance page to get set up).
- Go to product onboarding.
- Select your product - this will open the conformance questions for your product.
- Complete the 3 sections within the 'Setup and eligibility' stage.
- Submit the 3 sections for review.
Completing the use case section
Before you submit the use case section you should:
- read and understand the developer guidance
- understand any key dependencies you may have
- have an idea of the number of authentications your users will make
- have an idea of any key dates you need to meet, for example your go live date
Next steps
We'll review your answers within 5 working days and may contact you if we need more information.
4. Plan your journey
It's likely that you already have a plan or target date in mind for completing your conformance with NHS CIS2 Authentication. The steps described in this onboarding guide will help plan your integration.
We want you to achieve your targets, and as each project is different this guidance may not cover all the issues you'll encounter. With that in mind we recommend you share your plan with us as we may be able to offer advice to avoid issues we've seen before.
Your high level plan should include your anticipated dates for:
- starting the conformance process
- submitting your responses to the conformance questions in the digital onboarding service
- testing
- achieving conformance
- your first site to go live
Your plan should include rollout details through to your last site and information that demonstrates how you intend to do so in a controlled manner.
You are expected to give us an idea of the patterns and volumes of user authentications required throughout the rollout process.
Areas to consider
- Keep things simple to start with - a basic end-to-end authentication can be implemented in a few days.
- Accessing the userinfo endpoint is required to obtain RBAC data. You will need this if you control permissions within your application or you are integrating with any of the national APIs.
- Other aspects required for the overall solution, such as session management, security considerations and conformance requirements can now be focused on.
- If you are integrating with other national APIs (PDS, EPS, e-RS, etc), these are only available in the INT environment so factor that into your planning to enable end-to-end testing.
- Don't underestimate how long the conformance process may take. We are working with a lot of implementation teams and may have to adjust our response times during busier periods, so please take this into account.
- Think about which authenticators may be best for your development team, but also what authenticators your end users will be using. The majority of existing users will be using smartcards over HSCN, so consider testing with these if you have access to HSCN, but it's not mandatory.
- If you are deploying to new user groups, review the authenticators we support as you may find they are a better fit for your use case. Don't assume that smartcards are the only option.
- Consider how you will deploy your solution to your customers. You may have one instance used by all customers or one instance per customer.
- Think about how long it will take for you to deploy the solution to all your customers.
CIS1 to CIS2 Authentication Migration
If you are migrating from CIS1 to CIS2 Authentication, as part of your solution you need to ensure that you are removing all CIS1 dependencies.
Systems that use CIS1 Authentication may have been around for many years and the touch points for CIS1 Authentication may not be known by the current technical team. We recommend regression testing your current application using one of the other authenticator options via CIS2 Authentication rather than just using Smartcards over HSCN as this will help identify any remaining CIS1 dependencies.
Where a CIS1 token is used to access NHS England APIs, you will need to consider how this changes when using CIS2 Authentication - see migrating APIs from CIS1 to CIS2.
During the technical conformance test we will require you to use one of the alternative authenticators to conduct this test to ensure CIS1 dependencies have been removed.
Next steps
When you share your plan with us we'll be able to:
- make you aware of any dependencies you might not be aware of
- prepare to support you through your journey
- understand your critical path and whether we are on it (typically we are not a critical path item)
5. Complete the non-functional requirements
As part of your solution design, it's important to answer some key questions around:
- handling data securely
- managing clinical risk
- using our production environment
- how you can register your product for the NHS Digital National Service Desk
We can provide input into your solution to ensure you meet our non-functional requirements and avoid common mistakes.
Complete the 'Non-functional requirements' stage in digital onboarding
- Sign in to digital onboarding (if you haven't created an account yet, follow the instructions on the digital onboarding guidance page to get set up).
- Go to product onboarding.
- Select your product - this will open the conformance questions for your product.
- Complete the 4 sections within the 'Non-functional requirements' stage.
- Submit the 4 sections for review.
There are 4 sections to complete in this stage:
- Declare data security and information security.
- Implement a clinical risk management process.
- Register for service and incident management.
- Declare your medical device status.
Next steps
We will review your answers within 5 working days and may request additional information through the digital onboarding feedback mechanism.
6. Confirm your technical design
As part of your technical design, there are a number of areas that we recommend you review in detail as key items for conformance with NHS CIS2 Authentication. Our experience is that these are the typical areas where we see the most feedback and delays in systems achieving conformance. Time spent now looking at these areas will undoubtedly save time later in the process.
Care Identity button
To introduce a familiar feel for users and to help them understand that they can use their Care Identity to log in, we introduced the Care Identity button. You should add this to your application to initiate the login by CIS2 Authentication.
If you need any advice once you've reviewed the technical documentation and decided on your technical design, please contact us at [email protected]
Client authentication mechanisms
We support a number of client authentication mechanisms, but highly recommend that systems use Private Key JWT. This puts the system owner in control of the key pairs used to secure the client token request and enables them to support seamless transition to a new keypair through key rollover.
Session management
This section of the conformance process is where we see the most feedback. We have simplified the process to target the information we need.
The key areas we review are:
- inactivity timeout - our recommendation is a timeout of 15 minutes (if you require a longer timeout you must provide a detailed reason)
- the use of the prompt and max_age parameters - crucial components to support your session management approach
See more details on session management.
Back-channel logout
While back-channel logout is not mandatory in all cases, it's recommended especially where you expect a significant percentage of users will be accessing your system using smartcards over HSCN. Existing smartcard users are used to removing their smartcard to terminate their session, and back-channel logout replicates this functionality while also providing an increased level of session management for your application.
Use of email scope
The email scope should be used with caution and should not be used to match identities. This is because the email address is not a mandatory field in a user’s Care Identity profile and is not validated: a user may have no email address recorded, it may not be their current email address, or it may be a shared email address.
A user’s identity can instead be matched using any of the following claims (shown as scope | claim), as they all contain the same value.
- profile | uid
- nhsperson | nhsid_useruid
- nationalrbacaccess | nhsid_userid
7. Get access to the integration environment
The integration environment (INT) is where you'll develop, test and demonstrate your solution meets our technical conformance requirements.
At this stage we expect your INT configuration to mirror what you plan to use in production, and to match your responses to the technical conformance requirements in step 8. It will also be reviewed during the conformance test in step 9. Any discrepancies will delay achieving conformance.
In order to access the integration environment, you need to provide configuration information such as:
- Redirect URI - it's important that you provide a valid redirect URI. Some example redirect URIs are:
- If you wish to have userinfo responses signed, please also include the algorithm to be used. The algorithms that are supported are defined in each of the OpenID Provider Configuration Documents at one of the well-known endpoints listed below, but typical values we see used are RS256 or RS512.
- Back-channel logout endpoint - to register for back-channel logout notifications, the client must provide a single public internet facing endpoint where NHS CIS2 Authentication can POST a logout token. This configuration is part of the OIDC client registration. The endpoint must be secured with HTTPS, accessible by a public DNS domain and present a server certificate matching its FQDN. The certificate presented must include a full certificate chain to a trusted public root CA e.g. DigiCert. For more details see back channel logout.
- Security pattern used - the OIDC standard has a number of ways to prove your application is the legitimate connecting party. Select which one you want to use - the most secure option is Private Key JWT, but we recognise that not all software supports this. If you cannot use this, make sure it's on your backlog or roadmap for future phases. For more details on these options see client authentication credentials - options available are:
- Client Secret
- Private Key JWT
This configuration is controlled by our configuration tool called Connection Manager which allows you to submit and manage your CIS2 Authentication configuration. Please note that Connection Manager is only available in the Path To Live (PTL) environments.
To access Connection Manager, please submit your Team ID as detailed in the document 'Providing your Team ID' that was included in the 'Welcome to CIS2' email you would have received as part of step 1.
Obtain UserIDs (UUIDs)
As with all the PTL environments, user IDs are needed in the integration environment. These are known as UUIDs in CIS2 Authentication.
UUIDs are specific to each environment, so an INT UUID will not work in PROD and vice versa. Typically INT ones start with 5552 or 5553.
If you have previously integrated with CIS1, you may already have smartcards for an environment (and therefore UUIDs). These will continue to work with CIS2 Authentication.
If you require new UUIDs, make a smartcard request for a Path to Live environment. This process is still used if you just require a UUID, for example if you are going to be only using security keys. There is an option to advise that you do not require a smartcard to be sent to you. This process is managed by our ITOC team.
You will need to ask for resources/users to be set up.
Any subsequent changes to identity set up can be made by contacting the ITOC team directly at [email protected]
If you don't already have particular permission/role requirements for your application, then use these values when requesting that a user be set up:
- Org Code: A9A5A
- Org Name: NHSID DEV
- Role Code: R8015
Authenticators in PTL
All our PTL environments support the same authenticators available in the production environment. The choice of authenticator doesn't change how you integrate your application with NHS CIS2 Authentication, but may simplify how your development teams work.
Options to consider when assessing which authenticator to use:
- While some end users are still using smartcards over HSCN, there is no requirement to test with smartcards over HSCN: the authentication flow is the same for all authenticators, so you can use any of the supported authenticators for testing. The only exception is when testing for AAL3, where you can't use an AAL2 authenticator.
- For remote teams where an HSCN connection may not be available, we support authenticators that work over the internet without the need for a HSCN connection: smartcards that authenticate over the internet, security keys and Windows Hello. For offshore teams, security keys are a good choice as they are easy to purchase and can be registered remotely. They also have the advantage of not requiring any additional software to be installed.
- Each person in your team can use a different authenticator, and a user's identity (UUID) can be bound to multiple authenticators, which helps support the variety of working patterns your team may require.
While smartcards are provided centrally by NHS England, the other authenticators are not and must be purchased separately. NHS England also do not supply smartcard readers for system integrators and these must also be purchased separately. There are many different manufacturers of smartcard readers, whose drivers need to interact with a vast combination of different platforms, software, hardware and setups. Find out more about the smartcard readers we support.
If you have any questions about which authenticators your teams should use, please contact us to discuss.
Development machine set up
Little set-up specific to NHS CIS2 Authentication is required on development machines. No additional software is required to use security keys or Windows Hello. NHS Identity Agent, NHS Credential Management and the relevant drivers are required to use smartcards over HSCN, along with an HSCN connection. The set-up is the same as for a smartcard user workstation; an HSCN connection is needed to download the necessary software.
Next steps
The process to set up access to the integration environment takes 1 to 2 days depending on your requirements.
8. Complete technical conformance in digital onboarding
The technical conformance section is the most important for NHS CIS2 Authentication. It is where you explain how your solution meets our technical requirements. To minimise delays in achieving conformance your answers will need to be comprehensive and address all points raised in each question. Each question should be self-explanatory and will include supporting information where necessary.
You should already be familiar with our technical requirements as you should have referred to them while completing your technical design.
Please do not submit these sections until you have a working solution in the INT environment as we will not review them. The solution should mirror how your production solution would work, e.g. use of UserInfo endpoint, Back-channel Logout, Session Management etc.
Complete the 'Technical conformance requirements' stage of your conformance questions
- Sign in to digital onboarding (if you haven't created an account yet, follow the instructions on the digital onboarding guidance page to get set up).
- Go to product onboarding.
- Select your product - this will open the conformance questions for your product.
- Complete the 2 sections within the 'Technical conformance requirements' stage:
- demonstrate your product meets the core conformance criteria
- demonstrate technical conformance for NHS CIS2 Authentication
- Submit the 2 sections for review.
Completing the 'Demonstrate your product meets the core conformance criteria' section
We will ask you some questions about your data processing activities, including:
- what personal data is being processed
- the purpose and legal basis for processing it
There is useful information contained in the ICO advice and checklists about controllers and processor roles that will help when answering these questions. You can learn more about what counts as personal data.
Regardless of whether your product is new or existing, you must complete a penetration test to CHECK standards.
The safety case and hazard log should include evidence that new hazards or increased risk have been identified and managed effectively through detailed risk analysis, risk evaluation and risk control.
You can learn more about clinical risk management standards information.
Completing the 'Demonstrate technical conformance for NHS CIS2 Authentication' section
Each question should be self-explanatory and will include supporting information where necessary. You should already be familiar with our technical requirements as you should have referred to them while completing your technical design.
If you have any questions about this section please contact us at [email protected]
Next steps
We’ll review your responses and may ask you for additional information through the digital onboarding feedback mechanism.
9. Demonstrate technical conformance
Once you have completed your technical implementation, you will need to perform an end-to-end technical conformance test to demonstrate adherence to the required standards. When you are ready to complete the test, please contact us at [email protected] giving us at least 2 weeks' notice.
We'll then do some background checks to validate you meet our requirements. These include:
- checking that you have a configuration in our INT environment
- checking that you have authentication functioning in INT
- checking that you are successfully receiving logout tokens from us if you are using back-channel logout
- checking that your solution is deployed to a test environment and is not running on a local developer machine (i.e. localhost)
Demonstrating the end to end authentication of your product
This formal technical conformance test takes place in the integration environment and takes around 2 hours to complete.
If you are migrating from CIS1 to CIS2 Authentication, you will be required to perform the technical conformance test using one of the alternative authenticators other than smartcards over HSCN. The reason for this is to validate that you have removed all CIS1 dependencies from the authentication process.
To run the test, you will need to advise us of the:
- IP address of the user device used to perform the test
- IP address of the server component used to perform the test
- UUID of the user identity used to perform the test
- authenticator you'll be using to perform the test
You will be asked to demonstrate the following:
- authentication
- back-channel logout
- session management
- Care Identity button
Next steps
Once you've completed your test, we'll issue a solution assurance certificate to you within 5 working days.
10. Sign the Connection Agreement
Before you can use NHS CIS2 Authentication in a production environment, you must sign a Connection Agreement. This will be issued following completion of the non-functional requirements as detailed in section 5. The Connection Agreement is a legal document that sets out your obligations.
You can download a sample Connection Agreement to review on the Digital Onboarding Service page.
If you have previously signed a Connection Agreement, we will re-issue the existing document. In some cases you might need to re-sign it.
You demonstrate and declare your conformance to use NHS England APIs through the digital onboarding service. The Connection Agreement is the contract you sign to legally commit to the details you have provided.
This is a legally binding agreement with NHS England and confirms that the responses and declarations made throughout this onboarding process are accurate and complete.
The signatory must be an officer of the organisation with appropriate authority to make this assertion and accept the terms of the agreement.
You must sign and upload your Connection Agreement before the onboarding process can be completed and you get production access.
11. Complete and submit your live config
Once you've signed your Connection Agreement, you can define and submit your configuration for live.
The configuration for your live environment should replicate your INT configuration and needs to include the following:
- Production Redirection URIs
- Production Backchannel Logout URI
- Security pattern used (Client Secret or Private Key JWT)
- JWKS endpoint URI (only required for Private Key JWT)
- Token Endpoint Signing Algorithm (only required for Private Key JWT)
- If userinfo responses should be signed, including signing algorithm to be used
Double-check that all the URIs are formatted correctly.
Once you've submitted your config to us, please allow a minimum of 2 weeks for us to deploy your configuration and resolve any issues.
12. Go live with your software
You've completed your conformance, demonstrated adherence to the required standards, signed the Connection Agreement and submitted your live config. Your service can now go live.
Health and care professionals can now access your clinical information system conveniently, securely and reliably.
Next steps
We will ensure your handover to live services for ongoing support is as smooth as possible. There are some things to consider to make sure you stay compliant while in live.
13. Once you're live
As you continually improve and change your system you will need to stay compliant. This typically means submitting updated responses to the conformance questions in the digital onboarding service.
You'll be asked to re-submit updated responses, even when live, if:
- you change how your service works
- we change how compliance is met
As we make updates and improvements to NHS CIS2 Authentication, we'll contact you with information about upcoming releases and how you might be affected.
NHS CIS2 Authentication change and release process
We are continually assessing our service and looking to improve it in line with security standards, updated compliance and identified user needs. As such, we typically release an update once a month that contains new features and improvements.
We publish all past and future release information and will email you with information about upcoming releases with plenty of notice.
We aim to make releases non-breaking and they normally are. Breaking changes are rare and will be clearly identifiable. We'll work with you to help you understand what changes are breaking and what needs to be done to ensure your application continues to work.
Support
You can get support by going to the NHS Digital Customer Portal or emailing [email protected]
Last edited: 2 December 2024 1:18 pm