NHS Identity Agent configuration and registry settings
How to set up NHS Identity Agent and set the correct registry settings to optimise the software on a user's workstation.
A new Identity Agent installation creates no registry entries; the agent runs entirely from its built-in defaults. To override any of those defaults, the sub trees (keys) listed under Background must first be created manually in the registry.
With a default installation, NHS Digital Identity Agent v2.4.5.0:
- will authenticate against the live Spine environment
- will be in ‘Normal’ mode
- will not launch any web browser applications on login
- will close down all browser sessions on logging out
- will not create any entries in the registry
Download Identity Agent v2.4.5.0 (needs HSCN connection).
The agent is supplied with built-in defaults for all settings, meaning that by default there will be no settings present in the registry (including the directory path). The built-in defaults can be largely overridden through the application of specific registry values either directly or via Group Policy settings using an Administrative Template.
To help with this, download our simple-to-use IA Registry Editor Tool, which can be used to quickly update registry settings, including switching between different Path to Live environments.
You need admin rights on the workstation to change registry settings.
Registry settings should only be changed by a trained member of your IT or RA team. Making a mistake in a registry update can have consequences that mean a workstation will not operate properly and may have to be rebuilt.
Background
The Identity Agent will attempt to read settings from three separate areas of the registry. The locations have different purposes, and this is reflected in the order in which they are prioritised. The priority order is controlled by Windows and not the Identity Agent.
- Set by Group Policy: settings applied by Group Policy. System administrators can create their own Administrative Template(s) from the registry setting information in this document for policy rollout if required. Do not create or modify settings in this part of the registry manually or via a script. These settings always take precedence.
- All Users (Local Machine): machine-wide settings that apply to any user who logs in to the system. They are specific to the machine, and a user always adopts them in preference to Current User settings.
- Current User – these settings apply only to the current logged in user and will persist with the user profile. If the user has a roaming profile, then the settings will travel with the user between machines.
The Identity Agent runs as a 32-bit process regardless of whether the OS is 32-bit or 64-bit. On 64-bit Windows, WOW64 redirects a 32-bit process’s view of HKLM\SOFTWARE to HKLM\SOFTWARE\Wow6432Node, while HKLM\SOFTWARE\Policies and HKCU\SOFTWARE are shared between 32-bit and 64-bit processes. The All Users path is therefore the only one that changes with the OS variant, and any 64-bit tool or script that writes these values must use the Wow6432Node path explicitly:
- 32-bit Operating System:
  - Set by Group Policy: HKLM\SOFTWARE\Policies\HSCIC\Identity Agent
  - All Users: HKLM\SOFTWARE\HSCIC\Identity Agent
  - Current User: HKCU\SOFTWARE\HSCIC\Identity Agent
- 64-bit Operating System:
  - Set by Group Policy: HKLM\SOFTWARE\Policies\HSCIC\Identity Agent
  - All Users: HKLM\SOFTWARE\Wow6432Node\HSCIC\Identity Agent
  - Current User: HKCU\SOFTWARE\HSCIC\Identity Agent
Please review the settings below to ensure that they are appropriate for your configuration, and that the secure operation of any other application that exposes patient identifiable or sensitive data under a Spine authentication context is considered.
- After making registry changes, stop and restart NHS Digital Identity Agent v2.x so that they take effect; not all registry changes are picked up dynamically.
- Without any explicit registry settings, NHS Digital Identity Agent v2.x operates in ‘Normal’ mode, authenticates against the live Spine environment and closes all web browsers on logging out of Spine.
- To enable Mobility mode, set ‘MobilityPersistence_Available’ to ‘true’. The mode is then toggled on and off from the passcode form (‘Work with Smartcard removed’) on a per-login basis; the previous choice is not retained and the toggle always defaults to off.
- If ‘MobilityPersistence_Available’ is ‘true’ but the ‘Work with Smartcard removed’ toggle is left off, the agent falls back to the next mode set to ‘true’ in the registry, and to Normal mode if no other mode is enabled. If the user needs to preserve the session as well as work with the Smartcard removed, enable both Session Lock and Mobility modes in the registry.
- To enable Session Lock mode, set ‘SessionLockPersistence_Enabled’ to ‘true’.
- To enable Enhanced Normal mode, set ‘EnhancedNormalMode’ to ‘true’. This makes Identity Agent v2.x behave as Identity Agent v2.1.2.16 did when running in Normal mode.
- Where more than one of these modes is enabled in the registry, they take precedence in the order described above: Mobility (when toggled on), then Session Lock, then Enhanced Normal, then Normal.
- On logging out of Spine, NHS Digital Identity Agent v2.x by default closes the following browsers running under the current user context: Internet Explorer, Chrome and Firefox. To alter this behaviour, consider using the ‘ProcessesToKill’ registry key detailed below.
- The ‘RoleSelectionGETPOSTURL’ and ‘LogoffPOSTURL’ entries are no longer required; NHS Digital Identity Agent v2.x now derives these programmatically.
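The following PowerShell pulls together the three registry locations under Background and the mode precedence just described, so an administrator can see which location supplies each value and which mode the agent will end up in. It is an added example for this page, not the IA Registry Editor Tool or any code from NHS Digital; the function names are the editor’s own, and it assumes the mode flags are REG_SZ values holding ‘true’ or ‘false’ (the page gives the value names but not their registry type). Run it from 64-bit PowerShell on 64-bit Windows so that the Wow6432Node path is addressed explicitly; reading works as a standard user, writing to the All Users key needs an elevated prompt.

```powershell
# Added example: resolve effective Identity Agent settings and the resulting mode.
# Not part of the NHS Digital page. Function names and the REG_SZ 'true'/'false'
# assumption are the editor's own.

function Get-IARegistryPaths {
    # Returned in precedence order: Group Policy, then All Users, then Current User.
    $allUsers = if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\Wow6432Node\HSCIC\Identity Agent'   # 32-bit agent on 64-bit Windows
    } else {
        'HKLM:\SOFTWARE\HSCIC\Identity Agent'
    }
    [ordered]@{
        'Group Policy' = 'HKLM:\SOFTWARE\Policies\HSCIC\Identity Agent'
        'All Users'    = $allUsers
        'Current User' = 'HKCU:\SOFTWARE\HSCIC\Identity Agent'
    }
}

function Get-IAEffectiveSetting {
    # The first location that defines the value wins; otherwise the built-in default applies.
    param([Parameter(Mandatory)][string]$Name, $Default = $null)
    foreach ($location in (Get-IARegistryPaths).GetEnumerator()) {
        if (-not (Test-Path -LiteralPath $location.Value)) { continue }
        $item = Get-ItemProperty -LiteralPath $location.Value -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Name = $Name; Value = $item.$Name; Source = $location.Key }
        }
    }
    [pscustomobject]@{ Name = $Name; Value = $Default; Source = 'Built-in default' }
}

function Test-IAFlag {
    # Assumption: flags are REG_SZ strings; anything other than 'true' counts as off.
    param([Parameter(Mandatory)][string]$Name)
    $value = (Get-IAEffectiveSetting -Name $Name -Default 'false').Value
    return ([string]$value).Trim().ToLowerInvariant() -eq 'true'
}

function Get-IAMode {
    # Precedence from the page: Mobility (only if the user also switches on 'Work with
    # Smartcard removed' at login), then Session Lock, then Enhanced Normal, then Normal.
    param([switch]$WorkWithSmartcardRemoved)
    if ((Test-IAFlag 'MobilityPersistence_Available') -and $WorkWithSmartcardRemoved) { return 'Mobility' }
    if (Test-IAFlag 'SessionLockPersistence_Enabled') { return 'Session Lock' }
    if (Test-IAFlag 'EnhancedNormalMode') { return 'Enhanced Normal' }
    return 'Normal'
}

function Set-IAAllUsersValue {
    # A fresh install has no keys at all, so create the All Users key before writing. Needs admin.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Value)
    $path = (Get-IARegistryPaths)['All Users']
    if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -LiteralPath $path -Name $Name -Value $Value -PropertyType String -Force | Out-Null
}

# Audit: where does each mode flag come from, and which mode results?
foreach ($flag in 'MobilityPersistence_Available', 'SessionLockPersistence_Enabled', 'EnhancedNormalMode') {
    Get-IAEffectiveSetting -Name $flag -Default 'false'
}
"Mode with the toggle left off: $(Get-IAMode)"
"Mode with the toggle switched on: $(Get-IAMode -WorkWithSmartcardRemoved)"

# To enable Session Lock alongside Mobility (elevated prompt), then restart the agent:
# Set-IAAllUsersValue -Name 'MobilityPersistence_Available' -Value 'true'
# Set-IAAllUsersValue -Name 'SessionLockPersistence_Enabled' -Value 'true'
```

The Source column in the audit output is the useful part: a flag reported from ‘Group Policy’ cannot be changed locally, and a flag reported from ‘Current User’ will follow a roaming profile to other workstations, which matters when the mode controls how long a session survives with the Smartcard removed.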
Mobility mode
A key feature of ‘Mobility mode’ is that the user is periodically asked to re-authenticate, either with one factor (presenting the Smartcard) or with two factors (presenting the Smartcard and entering the passcode).
The timings of these events can be specified by the use of ‘Config Themes’ - pre-set collections of mobility timer settings. The possible registry values for this setting are ‘off’ (default), ‘Minimal’, ‘Medium’, and ‘Maximum’. The individual values for these timers are described below:
Timer | Default | Minimal | Medium | Maximum
Time allowed idle before one-factor reverification is forced | 300s | 60s | 180s | 300s
Regardless of activity, time allowed before one-factor reverification is forced | 1800s (30m) | 900s (15m) | 1800s (30m) | 3600s (1h)
Regardless of activity, time allowed before two-factor reverification is forced | 7200s (2h) | 3600s (1h) | 7200s (2h) | 14400s (4h)
Advance System Tray notification before idle timer prompt | 60s | 20s | 60s | 120s
Advance System Tray notification before one-factor reverification prompt | 180s | 120s | 180s | 180s
Advance System Tray notification before two-factor reverification prompt | 420s | 300s | 600s | 600s
Window before the two-factor timer expires during which a one-factor reverification (forced, or triggered by the user presenting the Smartcard voluntarily) is upgraded to a two-factor reverification, so that a two-factor prompt is not required shortly after a one-factor one | 900s (15m) | 600s (10m) | 900s (15m) | 1200s (20m)
Countdown timer on the one-factor reverification form | 240s | 120s | 240s | 240s
Countdown timer on the two-factor reverification form | 240s | 240s | 240s | 240s
Path-to-Live environments
The Identity Agent can be configured to operate against alternate environments through the use of registry settings.
This table lists the Path-to-Live environments and their respective settings:
Environment | Registry setting | Value
NIS1 (INT) | ActivatePOSTURL |
VNIS1 (DEP) | ActivatePOSTURL |
TSP (TRAINING) | ActivatePOSTURL |
Live | ActivatePOSTURL |
Note: the value for Live is listed for reference only; it is not necessary to set an ActivatePOSTURL value in the registry to authenticate against the live environment.
In the event that the certificates for Path-to-Live are updated, the latest certificates for the environments can be downloaded from the URL below. Follow the link for ‘Root and SubCA Certificates’.
https://digital.nhs.uk/services/path-to-live-environments
These certificates must be installed into the Local Machine certificate stores so that they apply to all users of the workstation, which requires administrative rights. Contact your local ICT department to arrange this.
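The environment switch and the certificate installation above can be scripted as follows. This is an added example for this page, not the IA Registry Editor Tool or any NHS Digital code. It assumes ActivatePOSTURL is a REG_SZ value under the All Users key (the page lists the value name but not its type); the per-environment URLs are not reproduced on this page, so the documented URL for the target environment has to be supplied. The function names and the HTTPS check are the editor’s own. Run from an elevated 64-bit PowerShell.

```powershell
# Added example: switch a workstation between Path-to-Live environments and install the
# PTL certificates machine-wide. Not NHS Digital's tool. Assumes ActivatePOSTURL is a
# REG_SZ value under the All Users key; the environment URLs are not on this page.

$IAAllUsersKey = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\HSCIC\Identity Agent'   # 32-bit agent on 64-bit Windows
} else {
    'HKLM:\SOFTWARE\HSCIC\Identity Agent'
}

function Set-IAEnvironment {
    [CmdletBinding(DefaultParameterSetName = 'Live')]
    param(
        [Parameter(ParameterSetName = 'Ptl', Mandatory)][string]$ActivatePostUrl,
        [Parameter(ParameterSetName = 'Live')][switch]$Live
    )
    if ($PSCmdlet.ParameterSetName -eq 'Live') {
        # Live needs no ActivatePOSTURL: removing the value returns the agent to its built-in default.
        if (Test-Path -LiteralPath $IAAllUsersKey) {
            Remove-ItemProperty -LiteralPath $IAAllUsersKey -Name 'ActivatePOSTURL' -ErrorAction SilentlyContinue
        }
        return
    }
    $uri = $null
    if (-not [uri]::TryCreate($ActivatePostUrl, [UriKind]::Absolute, [ref]$uri)) {
        throw "ActivatePOSTURL must be an absolute URL: '$ActivatePostUrl'"
    }
    if ($uri.Scheme -ne 'https') {
        # Editor's assumption: activation endpoints are HTTPS. A plain-HTTP target would expose
        # the authentication exchange on the network, so refuse rather than write it.
        throw "Refusing to point the agent at a non-HTTPS activation endpoint: '$ActivatePostUrl'"
    }
    if (-not (Test-Path -LiteralPath $IAAllUsersKey)) { New-Item -Path $IAAllUsersKey -Force | Out-Null }
    New-ItemProperty -LiteralPath $IAAllUsersKey -Name 'ActivatePOSTURL' -Value $uri.AbsoluteUri `
        -PropertyType String -Force | Out-Null
}

function Install-IAPtlCertificates {
    # Root certificates belong in LocalMachine\Root and SubCA certificates in LocalMachine\CA,
    # so that every user on the machine trusts the chain. Requires an elevated prompt.
    param(
        [Parameter(Mandatory)][string[]]$RootCertPath,
        [Parameter(Mandatory)][string[]]$SubCaCertPath
    )
    $imported = @()
    foreach ($file in $RootCertPath) {
        $imported += Import-Certificate -FilePath $file -CertStoreLocation 'Cert:\LocalMachine\Root'
    }
    foreach ($file in $SubCaCertPath) {
        $imported += Import-Certificate -FilePath $file -CertStoreLocation 'Cert:\LocalMachine\CA'
    }
    # Show what was just trusted so the subject and thumbprint can be checked against the download.
    $imported | Select-Object Subject, NotAfter, Thumbprint
}

# Usage (elevated), followed by a restart of the Identity Agent so the change is picked up:
# Install-IAPtlCertificates -RootCertPath .\ptl-root.cer -SubCaCertPath .\ptl-subca.cer
# Set-IAEnvironment -ActivatePostUrl 'https://<documented NIS1 activation URL>'
# Set-IAEnvironment -Live    # back to live: removes ActivatePOSTURL
```

Writing to the All Users key rather than Current User keeps the environment choice machine-specific, which is what you want for a training or test workstation; a Current User value would roam with the profile and could quietly point a user’s live workstation at a PTL environment.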
The IA Registry Editor Tool mentioned above can also be used to switch a workstation between Path to Live environments by updating these registry settings.
Silent configuration
The agent supports a silent installation using standard deployment toolsets that recognise .msi packages, or if installing via a script the following command line can be used:
%SystemRoot%\System32\msiexec.exe /i "NHS-Digital-Identity-Agent-2.x.msi" /qn
Although the default configuration will satisfy the requirements for most installation scenarios, each feature can be included as part of a silent install by specifying the additional parameter as:
%SystemRoot%\System32\msiexec.exe /i "NHS-Digital-Identity-Agent-2.x.msi" ADDLOCAL=featurenames /qn
Where featurenames is a comma-separated list of the ‘Component ID’ values from the table below, e.g. ADDLOCAL=IA,CertsTest.
Feature Name | Component ID | Description
HSCIC Identity Agent | IA | Main product feature *
NHS Certificates for Production | CertsProd | Required for production environments
NHS Certificates for NIS1 | CertsTest | Only required for test / development (PTL)
* If performing a command line installation with the ADDLOCAL option, ensure that “IA” is included along with the required certificates. If ADDLOCAL is not used, Identity Agent and the Production certificates are installed by default.
Automatic start on login
Once installed, launch the program through the ‘Identity Agent’ icon in the Programs | Identity Agent area of the Start Menu, or on Windows 8.1 / Windows 10 through the ‘Identity Agent’ icon on the Applications screen. Identity Agent will then start automatically whenever the user logs into Windows.
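For scripted rollouts, the silent install command line from the Silent configuration section can be wrapped so that the feature list is validated, a verbose Windows Installer log is kept, and the exit code is acted on rather than ignored. This is an added example, not NHS Digital’s deployment tooling; the .msi file name is the placeholder used on the page, and the parameter and log file names are the editor’s own. Save it as a .ps1 and run it from an elevated prompt.

```powershell
# Added example: run the silent install with a log and explicit exit-code handling.
# Not NHS Digital's tooling; 'NHS-Digital-Identity-Agent-2.x.msi' is the page's placeholder name.
param(
    [string]$MsiPath    = 'NHS-Digital-Identity-Agent-2.x.msi',
    [string[]]$Features = @('IA', 'CertsProd'),            # Component IDs from the table above
    [string]$LogPath    = "$env:TEMP\IdentityAgent-install.log"
)

# ADDLOCAL replaces the default feature set, so IA must be listed explicitly.
if ($Features -notcontains 'IA') {
    throw "ADDLOCAL must include 'IA', otherwise the agent itself is not installed"
}
if ($Features -notcontains 'CertsProd' -and $Features -notcontains 'CertsTest') {
    Write-Warning 'No certificate feature selected; CertsProd is required for production use.'
}

$msiArgs = @(
    '/i', "`"$MsiPath`"",
    "ADDLOCAL=$($Features -join ',')",
    '/qn',
    '/l*v', "`"$LogPath`""
)
$proc = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" `
    -ArgumentList $msiArgs -Wait -PassThru

# Standard Windows Installer exit codes: 0 success, 3010 success but reboot required,
# 1641 success and reboot already initiated, 1603 fatal error during installation.
switch ($proc.ExitCode) {
    0       { "Installed features $($Features -join ','); log at $LogPath" }
    3010    { "Installed features $($Features -join ','); reboot required; log at $LogPath" }
    1641    { "Installed features $($Features -join ','); reboot initiated; log at $LogPath" }
    1603    { throw "Installation failed (1603); see $LogPath" }
    default { throw "msiexec exited with code $($proc.ExitCode); see $LogPath" }
}
```

Keeping the /l*v log is what makes a failed silent install diagnosable on a workstation where nothing was shown on screen; the deployment tool should collect it alongside the exit code.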
Legacy setup
The location for registry settings matches that of HSCIC Identity Agent v1 / NHS Digital Identity Agent v2.x and this differs from BT Identity Agent registry locations. Any admin or ‘environment switcher’ type tools will need to be updated to reflect these locations.
Last edited: 31 January 2024 3:13 pm