NHS Care Identity Service 2 path to live process

See information on the NHS Care Identity Service 2 (NHS CIS2) integration environments and our path to live process.

NHS CIS2 environment process

NHS CIS2 user information is derived from the Care Identity Service user directory in the corresponding Spine environment. There are currently 2 NHS CIS2 path to live (PTL) environments: DEV and INT. These correspond to the equivalent Spine environments, DEV and INT.

If you are using NHS CIS2 as a standalone authentication service and accessing no other Spine resources, then which environment you use is up to you.

However, if you intend to connect to Spine services, or to other services that connect to a specific Spine environment, then you will almost certainly need to use the matching NHS CIS2 environment so that authentication data such as the UUID and Organisation/Role match up with the other Spine resources.

Care Identity Authentication - path to live environment process diagram


Development (DEV) environments

The purpose of the DEV environment (split into Simple OIDC Realm and Healthcare Realm) is for application providers to develop against and experience the OIDC flows for NHS CIS2. 

The DEV environment contains identity information from the NHS DEV Spine. Users set up using URS on the DEV Spine will automatically be in the NHS CIS2 directory on DEV. 

Simple OIDC Realm

This enables use of the NHS CIS2 OIDC flows with a simple user id and password.

This allows applications that do not yet have smartcards, or the means to register users for devices, to use a simple username and password to experience the NHS CIS2 OIDC flows. However, a user must still be created in the DEV environment to provide the user id.

Healthcare Realm

The Healthcare Realm on DEV allows authentication using any of the ‘proper’ authentication methods, but it does not offer the user id and password functionality of the Simple OIDC Realm.


Integration (INT) and Testing environments

The purpose of the INT environment is for applications to perform integration testing against other Spine resources and other connected systems. It is the natural path to live for any changes to the NHS CIS2 service. 

The users in the INT environment are replicated from its CIS counterpart on the INT Spine. Users need to be requested and created in the CIS URS environment for test use.

INT does not provide a ‘Simple OIDC’ realm. Applications progressing to INT must have shown the ability to use one of the ‘proper’ methods of authentication.


User Management in PTL Environments

Users in CIS are managed by a Registration Authority (RA). The RA is responsible for creating and editing users, assigning organisations and roles, creating smartcards and binding authenticators. In the PTL environments, this is generally handled by Platform Support (platforms.supportdesk@nhs.net).

Users created in one environment will only work in that environment. So a DEV user is only for DEV environments, and an INT user is only for INT environments. You will need to request separate users for each environment. Also note:

  • Smartcards are strictly per user (and therefore only work for a single environment)
  • iPads can only be for one user/environment at a time (but can be re-registered for a different user, or a different environment)
  • Windows 10 devices and Cross Platform Security Keys can hold multiple identities (even from different environments). 

For most user and role related requests, your first port of call is Platform Support. The NHS CIS2 team only deal with authenticator binding (see below) and assigning passwords to users for the Simple OIDC realm on DEV. 

Users can be requested from Platform Support via our smartcard request form. You can use these values in your request if you do not have any specific organisation/role requirements:

  • Org Code = A9A5A
  • Org Name = NHSID DEV
  • Role Code = R8015

If you require a smartcard, Platform Support will mail it to you. If this is your first user for the DEV environment, request the User ID (UUID) immediately and let the Care Identity Authentication team (nhscareidentityauthentication@nhs.net) know it, so that a password can be added for the Simple OIDC realm without waiting for the smartcard to arrive in the post.

If you require a different type of authenticator (that is, not a smartcard) to be bound to your User Identity, please contact the Care Identity Authentication team (nhscareidentityauthentication@nhs.net) once you have your User ID(s). Details on other authenticators are given below and on the Ways to authenticate page.


Authentication methods in a PTL environment

Whilst most of the requirements for authenticating in the PTL environments are the same as the Live guidance, there are some key differences and configurations that need to be made in order to make it work.

Smartcard

Smartcards are issued per user and therefore will only work on a single environment. 

Using NHS CIS2 with a smartcard requires a "bridge" between the NHS CIS2 authentication webpages and the Identity Agent. Generally speaking, the instructions for using a smartcard in the PTL environments are the same as the Live recommendations. However, there are a few extra steps to take, depending on the "bridge method" used.

Identity Agent

To use a smartcard in a PTL environment, the Identity Agent (IA) needs to be configured to talk to the correct Spine instance. A registry editing tool for the IA exists to allow this to be configured.

http://nww.hscic.gov.uk/dir/downloads/index.html#registry_editor - requires an N3/HSCN connection 

Smartcard Authentication "bridge" methods

There are 4 bridge methods. The Chrome and ActiveX plugins should only be used if you know that your users will require them.

Credential Management Application (preferred)

The Credential Management Application is an additional application that needs installing on the user's machine to provide the bridge between the Javascript in the webpage and the Identity Agent. It is not environment specific, so the generic version can be used.

See installation instructions.

Java Applet

The Java applet is downloaded on demand, and will work the same in PTL environments as it does in Live.

Chrome Plugin

The Chrome Plugin contains an "allow-list" of domains it will operate in. This does not include the NHS CIS2 PTL domain suffixes. An alternative deployment manifest is available that will allow this, but it must be "side-loaded" in Chrome developer mode.

Please contact NHS CIS2 (nhscareidentityauthentication@nhs.net) if you wish to use the Chrome plugin.

ActiveX Control

The ActiveX control can be downloaded on demand if it is not already installed, from https://nww.ebs.ncrs.nhs.uk (e-RS live site, requires N3 connection). No specific configuration is required for PTL environments. However, as on the live site, you will have to add the PTL environment URL to the "trusted sites" in IE.

Diagnosing issues with smartcards

The NHS CIS2 smartcard auth diagnostics page is also available on the PTL environments to help diagnose connection issues:

iPad

The iPad app is usually managed and installed by MDM (mobile device management). The device must conform to certain standards. See Organisation and User Technical Requirements for more details. 

Only one user can be bound to the iPad app/device at a time. Any attempt to change the fingerprint authentication after the device has been bound to the user identity will disassociate the device from the user. There is a custom installation for using the iPad application on PTL environments. It is not the same as the Live app available via the app store. 

To install the application, there are two options:

Apple Business Manager

This will allow the application to be available for installation via our iPad application store. To achieve this, we need to add your Business Apple Id to our store. Once this has been done, the application will be available for install on any device managed by that MDM. 

iTunes

It is possible to install the app directly from iTunes; however, the MDM method is strongly preferred.

To do this, you will need iTunes installed on a machine that can connect to the iPad. You will then give us the device Id (UDID) so we can enrol it in our developer account. We will then provide the installation archive (.ipa file) for you to load onto the device via iTunes. 

Please contact NHS CIS2 (nhscareidentityauthentication@nhs.net) if you wish to install the iPad app.

Windows 10 Hello for Business

Windows 10 devices can be "bound" to an identity by a Registration Authority (RA). For a PTL, the RA functionality is usually provided by Platform Support (platforms.supportdesk@nhs.net). However, it may be simpler to request device binding from a member of the NHS CIS2 team who can act as an RA on the PTL environments. 

For this process, you will need a suitable device - it must have a Hardware TPM of version 2.0 and Windows Hello for Business enabled. See Organisation and User Technical Requirements for more details. 

Multiple identities can be bound to the same WHfB authenticator in PTL environments (not in Live). This means that it can also be used on different environments. 

Cross Platform Security Keys

To use a Cross Platform Security Key (such as a YubiKey), you will need to request a device binding (similar to the Windows 10 device above) from the NHS CIS2 Team (nhscareidentityauthentication@nhs.net). In line with NHS Digital security standards, devices and authentication methods should meet the National Institute of Standards and Technology (NIST) SP 800-63 Digital Identity Guidelines, should meet FIDO2 standards for how devices use the required cryptography, and must be accredited by the FIDO Alliance.

Therefore, only certain models and versions of key are supported, and these are on limited release at this time.

Currently enabled Security Keys in PTLs

  • YubiKey 5 NFC 5.1
  • YubiKey 5 NFC 5.2
  • Security Key By Yubico 5.1
  • Security Key By Yubico 5.2
  • YubiKey 5Ci 5.2
  • Security Key NFC 5.1
  • Security Key NFC 5.2

If the key you have, or wish to use, is not in this list, contact the NHS CIS2 team to discuss your options. 

Multiple identities can be bound to the same Security Key authenticator in PTL environments (not in Live). This means that it can also be used on different environments. 

See the Security Keys section of Ways to Authenticate for more details.

Last edited: 1 October 2021 10:50 am