Looking for developer guidance / documentation on the new CIV smartcard identity agent

This is my first post here so please forgive any absence of protocol.

Many years back I was tasked with allowing our users to log in to our product with their NHS identity smartcard; this was a side-quest from our main goal of PDS compliance.

Fast-forward 10 years and I’m no longer actively developing but I still seem to be ‘the guy’ when it comes to our various authentication methods.

A colleague forwarded me an email outlining the move to the new CIV smartcards and associated middleware and I’ve been asked to perform a spike investigation as to whether this breaks our integration.

I can find some general information about this planned move but I’m struggling to locate any hard details around implementation; specifically around two points.

The first point is interaction with the identity agent in order to get what used to be referred to as a ‘ticket’ via an assembly named TicketApi.dll. Essentially wondering if this is still ‘the way’.

The second point is the back channel authentication of that ticket, which in turn returns a SAML response while the user’s session is still active. Essentially wondering if this is still ‘the way’.

Any advice, pointers or the like most welcome.


This specific area is not my domain but I wondered if any of these would shed some light on the potential differences for you

Apologies if you have them or if they are wrong. We have been wrestling with other aspects of NHS documentation on their APIs which is slightly lacking and in a state of flux especially for their content services data quality.

Good luck, please post the answer here when you find it. We may be required to let the same happen for some of our services one day.


Another link: Smartcard Authentication | CareConnectAPI

If you currently integrate with CIS1 authentication using the TicketAPI.dll, then you will be able to continue doing this as you have always done (for the moment - see below), and the backend authentication stack has not changed in terms of SAML response etc.
The Identity Agent has supported PIV/CIV cards for a couple of years, but you should always aim to stay on the latest versions.
There is a new middleware for Series 9 smart cards that will be available to download from the WES and available via Microsoft Update.

Any application integrating with the Smart Card via the Gemalto PKCS#11 library (gclib.dll) will no longer work with the Series 9 Smart Card, as the use of PKCS#11 has been deprecated for a number of years now. If there is a requirement to perform digital signing with this Smart Card and PKCS#11 is the current approach, then you will need to speak to NHS England to obtain the replacement Digital Signing API.

Also note that the CIS1 auth stack is heading for retirement over the next few years. Applications currently using this should already be looking at moving to the new authentication platform, CIS2 Authentication, which is an OIDC-compliant authentication flow, allowing the use of many types of authenticator, including smartcards.