selected_roleid isn’t always populated in the response - it depends on whether the user selected a role or not, which in turn depends on whether you specify the selectedrole scope.
Hi Felix, I would need the UID of the user to confirm, but there was a successful authentication at 20:44:15 on the 9th which included the selectedroleid claim. Can you DM the id_token you get back from CIS2 Auth when you see this error?
Hi Felix, I’m assuming it doesn’t always happen and is specific to certain users? It looks like there is a synchronisation issue between the data in CIS1 (i.e. the smartcard) and CIS2. This is rare, but can happen for various reasons, especially in our test environments. Can you raise a support ticket via ServiceNow to re-sync the users involved?
This doesn’t always happen but frequently happens out of hours as shown in the logs, and therefore is disruptive when trying to troubleshoot an issue on prod or develop new functionality.
I will raise tickets as and when this happens in future, but ideally the root cause should be addressed so as to make INT a stable environment to develop and test on, particularly given the upcoming changes to A&G.
The users are either in sync or out of sync (for historical legacy reasons) - we have processes in place to ensure they remain in sync and treat INT as stable. Once the profiles are in sync, you won’t see the issue again and it is unlikely that the profile will become out of sync again - if you are seeing different behaviour for the same profile at different times, then we would definitely need a ticket to investigate as this is not expected behaviour. Bear in mind that INT doesn’t have any SLA in place and, whilst we endeavour to ensure it is stable, it is a test environment without the usual production controls in place.
I have seen the behaviour differ for the same profile at different times - the same accounts that experienced the issue at the timestamps provided are able to log in fine currently. Can you please raise a ticket to investigate?
Hi Felix, you would need to raise a ticket via NSD on ServiceNow - can you include the UID and the id_token you have? We are then able to start an investigation.
Can you also include a screenshot of the role selection page in the Identity Agent where you see the issue?
The issue is caused by the role stored against the smartcard not matching the information CIS2 holds and is likely a historical sync issue - we can fix the issue by syncing the profile or you can trigger a sync by changing the roles, etc.
On the 9th the role selected was 555273188106 (Medical Consultant), which does exist in CIS2 Auth.
I have an unrelated issue with the eRS API which I raised a ticket for last week and was eventually told to post on this forum about as it required a developer’s attention – is there any guidance as to where requests should be directed? I assumed specific issues should be raised via tickets as you’re indicating here, but the service desk told me otherwise.
Sorry John, I’m not clear re next steps after you edited this message. Myself and colleagues have experienced this issue multiple times. While it is not currently happening to myself or my colleagues, when it does happen, it happens to all of us simultaneously.
Should I be raising a ticket about this now or next time it happens? You previously said “if you are seeing different behaviour for the same profile at different times, then we would definitely need a ticket to investigate as this is not expected behaviour”, and that is exactly the case, but I cannot take a screenshot of what the identity agent showed several weeks ago.
@Felix_Michaux this is the place to post an issue regarding e-RS in INT - can you post a separate message on here so it doesn’t get mixed up in this one - if it’s a production issue you should use the national service desk.
The behaviour I can see from the logs is that a user will get the role ID depending on the role selected in the IA. If it is repeatable (which it appears to be in your use case) can you share details of the users experiencing the issue, the ID token they are given and the roles shown in the IA - the latter allows me to determine what is presented to you as a user.
The issue is because CIS2 stores a copy of the primary data. Historically this wasn’t always kept in sync in the INT environment due to known issues with the replication process that should have now been resolved. Where there is a mismatch, we would manually sync the records on demand. We match the role ID from the smartcard session to the CIS2 data and if there is no match, we cannot return any information - in the case of the user above, there are 2 roles; one matches and will be returned, the other doesn’t.
I can sync the user manually, which will then return the value for both roles, but this requires a ticket to action. The additional information will help to determine if this is a known legacy issue (the profile doesn’t look to have been modified for a while) or a new problem.