We are looking to enable SSO to our application using users existing @nhs.net details.
NHS Login (NHS login API - NHS Digital) is for the public, so not appropriate. Neither is CIS2 (Apply for NHS CIS2 - NHS Digital) because we’re delivering as a web site so smart card etc is out of scope.
We’ve then discovered the 3rd way of doing SSO - https://support.nhs.net/knowledge-base/single-sign-on-guide/ and contacted the address given there, but they’ve only sent us a live server address, e.g.
hXXps://fs.nhs.net/adfs/oauth2/authorize/?client_id=foo-bar-baz&response_type=code&redirect_uri=https://our.api/callback/url&response_mode=form_post&state=popup&scope=openid email profile&nonce=1686150339308
Is there meant to be some non-live way of testing this ? Ideally without needing a live @nhs.net account ?
It is possible to use your normal NHSmail username (firstname.lastname@example.org) and password to authenticate against other web and desktop applications using SSO, however this is not available for non @nhs.net accounts.
To help me understand the process to date:
Did you complete application authentication form here NHSmail Single Sign-on Technical Guidance (amazonaws.com) and return this completed form to NHSmail helpdesk, for a technical contact to be allocated to deal with your request?
Yes, that’s exactly what we’ve done, but the response is unhelpful because although we now have an app secret etc for the SSO, we can’t test it because we don’t have an @nhs.net address and it’d also be a bad idea for us to test using the live NHS system anyway ?
How is this mean to work ? I must be missing something, surely ?
when you say “…we’re delivering as a web site, so smart card etc is out of scope…”, what information will the website display to your users. Who is going to be accessing the website?
We’re already a HSCN-facing web application with our own login system and want to extend this to “login with @nhs.net” as an option (along with any 2FA that may require).
We’re used by clinical staff to see patient details. But that’s kinda besides the point.
What I asked was how are people testing or doing QA prior to releasing their fs.nhs.net (ADFS SSO) setups - there must be a way of triggering a SAML POST to our system other than using the live fs.nhs.net URL with someone’s borrowed @nhs.net password - surely ?
@nhs.net do not have a test domain, we use live accounts for testing. The live server address shared with you in your earlier post is applicable ( live fs.nhs.net URL.)