This article describes the use of alternative identity providers for authentication within Black Pear's Core Care Plans app.
By default, Core Care Plans uses Black Pear's BP Auth service (https://auth.blackpear.com) to authenticate users.
Black Pear can also configure services to allow access to users authenticated using third party identity providers. This means that users can login to Core Care Plans using credentials from existing local systems such as an NHS Trust Active Directory and even national systems such as NHS Mail, NHS Login and NHS Identity.
Existing third party identity providers are:
- Somerset CCG SiDER
New Identity Providers can be added on customer request, subject to technical and commercial evaluation.
To be compatible, the access token issued by the identity provider must:
- include an iss claim identifying the issuer
- include an aud claim so that the token can be used with Core Care Plans
- include the sub claim to identify the user
- define a user role
- include the organisation at which the user holds that role, preferably as an ODS Organisation code
- be digitally signed with a public key available at a JWKS url (https://tools.ietf.org/html/rfc7517)
In addition, a third party system can launch Core Care Plans using a url containing an access token (https://github.com/Somerset-SIDeR-Programme/SIDeR-interop-patterns/wiki/Single-Sign-On). In this case the session will not automatically refresh, so this pattern is best used in conjunction with contextual launch.
User roles from the access token are mapped to specific roles in the Core Care Plans service within Black Pear's Warden service.
Firstly, Black Pear will evaluate the identity provider to determine whether it is compatible with Core Care Plans and is sufficiently robust to meet NHS requirements.
Secondly, Black Pear will work with the deploying organisation to map roles from the identity provider onto roles within Core Care Plans service.
Finally, the Core Care Plans app will be configured to support the new identity provider so that users can start authenticating!