How does it work?
An authenticated and authorised user of TPP SystmOne selects a ‘Black Pear Core’ button from within the SystmOne UI. This button has previously been configured by a TPP SystmOne administrator using the URL & Program Maintenance capability within SystmOne.
SystmOne sends a launch request to a Launch endpoint provided by Black Pear.
Authorisation and subsequent access to Black Pear systems is dependent on trusting that SystmOne provides reliable authentication and authorisation AND that this information has been securely shared with Black Pear.
Verification
The launch request is verified before a launch URL is issued.
IP address check
The IP address is checked to confirm that the request was received from the HSCN Secure Boundary or the IP address of a recognised NHS organisation. This provides reasonable confidence that the request originated from within a recognised NHS organisation. Whilst a sender's IP address could be spoofed, any response would be sent to the spoofed address rather than to the actual sender.
In cases where the NHS organisation is not able to route traffic via recognised IP addresses, additional information is included within the request to allow an alternative check. During configuration a unique source identifier is securely shared between the deploying organisation and Black Pear via a back-office process. The requestor sends the source identifier within the query string of the request. The source identifier is checked against a set of permitted values to provide a degree of confidence that the request originated from within a recognised NHS organisation.
TLS
The launch is encrypted using TLS so that we can have confidence that the information has not been manipulated in transit.
Encryption
During configuration a key identifier, key and initialisation vector are securely shared between the deploying organisation and Black Pear via a back-office process.
The request includes a key identifier and launch context.
The launch context in the request is encrypted using AES128 and can therefore be decrypted only with the key and IV associated with the supplied key identifier. Successful decryption therefore gives confidence in the information contained within the launch context (Organisation Id, SystmOne username, User Role Profile Code, Patient NHS Number, Patient Date of Birth, Timestamp). The User Role Profile Code is unique to each user, and TPP support have been unable to provide any further information about the value; consequently, it is not possible to use this field to reliably determine the user's SystmOne role.
Timestamp
The Timestamp field is verified against the current time so that we can have confidence that the request has not been replayed.
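As an added example (not Black Pear's or TPP's code), the following Go program shows the decrypt-then-check-timestamp step described under Encryption and Timestamp: the key and IV are looked up by key identifier, the AES128 launch context is decrypted, and the Timestamp is compared with the current time within a tolerance window. The cipher mode (CBC), PKCS#7 padding, JSON serialisation of the context, the key store layout and all sample values are assumptions; the page names only AES128 with a pre-shared key, IV and key identifier.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/json"
	"errors"
	"time"
)
// Key and IV registered per deploying organisation in the back-office process,
// indexed by key identifier. Constructed sample values, not real key material.
var keyStore = map[string][2][]byte{"kid-001": {[]byte("0123456789abcdef"), []byte("fedcba9876543210")}}
// LaunchContext holds the fields the page lists; JSON serialisation is assumed.
type LaunchContext struct {
	OrganisationID, Username, RoleProfileCode, NHSNumber, BirthDate string
	Timestamp                                                       int64 // Unix seconds
}
// decrypt applies AES-128-CBC with PKCS#7 padding; mode and padding are assumptions.
func decrypt(keyID string, ct []byte) ([]byte, error) {
	k, ok := keyStore[keyID]
	if !ok || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("unknown key identifier or bad ciphertext length")
	}
	block, _ := aes.NewCipher(k[0]) // 16-byte key, so AES-128
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, k[1]).CryptBlocks(pt, ct)
	p := int(pt[len(pt)-1])
	if p == 0 || p > aes.BlockSize || !bytes.Equal(pt[len(pt)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("bad padding: wrong key or tampered")
	}
	return pt[:len(pt)-p], nil
}
// VerifyLaunch decrypts the context for keyID and applies the replay check (Timestamp
// within +/-window of now). CBC is unauthenticated, so padding or parse failure is the only tamper signal.
func VerifyLaunch(keyID string, ct []byte, now time.Time, window time.Duration) (*LaunchContext, error) {
	plain, err := decrypt(keyID, ct)
	if err != nil {
		return nil, err
	}
	var ctx LaunchContext
	if err := json.Unmarshal(plain, &ctx); err != nil {
		return nil, errors.New("context unreadable: wrong key or tampered")
	}
	if d := now.Sub(time.Unix(ctx.Timestamp, 0)); d > window || d < -window {
		return nil, errors.New("timestamp outside window: possible replay")
	}
	return &ctx, nil
}
```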
Response
If the launch request is verified, Black Pear responds to the message with a 302 redirect containing a Location header referencing a contextual launch link that includes an SSO token.
Parameters
The contextual launch link includes parameters derived as follows:
| Parameter | Source |
| --- | --- |
| patient | launch request |
| birthdate | launch request |
| location | launch request |
| serviceId | ODS-specific configuration maintained by Black Pear |
| access_token | Issued by https://auth.core.blackpear.com |
Access token
Tokens extend the NHS SSP Access Token format, adding the requesting_user_name and requesting_user_role claims to support the UI and RBAC respectively.
The access token includes fields derived as follows:
| Field | Source |
| --- | --- |
| requesting_organization | launch request |
| requesting_user | launch request |
| requesting_user_name | launch request |
| requesting_user_role | launch request |
| requesting_system | "TPP SystmOne" |
| reason_for_request | "directcare" |
| requested_scope | "patient/*.read" |
| sub | launch request |
| iat | generated |
| iss | "https://auth.core.blackpear.com" |
| aud | ODS-specific configuration maintained by Black Pear |
| nbf | generated |
| exp | generated |
| jti | request-id |
Vulnerability assessment
Prior to deployment, the Launch Service was independently assessed by WMAS Information Security and Assurance Service. On 25th July 2022 they reported an overall assurance opinion of Optimal: "In our opinion there is a sound system of internal controls designed to ensure that the business is able to achieve its objectives".