How does it work?
An authenticated and authorised user of TPP SystmOne selects a ‘Black Pear Core’ button from within the SystmOne UI. This button has previously been configured by a TPP SystmOne administrator using the URL & Program Maintenance capability within SystmOne.
SystmOne sends a launch request to a Launch endpoint provided by Black Pear.
Authorisation and subsequent access to Black Pear systems depend on trusting two things: that SystmOne provides reliable authentication and authorisation of the user, AND that this information reaches Black Pear without being forged or altered.
The launch request is verified before a launch URL is issued.
IP address check
The source IP address is checked to confirm that the request was received from the HSCN Secure Boundary. This gives reasonable confidence that the request originated from within a recognised NHS organisation. Whilst a sender IP address could be spoofed, the response (and with it the launch URL) would be sent to the spoofed address rather than to the sender.
The launch request is sent over TLS, so we can have confidence that the information has not been read or manipulated in transit.
During configuration a key identifier, key and initialisation vector are securely shared between the deploying organisation and Black Pear via a back office process.
The request includes a key identifier and launch context.
The launch context in the request is encrypted using AES-128; the key identifier selects the key and IV with which it is decrypted. Provided the key has remained secret, successful decryption gives confidence in the information contained within the launch context (Organisation Id, SystmOne username, User Role Profile Code, Patient NHS Number, Patient Date of Birth, Timestamp). Note that unless the AES mode used is an authenticated one, decryption by itself does not detect a modified ciphertext. The User Role Profile Code is unique to each user, and TPP support have been unable to provide any further information about the value; consequently, it cannot be used to reliably determine the user's SystmOne role.
The Timestamp field is checked against the current time so that a captured request cannot be replayed outside the accepted tolerance window.
If the launch request is verified, Black Pear responds with a 302 redirect whose Location header references a contextual launch link that includes an SSO token.
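As an added illustration (this is not Black Pear's code and does not appear on the original page), the following Go program walks through the checks above as one procedure: a source-IP check against a placeholder range, key lookup by key identifier, AES-128 decryption of the launch context, a timestamp window check, and construction of the Location header for the 302. The page names only AES-128, so CBC mode with PKCS#7 padding, JSON serialisation of the launch context and Unix-second timestamps are assumptions; the key material, the 10.0.0.0/8 range and the sample context are constructed test data, not HSCN or Black Pear values. Issuance of the access_token is not shown.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/json"
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"time"
)

// LaunchContext: the fields the page lists. JSON encoding and field names are assumptions.
type LaunchContext struct {
	OrganisationID      string `json:"organisationId"`
	Username            string `json:"username"`
	UserRoleProfileCode string `json:"userRoleProfileCode"`
	NHSNumber           string `json:"nhsNumber"`
	DateOfBirth         string `json:"dateOfBirth"`
	Timestamp           int64  `json:"timestamp"` // Unix seconds (assumption)
}

// KeyRecord is the material shared per key identifier via the back-office process.
type KeyRecord struct {
	Key []byte // 16 bytes: AES-128
	IV  []byte // 16 bytes, fixed for the lifetime of the key identifier
}

type Verifier struct {
	Keys    map[string]KeyRecord // indexed by key identifier
	Source  netip.Prefix         // HSCN Secure Boundary egress range (placeholder value in main)
	MaxSkew time.Duration        // accepted distance between Timestamp and the server clock
	Now     func() time.Time     // injectable clock
}

var ErrSource = errors.New("launch: source IP is not within the HSCN Secure Boundary")
var ErrKeyID = errors.New("launch: unknown key identifier")
var ErrCipher = errors.New("launch: launch context cannot be decrypted")
var ErrReplay = errors.New("launch: timestamp outside the accepted window")

// Verify applies the page's checks in order: source IP, key identifier, AES-128-CBC decryption (mode assumed), timestamp.
func (v *Verifier) Verify(sourceIP, keyID string, ct []byte) (*LaunchContext, error) {
	if addr, _ := netip.ParseAddr(sourceIP); !v.Source.Contains(addr) { // an unparsable address matches no prefix
		return nil, ErrSource
	}
	rec, ok := v.Keys[keyID]
	if !ok {
		return nil, ErrKeyID
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, ErrCipher
	}
	block, err := aes.NewCipher(rec.Key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, rec.IV).CryptBlocks(pt, ct)
	// CBC gives no integrity: a wrong key or a tampered block surfaces only as bad PKCS#7 padding or unparsable JSON.
	var lc LaunchContext
	n := int(pt[len(pt)-1]) // padding length; len(pt) >= 16 >= n is guaranteed by the length check above
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) ||
		json.Unmarshal(pt[:len(pt)-n], &lc) != nil {
		return nil, ErrCipher
	}
	// Replay window: within ±MaxSkew a captured request is still accepted unless honoured timestamps are also recorded.
	if d := v.Now().Sub(time.Unix(lc.Timestamp, 0)); d > v.MaxSkew || d < -v.MaxSkew {
		return nil, ErrReplay
	}
	return &lc, nil
}

// EncryptContext is the sender side, standing in for SystmOne so the example runs offline.
func EncryptContext(rec KeyRecord, lc LaunchContext) ([]byte, error) {
	pt, err := json.Marshal(lc)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(pt)%aes.BlockSize // PKCS#7: always append 1..16 bytes
	pt = append(pt, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(rec.Key) // key length is fixed at 16 bytes by configuration
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, rec.IV).CryptBlocks(ct, pt)
	return ct, nil
}

// LaunchLocation builds the Location header value of the 302 response.
func LaunchLocation(base, serviceID, accessToken string) string {
	return base + "?" + url.Values{"serviceId": {serviceID}, "access_token": {accessToken}}.Encode()
}

func main() { // constructed key material and sample context; the HSCN range is a placeholder
	rec := KeyRecord{Key: []byte("0123456789abcdef"), IV: []byte("fedcba9876543210")}
	v := &Verifier{Keys: map[string]KeyRecord{"kid-1": rec}, Source: netip.MustParsePrefix("10.0.0.0/8"), MaxSkew: 5 * time.Minute, Now: time.Now}
	ct, _ := EncryptContext(rec, LaunchContext{OrganisationID: "A12345", Username: "jbloggs", UserRoleProfileCode: "R0001", NHSNumber: "9434765919", DateOfBirth: "1990-01-01", Timestamp: time.Now().Unix()})
	lc, err := v.Verify("10.1.2.3", "kid-1", ct)
	fmt.Printf("%+v %v\n%s\n", lc, err, LaunchLocation("https://launch.example.invalid/", "svc-1", "<token>"))
}
```

Two points the code makes explicit: a wrong key or a modified block is only detected indirectly (as a padding or JSON failure) because CBC carries no authentication tag, and the timestamp check bounds replay to the tolerance window rather than eliminating it, so a service that wants single-use launches also has to remember the timestamps it has already honoured.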
The contextual launch link includes parameters derived as follows:

| Parameter | Derivation |
| --- | --- |
| serviceId | ODS-specific configuration maintained by Black Pear |
| access_token | Issued by https://auth.core.blackpear.com |
Tokens extend the NHS SSP Access Token format, adding the requesting_user_name and requesting_user_role claims to support the UI and RBAC respectively.
The access token includes fields derived as follows:

| Claim | Derivation |
| --- | --- |
| aud | ODS-specific configuration maintained by Black Pear |
Prior to deployment, the Launch Service was independently assessed by the WMAS Information Security and Assurance Service. On 25th July 2022 they reported an overall assurance opinion of Optimal: "In our opinion there is a sound system of internal controls designed to ensure that the business is able to achieve its objectives".