Security and authorisation when launching from TPP SystmOne

Dunmail

How does it work?

An authenticated and authorised user of TPP SystmOne selects a ‘Black Pear Core’ button from within the SystmOne UI. This button has previously been configured by a TPP SystmOne administrator using the URL & Program Maintenance capability within SystmOne.

SystmOne sends a launch request to a Launch endpoint provided by Black Pear.

Authorisation and subsequent access to Black Pear systems is dependent on trusting that SystmOne provides reliable authentication and authorisation AND that this information has been securely shared with Black Pear. 


The launch request is verified before a launch URL is issued.

IP address check

The IP address is checked to confirm that the request was received from the HSCN Secure Boundary or the IP address of a recognised NHS organisation. This provides reasonable confidence that the request originated from within a recognised NHS organisation. Whilst sender IP addresses could be spoofed, any response would be sent to the spoofed IP address.

In cases where the NHS organisation is not able to route traffic via recognised IP addresses, additional information is included within the request to allow an alternative check. During configuration a unique source identifier is securely shared between the deploying organisation and Black Pear via a back-office process. The requestor sends the source identifier within the query string of the request. The source identifier is checked against a set of permitted values to provide a degree of confidence that the request originated from within a recognised NHS organisation.


The launch is encrypted using TLS so that we can have confidence that the information has not been manipulated in transit.


During configuration a key identifier, key and initialisation vector are securely shared between the deploying organisation and Black Pear via a back-office process.

The request includes a key identifier and launch context.

The launch context in the request is encrypted using AES128, so it is decrypted using the specific key and IV that correspond to the key identifier. We can therefore have confidence in the information contained within the launch context (Organisation Id, SystmOne username, User Role Profile Code, Patient NHS Number, Patient Date of Birth, Timestamp). The User Role Profile Code is unique to each user and TPP support have been unable to provide any further information about the value; consequently, it is not possible to use this information to reliably determine the user's SystmOne role.


The Timestamp field is verified against the current time so that we can have confidence that the request has not been replayed.
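The source and timestamp checks described above could be sketched as follows. This is an added example, not Black Pear's code: the network ranges, source identifiers, ISO 8601 timestamp format, 60-second window and all function names are assumptions, and the launch context is taken as already decrypted.

```python
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed placeholders: documentation ranges stand in for the HSCN boundary
# and recognised NHS organisation addresses; the source identifiers are made up.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.16/28")]
PERMITTED_SOURCE_IDS = {"src-EXAMPLE-0001", "src-EXAMPLE-0002"}
MAX_AGE = timedelta(seconds=60)   # assumed acceptance window
MAX_SKEW = timedelta(seconds=5)   # assumed tolerance for clock drift


def source_trusted(remote_ip, source_id=None):
    """IP allow-list first; fall back to the shared source identifier."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        addr = None
    if addr is not None and any(addr in net for net in TRUSTED_NETWORKS):
        return True
    if not source_id:
        return False
    # Compare against every permitted value using a constant-time comparison.
    matches = [hmac.compare_digest(source_id.encode(), p.encode()) for p in PERMITTED_SOURCE_IDS]
    return any(matches)


def timestamp_fresh(timestamp, now=None):
    """Accept only timestamps inside [now - MAX_AGE, now + MAX_SKEW]."""
    now = now or datetime.now(timezone.utc)
    try:
        sent = datetime.fromisoformat(timestamp)
    except (TypeError, ValueError):
        return False
    if sent.tzinfo is None:
        return False  # refuse timestamps with no explicit offset
    return -MAX_SKEW <= now - sent <= MAX_AGE


def verify_launch(remote_ip, source_id, context, now=None):
    """Return (ok, reason); `context` is the already-decrypted launch context."""
    if not source_trusted(remote_ip, source_id):
        return False, "untrusted source"
    if not timestamp_fresh(context.get("timestamp"), now):
        return False, "stale or invalid timestamp"
    return True, "ok"
```

A timestamp window bounds replay to the length of the window; rejecting a second copy of a request inside that window needs a record of requests already seen.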



If the launch request is verified, Black Pear responds to the message with a 302 redirect containing a Location header referencing a contextual launch link including an SSO token.


The contextual launch link includes parameters derived as follows:

| Parameter | Source |
| --- | --- |
| patient | launch request |
| birthdate | launch request |
| location | launch request |
| serviceId | ODS-specific configuration maintained by Black Pear |
| access_token | Issued by |


Access token

Tokens extend the NHS SSP Access Token format, adding requesting_user_name and requesting_user_role claims to support the UI and RBAC respectively.

The access token includes fields derived as follows:

| Field | Source |
| --- | --- |
| requesting_organization | launch request |
| requesting_user | launch request |
| requesting_user_name | launch request |
| requesting_user_role | launch request |
| requesting_system | "TPP SystmOne" |
| reason_for_request | "directcare" |
| requested_scope | "patient/*.read" |
| sub | launch request |
| iat | generated |
| iss | "" |
| aud | ODS-specific configuration maintained by Black Pear |
| nbf | generated |
| exp | generated |
| jti | request-id |


Vulnerability assessment

Prior to deployment, the Launch Service was independently assessed by WMAS Information Security and Assurance Service. On 25th July 2022 they reported an overall assurance opinion of Optimal: "In our opinion there is a sound system of internal controls designed to ensure that the business is able to achieve its objectives."
