Changes to the Detailed Guidance
This section provides a summary of the changes made to the detailed guidance since it was first published.
| Date | Description |
|---|---|
| 17 Aug 2020 | The Registration, Client Authentication and Key Rollover sections have been updated to reflect that the NHS Identity OpenID Provider now supports the Client Secret JWT and Private Key JWT client authentication mechanisms. Relying Parties wishing to use Private Key JWT mechanism should pay particular attention to the description of how they should perform key rollover. |
| 17 Aug 2020 | The TLS Requirements has been updated to include a list of ciphersuites recommended by the NHS Digital Security Team. |
| 04 Dec 2020 | Added clarification that NHS Identity only current supports Confidential Clients. |
| 06 Jan 2021 | Additional claims added to nhsPerson and professionalmemberships. |
| 06 Jan 2021 | Back Channel Logout - added new claims to idToken and BCL guidance section. |
| 31 Mar 2021 | Back Channel Logout - added IP address ranges for firewalls. |
| 19 Apr 2021 | Name of service revised from NHS Identity to Care Identity Service 2: Care Identity Authentication known as CIS2 or Care Identity Authentication. |
| 21 Apr 2021 | PTL domain names updated in examples. |
| 30 Apr 2021 | Clarified that the Back-Channel Logout mechanism is triggered when a smartcard session expires. Added recommendation on applications implementing their own single user session restriction. Advised on firewall settings for Relying Party JWKS Endpoints. |
| 07 May 2021 | Clarified that Signed UserInfo Responses do not currently contain an aud claim but may do so in the future. |
| 26 May 2021 | Added emphasis on implementing CSRF protection. |
| 25 Aug 2021 | Additional guidance added on how to use the auth_time claim to protect against request manipulation when using a prompt=login or max_age parameter. |
| 22 Nov 2021 | Updated the description of the Back-Channel Logout mechanism to reflect the fact that the limitations of the initial implementation have been removed. |
| 16 Dec 2021 | Added a clarification that the NHS CIS2 Authentication Access Token can not be used with the Spine RESTful APIs. |
| 25 Apr 2022 | Added suggestion to use polling to improve Back-Channel Logout user experience. |
| 15 Jun 2022 | Revised guidance for Client Authentication JWKS Key Rollover - now seamless. |
| 22 Aug 2022 | Revised guidance for Client Authentication - the recommended method is now private_key_jwt. |
| 30 Aug 2022 | The use of prompt=none with an acr_values or max_age parameter is now permitted. |
| 28 Sep 2022 | Guidance added on how to select and change Role. |
| 17 Oct 2022 | Modified guidance on the use of HTTP response codes with Back-Channel Logout. |
| 18 Jan 2023 | Additional information about supported algorithms for client authentication by private_key_jwt. |
| 02 Feb 2023 | Added a reference to Back-Channel Logout in the Registration section. |
| 24 Feb 2023 | Added Native Applications guidance and changes to Session Management regarding session quota limits |
| 20 Mar 2023 | Clarification of Back Channel Logout response codes |
| 24 Apr 2023 | Revised Signed Userinfo validation to include the aud claim. Clarification on https for BCL url |
| 10 Aug 2023 | Addition of idassurancelevel to the ID Token |
| 08 Sep 2023 | Minor clarifications and readability changes around Client Authentication, ACR Values, Security Considerations (CSRF) |
| 18 Jan 2024 | Revised idassurancelevel claim in idToken to id_assurance_level. Added guidance for authentication_assurance_level |
| 17 Apr 2024 |
Revised ACR and AMR values for AAL2 use case. Clarification of authentication_assurance_level check replacing ACR prefix check. Clarification of limited SSO use via max_age |
| 15 May 2024 | Native applications moved to other guidance section. |
| 6 August 2024 | Updated guidance to explicitly specify that CIS2 Authentication uses dynamic IP addresses for inbound traffic. |
| 21 August 2024 | Updated guidance to detail issues with Azure Frontdoor and intermediate proxies. |
| 28 August 2024 | Updated guidance around selecting roles with non-smartcard authentication and the Internet Identity Agent. |
| 5 February 2025 | Updated guidance around ACR and AMR values. |
Last edited: 5 February 2025 2:17 pm