Allowing domains in Care Identity Service

To be able to access the newer, internet-facing parts of the Care Identity Service, the user must be able to access these required domains:

• CIS2 Authentication - https://am.nhsidentity.spineservices.nhs.uk
• Credential Management - https://trustedurl.national.ncrs.nhs.uk
• Care Identity Management - https://manage-care-identities.care-identity-service2.nhs.uk
• the domain of the service that the user is trying to authenticate into

If you are using a smartcard with the current Identity Agent (v2.x.x) to authenticate with the CIS2 Authentication service, your users must be able to access HSCN endpoints. This is found on https://gas.national.ncrs.nhs.uk/

Be sure that the domains above are authorised by the proxy service, and that they are not trying to route the domains via their service. Go through step by step - for example check all the firewall rules, antivirus rules, and any other relevant web security software. 

Note: only add the domains as written above. Do not add IP addresses as they are not static and will change.

If your users are connecting to your organisation network from a home network using a VPN, they will need either:

• a split tunnel for the internet addresses on their home network and CIS2 Authentication on the VPN (for HSCN)
• all traffic routing through your trust network, and the internet domains reachable from your organisation network