Engage with us

The first step to integrating with CIS2 Authentication is to engage with us.

You'll need to:

• apply to integrate with CIS2 Authentication
• register for digital onboarding
• confirm your use case

When you're ready to onboard to CIS2 Authentication, please complete the CIS2 Service Assessment Questionnaire (SAQ).

Completing the questionnaire will help us to understand your use case and assess whether CIS2 Authentication is the right service for you.

What happens next

We'll review your application within 5 working days and contact you regarding the appropriate next steps. We may need to speak to you if we need more information or to clarify your requirements.

We'll add you to our email distribution list, where you'll receive information on changes to the service, feature updates and upcoming releases. Please do not complete any further steps until you've received a response to your questionnaire.

To continue, you need to register for digital onboarding. We'll ask you for the information we need to assess and approve your use of CIS2 Authentication.

If you've already registered we'll let you know, and whether the product you are onboarding to CIS2 Authentication has already been added.

Follow the instructions on the digital onboarding guidance page to:

• register your personal developer account
• set up your organisation and team
• add your product

When prompted to select the APIs or access modes you want to use, you won't be able to add CIS2 Authentication yourself - access is by request only.

Rather, let us know once you've added your product and we'll add CIS2 Authentication to your product and let you know when it's done.

You must confirm you have a valid use case.

You’ll need to give us details of your product and what it does. You’ll also need to explain why CIS2 Authentication is the right authentication tool for your service.

Complete the 'Setup and eligibility' stage of your digital onboarding

1. Sign in to digital onboarding.
2. Go to product onboarding.
3. Select your product - this will open the conformance questions for your product.
4. Complete the 3 sections within the 'Setup and eligibility' stage.
5. Submit the 3 sections for review.

Completing the use case section

Before you submit the use case section you should:

• read and understand the developer guidance
• understand any key dependencies you may have
• have an idea of the number of authentications your users will make
• have an idea of any key dates you need to meet, for example your go live date

Next steps

We'll review your answers within 5 working days and may contact you if we need more information.

It's likely that you already have a plan or target date in mind for completing your conformance with CIS2 Authentication. The steps described in this onboarding guide will help plan your integration.

We want you to achieve your targets, and as each project is different this guidance may not cover all the issues you'll encounter. With that in mind we recommend you share your plan with us as we may be able to offer advice to avoid issues we've seen before.

Your high level plan should include your anticipated dates for:

• starting the conformance process
• submitting your responses to the conformance questions in the digital onboarding service
• testing
• achieving conformance
• your first site to go live

Your plan should include rollout details through to your last site and information that demonstrates how you intend to do so in a controlled manner.

You are expected to give us an idea of the patterns and volumes of user authentications required throughout the rollout process.

Areas to consider

1. Keep things simple to start with - a basic end-to-end authentication can be implemented in a few days.
2. Accessing the userinfo endpoint is required to obtain RBAC data. You will need this if you control permissions within your application or you are integrating with any of the national APIs.
3. Other aspects required for the overall solution, such as session management, security considerations and conformance requirements can now be focused on.
4. If you are integrating with other national APIs (PDS, EPS, e-RS, etc), these are only available in the INT environment so factor that into your planning to enable end-to-end testing.
5. Don't underestimate how long the conformance process may take. We are working with a lot of implementation teams and may have to adjust our response times during busier periods, so please take this into account.
6. Think about which authenticators may be best for your development team, but also what authenticators your end users will be using. The majority of existing users will be using smartcards over HSCN, so consider testing with these if you have access to HSCN, but it's not mandatory.
7. If you are deploying to new user groups, review the authenticators we support as you may find they are a better fit for your use case. Don't assume that smartcards are the only option.
8. Consider how you will deploy your solution to your customers. You may have one instance used by all customers or one instance per customer.
9. Think about how long it will take for you to deploy the solution to all your customers.

CIS1 to CIS2 Authentication migration

If you are migrating from CIS1 to CIS2 Authentication, as part of your solution you need to ensure that you are removing all CIS1 dependencies.

Systems that use CIS1 Authentication may have been around for many years and the touch points for CIS1 Authentication may not be known by the current technical team. We recommend regression testing your current application using one of the other authenticator options via CIS2 Authentication rather than just using Smartcards over HSCN as this will help identify any remaining CIS1 dependencies.

Where a CIS1 token is used to access NHS England APIs, you will need to consider how this changes when using CIS2 Authentication - see migrating APIs from CIS1 to CIS2.

During the technical conformance test we will require you to use one of the alternative authenticators to conduct this test to ensure CIS1 dependencies have been removed.

Next steps

When you share your plan with us we'll be able to:

• make you aware of any dependencies you might not be aware of
• prepare to support you through your journey
• understand your critical path and if we factor into it - typically we're rarely a critical path item

The next step after engaging with us is to design and build your software.