src/session-management.md
Lines changed: 9 additions & 8 deletions
@@ -3,19 +3,20 @@ layout: base.njk
3
3
title: Session management
4
4
---
5
5
6
-
The NHS login platform does not support user session management and user logout functionality. Both are partner responsibilities.
6
+
NHS login does not support user session management and user logout functionality. Both are partner responsibilities.
7
7
8
8
However, NHS login follows standards set by the National Institute of Standards and Technology (NIST).
9
9
10
10
Therefore, connected services that use NHS login as an Identity Provider (IdP) and Authentication Service must align to the following NIST standards.
11
-
12
-
[NIST 800- 63C Digital Identity Guidelines: Federation and Assertions (nist.gov)](https://gbr01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnvlpubs.nist.gov%2Fnistpubs%2FSpecialPublications%2FNIST.SP.800-63c.pdf&data=05%7C01%7Cbrendan.plant1%40nhs.net%7C331c3500f34d492d3ff808dad120bb8d%7C37c354b285b047f5b22207b48d774ee3%7C0%7C0%7C638052235748476884%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=YrDvEUd%2FAdQcHwRpprfmxMBgjxb06Eau2v0D4gIK2zc%3D&reserved=0) is used to provide guidance around the NHS login use of and operation of OIDC, with further detail within the NHS login External Interface Specification.
13
-
14
-
[NIST 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management (nist.gov)](https://gbr01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnvlpubs.nist.gov%2Fnistpubs%2FSpecialPublications%2FNIST.SP.800-63b.pdf&data=05%7C01%7Cbrendan.plant1%40nhs.net%7C331c3500f34d492d3ff808dad120bb8d%7C37c354b285b047f5b22207b48d774ee3%7C0%7C0%7C638052235748476884%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=geXgNSYNrg9LvpDcD8%2BA%2F5tqwDQQTXDkPmixdrexW%2Fc%3D&reserved=0) is used to define the Authentication Assurance levels which support the operation of NHS login. Where Authentication Solutions are used alongside NHS login, they should also meet an AAL level of 2.
15
11
16
-
---
12
+
[NIST SP 800-63C-4 Digital Identity Guidelines: Federation and Assertions](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63C-4.pdf) is used to provide guidance around the NHS login use and operation of OpenID Connect (OIDC), with further detail within the NHS login External Interface Specification.
13
+
14
+
[NIST SP 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63B.pdf) is used to define the Authentication Assurance levels which support the operation of NHS login. Where authentication solutions are used alongside NHS login, they should also meet an AAL level of 2.
15
+
16
+
---
17
+
18
+
## Session Management and Refresh Tokens
17
19
18
-
## Session Management and Refresh Tokens
19
20
20
21
### Definitions
21
22
- Standalone web application - a partner's own independently accessed web application, intended for consumption by users via any web browser (regardless of device type)
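Review bot: the two NIST references now cite different revisions: the Federation and Assertions link is pinned to NIST.SP.800-63C-4.pdf, while the Authentication and Lifecycle Management link still points at the unversioned NIST.SP.800-63B.pdf (the 2017 Revision 3 text), so the AAL requirement in the next sentence is tied to a different revision than the OIDC guidance. Pin both to the same revision (both -4 or both unversioned). In that same line, "should also meet an AAL level of 2" reads as optional while the preceding "must align to the following NIST standards" is mandatory; write it as "must meet AAL2" if it is a requirement ("AAL" already contains "level", and "align with" reads better than "align to"). Two smaller points: the added blank line before the re-added "## Session Management and Refresh Tokens" heading plus the retained context blank after it leave two consecutive blank lines before "### Definitions" in the new file (new lines 19 and 20); and the commit description should mention that the 63C link was also changed from an Outlook safelinks redirect to the direct nvlpubs URL, which is the useful part of this hunk.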
@@ -51,4 +52,4 @@ If user-to-app authentication is optional, the application must comply with the
51
52
In addition, the application must carry out a user-to-app authentication check:
52
53
- after 5 minutes of inactivity within the application. The application must make this prompt automatically without user interaction
53
54
- on reopening the application if it has been in the background for more than one minute
54
-
- on reopening the application if it has been closed (regardless of elapsed time)
55
+
- on reopening the application if it has been closed (regardless of elapsed time)
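Review bot: the removed and added lines are identical as rendered, so this hunk is a whitespace-only change (most likely adding the missing newline at end of file, given it is the last line). Fine to keep, but say so in the commit description so a reader does not hunt for a wording change in the re-authentication rules. Visible in the context but not changed here: "after 5 minutes of inactivity within the application" and "in the background for more than one minute" give thresholds without saying where the clock runs; a background/foreground transition is only observable on the device, so it is worth stating that these timers are client-side and must prompt even when the partner's server session is still valid.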