Overview

It is a common request for an external system to be able to launch PKB for a given user (whether patient or clinician), without the user needing to manually re-enter their PKB credentials.

...

  • NHS login SSO solution. This mechanism will allow your NHS login-authenticated users to launch PKB without entering additional credentials, and likewise for PKB's NHS login-authenticated users to launch your external system without entering additional credentials.

  • PKB's One Time Password (OTP). This mechanism allows users of your external system to link their PKB account such that you are able to launch them into PKB on request by retrieving an OTP from our Custom REST API.

NHS login solution

PKB is working on implementing the NHS SSO model.

...

It is hoped that this design will allow external systems to launch into PKB, and to be launched from PKB.

NHS login with assertedLoginIdentity

We also accept asserted_login_identity tokens as a means of authenticating a user. To use this method, the following parameters need to be added to the URL:

  • assertedLoginIdentity: containing the login identity token.

  • prompt (optional): set to force a login prompt from the user.

Example: https://sandbox.patientsknowbest.com/listAppointments.action?assertedLoginIdentity=<sample-token>&prompt=none

The user will be automatically logged in via NHS using the token provided.

OTP solution

Note: these examples are written for http://sandbox.patientsknowbest.com; replace the URL as needed if you are connecting to a different environment.

...

The external system, or a proxy acting on its behalf, needs to authenticate against PKB on behalf of the user it knows to be currently logged in, and then launch PKB in the correct context.

Initial pairing

A PKB user initiates a workflow on the external system (e.g. clicks a link) that indicates their desire to pair their PKB account with the external system.

...

The external system then stores both of these tokens in a local database, along with whatever identifier the external system uses to identify the currently logged in user.

Ongoing usage

Obtain a One Time Password for the user

...

https://sandbox.patientsknowbest.com/otp.action?otpToken=gnUF6vXCWhZ9QgD4-7s6TE1bSiqfUniw&redirect_uri=%2Fauth%2FpatientSummary.action%3Ftab%3DpatientSummary%26contextUserEmail%3Dpatient@example.com

Data availability check

For some use cases it can be helpful to indicate to the user of the external system whether any data exists in PKB for the patient in context which the user of the external system is unlikely to have seen in their own systems, e.g. data from other organisations.

...

Prevent patient record switching

If an organisation decides to prevent patient switching, professionals using our OTP solution to log in will not be able to navigate away from the patient record that they have launched, or view another patient’s record for the duration of the session. The professional must open each patient’s record in their local system in order to open their PKB record.

To prevent patient switching, an organisation adds an optional parameter to the redirect URL when implementing SSO:

  • lockPatient. When this URL parameter is set to true, the professional will not see the links to the patient search page, the logout link, or the link to the help page. The parameter is propagated to any pages opened from the patient record, e.g. if an image is opened in a new tab.

https://sandbox.patientsknowbest.com/otp.action?otpToken=gnUF6vXCWhZ9QgD4-7s6TE1bSiqfUniw&redirect_uri=%2Fauth%2FpatientSummary.action%3Ftab%3DpatientSummary%26contextUserEmail%3Dpatient@example.com%26lockPatient=true

Once the lockPatient parameter is set to true, it will remain set for the duration of the session.

Organisations may prefer to embed PKB in an iframe in their local system when preventing patient record switching.
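The two launch URLs above (the plain OTP launch and the lockPatient variant) nest one query string inside another, so every `?`, `=` and `&` of the redirect target has to be percent-encoded or the OTP endpoint will split the parameters in the wrong place. The following is an added example, not PKB's own code, of how an external system can build these URLs with correct encoding and decode them again to confirm that contextUserEmail and lockPatient survive the round trip. The OTP token value is the sample token from this page; the `build_*`/`parse_launch_url` names and the rule that redirect_uri must be a relative PKB path (an open-redirect guard on the calling side, not a documented PKB check) are assumptions of this example.

```python
"""Build and validate PKB OTP / assertedLoginIdentity launch URLs.

Added example for this page, not code from PKB. The base URL is the sandbox
named in the note above; swap it for the environment you are connecting to.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

SANDBOX = "https://sandbox.patientsknowbest.com"  # from the page; per-environment


def build_redirect_uri(context_user_email: str, tab: str = "patientSummary",
                       lock_patient: bool = False) -> str:
    """Relative target that otp.action redirects to after the user is logged in.

    lockPatient is only added when requested; once set to true it stays set for
    the whole session, so the caller should decide this per launch.
    """
    params = {"tab": tab, "contextUserEmail": context_user_email}
    if lock_patient:
        params["lockPatient"] = "true"
    return "/auth/patientSummary.action?" + urlencode(params)


def build_otp_launch_url(otp_token: str, redirect_uri: str, base: str = SANDBOX) -> str:
    """Outer launch URL; urlencode percent-encodes the nested '?', '=', '&'."""
    return f"{base}/otp.action?" + urlencode(
        {"otpToken": otp_token, "redirect_uri": redirect_uri})


def build_asserted_login_url(token: str, prompt: str = "none",
                             base: str = SANDBOX) -> str:
    """NHS login variant from the 'assertedLoginIdentity' section above."""
    return f"{base}/listAppointments.action?" + urlencode(
        {"assertedLoginIdentity": token, "prompt": prompt})


def parse_launch_url(url: str) -> dict:
    """Decode the outer query, then the nested redirect_uri query.

    Rejects an absolute redirect_uri (scheme or host present) so a launching
    system cannot be tricked into sending the user off-site after login.
    This guard is an assumption of the example, not a PKB-documented rule.
    """
    outer = parse_qs(urlsplit(url).query)          # first percent-decode
    redirect = outer["redirect_uri"][0]
    target = urlsplit(redirect)
    if target.scheme or target.netloc or not target.path.startswith("/"):
        raise ValueError("redirect_uri must be a relative PKB path")
    inner = parse_qs(target.query)                 # second percent-decode
    return {
        "otpToken": outer["otpToken"][0],
        "path": target.path,
        "params": {k: v[0] for k, v in inner.items()},
    }


if __name__ == "__main__":
    # Sample token as shown on this page; a real token is fetched per launch.
    token = "gnUF6vXCWhZ9QgD4-7s6TE1bSiqfUniw"
    url = build_otp_launch_url(
        token, build_redirect_uri("patient@example.com", lock_patient=True))
    print(url)
    print(parse_launch_url(url))
```

Running the module prints the fully encoded launch URL and its decoded form; `parse_launch_url` also accepts the hand-written URL from the page above, where the `=` in `lockPatient=true` was left unencoded, because the outer parser splits each pair on the first `=` only.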

More SSO information:

Integration Planning and Testing Support

Single Sign-On (SSO) Guidance

Single Sign-On (SSO) FAQs


...