Session management
The NHS login platform does not provide user session management or user logout functionality; both are the responsibility of the partner (connected) service.
NHS login does, however, follow the standards set by the National Institute of Standards and Technology (NIST), so connected services that use NHS login as an Identity Provider (IdP) and Authentication Service must align their session handling with the following NIST standards.
NIST SP 800-63C, Digital Identity Guidelines: Federation and Assertions (nist.gov), provides the guidance that governs NHS login's use and operation of OpenID Connect (OIDC); further detail is given in the NHS login External Interface Specification.
NIST SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management (nist.gov), defines the Authentication Assurance Levels (AALs) that underpin the operation of NHS login. Where other authentication solutions are used alongside NHS login, they should also meet AAL2.
NIST SP 800-63B also sets reauthentication requirements for an AAL2 service: the session must be terminated, and the subscriber reauthenticated, when either of the following limits is reached:
- at least once per 12 hours during an extended usage session, regardless of user activity
- following any period of inactivity lasting 30 minutes or longer
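The two limits are independent clocks: the 12-hour limit runs from the last full authentication and is not extended by activity, while the 30-minute limit runs from the last request and is reset by each one. The following is an added, hypothetical example of how a partner service could enforce both on its own server-side session store; it is not NHS login code, and the session store, identifiers and timeline are constructed for illustration.

```python
"""Server-side session lifetime checks for a partner service that uses NHS
login as its IdP.  Hypothetical example (not NHS login code) enforcing the
two AAL2 reauthentication limits from NIST SP 800-63B: a 12-hour absolute
limit and a 30-minute inactivity limit."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

ABSOLUTE_LIMIT = timedelta(hours=12)      # measured from last authentication
INACTIVITY_LIMIT = timedelta(minutes=30)  # measured from last request


class SessionState(Enum):
    ACTIVE = "active"
    EXPIRED_ABSOLUTE = "expired_absolute"  # 12 h since authentication
    EXPIRED_INACTIVE = "expired_inactive"  # 30 min without activity
    MISSING = "missing"                    # unknown or already terminated


@dataclass
class Session:
    subject: str                # e.g. the 'sub' claim of the ID token
    authenticated_at: datetime  # when the user last fully authenticated
    last_activity: datetime     # when the user last made a request

    def state(self, now: datetime) -> SessionState:
        # The absolute limit is checked first because activity never extends it.
        # Both comparisons use >= so the boundary itself terminates the session.
        if now - self.authenticated_at >= ABSOLUTE_LIMIT:
            return SessionState.EXPIRED_ABSOLUTE
        if now - self.last_activity >= INACTIVITY_LIMIT:
            return SessionState.EXPIRED_INACTIVE
        return SessionState.ACTIVE


class SessionStore:
    """In-memory store keyed by an opaque session ID (the cookie value).
    A real service would use a persistent server-side store with random IDs."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def create(self, session_id: str, subject: str, now: datetime) -> Session:
        # Called after a successful NHS login authentication; both clocks start now.
        s = Session(subject=subject, authenticated_at=now, last_activity=now)
        self._sessions[session_id] = s
        return s

    def touch(self, session_id: str, now: datetime) -> SessionState:
        """Called on every authenticated request.  An active session has its
        inactivity clock reset; an expired one is deleted, so the user is
        forced back through NHS login rather than having the session extended."""
        s = self._sessions.get(session_id)
        if s is None:
            return SessionState.MISSING
        state = s.state(now)
        if state is SessionState.ACTIVE:
            s.last_activity = now
        else:
            del self._sessions[session_id]
        return state

    def logout(self, session_id: str) -> bool:
        # Partner-side logout: the page notes NHS login does not provide this.
        return self._sessions.pop(session_id, None) is not None


def demo() -> list[SessionState]:
    """Walk a constructed timeline through both expiry paths."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed start time
    store = SessionStore()

    # Inactivity path: 29 minutes idle is fine, a further 31 minutes idle is not.
    store.create("sid-1", "sub-123", t0)
    results = [
        store.touch("sid-1", t0 + timedelta(minutes=29)),
        store.touch("sid-1", t0 + timedelta(minutes=60)),
        store.touch("sid-1", t0 + timedelta(minutes=61)),  # already terminated
    ]

    # Absolute path: a request every 20 minutes keeps the inactivity clock
    # reset, but the 12-hour clock still expires the session.
    store.create("sid-2", "sub-123", t0)
    t = t0
    last = SessionState.ACTIVE
    while t < t0 + ABSOLUTE_LIMIT:
        t += timedelta(minutes=20)
        last = store.touch("sid-2", t)
    results.append(last)
    return results


if __name__ == "__main__":
    for state in demo():
        print(state.value)
```

On expiry the service should redirect the user back to NHS login for a fresh authentication rather than silently reusing the existing assertion; in OIDC Core the `max_age` and `prompt=login` request parameters exist for asking an IdP for fresh authentication, and whether and how NHS login honours them is a matter for the External Interface Specification, not this page.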