Setting up Single Sign On (SSO)

From v2024.1, Care Partner supports Active Directory integration. With this integration configured, Care Partner can adopt more robust security measures. A further aim is to let shared or third-party services manage access to Care Partner without having direct access to Care Partner’s sensitive information.

For customers looking to implement this feature, please contact us via the Jira helpdesk portal to find out more.

The technical information below gives a brief summary of how this is achieved.

Technical Overview

To integrate Active Directory with Care Partner, Imosphere has developed a solution that acts as a go-between, called Atmodentity.

The intention is that a single Active Directory group will hold all ‘approved’ Care Partner users, and Atmodentity will authenticate against membership of that group. Active Directory accounts that are not members of this group are not processed by Atmodentity at all (for example, no user or staff member is created for them).

Atmodentity handles the authentication of users, not their authorisation. Authorisation continues to be handled manually within Care Partner as per existing local processes.

When Care Partner and Active Directory are integrated for the first time, the email addresses held against Care Partner’s ‘staff members’ are used to link them to Active Directory accounts. A one-time email is sent to that address to verify the person. The sending address of the one-time email is configurable at domain level so that it can be allowed through NHS firewall filtering.
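The two rules above, gating on one approved group and linking by email address, are easy to state but have edge cases a first integration will hit: addresses that differ only in case, staff with no account in the group, accounts in the group with no staff record or no mail attribute, and two approved accounts sharing one address. The following is an added illustration of that linking logic, not Atmodentity’s or Care Partner’s code; the group DN, the staff records and the AD accounts are all constructed sample data, and the report fields are hypothetical names chosen for this example.

```python
"""Email-based linking of Care Partner staff members to Active Directory
accounts, gated on membership of a single 'approved' AD group.

Added illustration: this is not Atmodentity's code. The group name, the
staff records and the AD accounts below are all constructed sample data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Hypothetical DN of the group that holds all approved Care Partner users.
APPROVED_GROUP = "CN=CarePartner-Users,OU=Groups,DC=example,DC=org"


@dataclass(frozen=True)
class AdAccount:
    sam: str                    # sAMAccountName
    mail: Optional[str]         # the account's mail attribute, if any
    groups: FrozenSet[str]      # DNs of the groups the account belongs to


@dataclass(frozen=True)
class StaffMember:
    staff_id: int
    email: str


@dataclass
class LinkReport:
    linked: Dict[int, str]            # staff_id -> sam: send the one-time verification email
    ambiguous: Dict[int, List[str]]   # staff_id -> several approved accounts share the address
    unmatched_staff: List[int]        # staff with no approved AD account: no link, no email
    unmatched_accounts: List[str]     # approved accounts with no staff record: nothing created
    skipped: List[str]                # accounts outside the approved group: never processed


def normalise_email(addr: Optional[str]) -> Optional[str]:
    """Compare addresses case-insensitively, ignoring surrounding whitespace."""
    if addr is None:
        return None
    addr = addr.strip().lower()
    return addr or None


def link_accounts(staff: List[StaffMember], accounts: List[AdAccount],
                  approved_group: str = APPROVED_GROUP) -> LinkReport:
    # Gate on the approved group first: anything else is invisible to the linker.
    approved = [a for a in accounts if approved_group in a.groups]
    skipped = sorted(a.sam for a in accounts if approved_group not in a.groups)

    by_mail: Dict[str, List[AdAccount]] = {}
    for a in approved:
        key = normalise_email(a.mail)
        if key is not None:
            by_mail.setdefault(key, []).append(a)

    linked: Dict[int, str] = {}
    ambiguous: Dict[int, List[str]] = {}
    unmatched_staff: List[int] = []
    for s in staff:
        key = normalise_email(s.email)
        candidates = by_mail.get(key, []) if key else []
        if len(candidates) == 1:
            linked[s.staff_id] = candidates[0].sam
        elif candidates:
            # Two approved accounts with the same address: refuse to guess,
            # because a one-time email to that address could not tell them apart.
            ambiguous[s.staff_id] = sorted(a.sam for a in candidates)
        else:
            unmatched_staff.append(s.staff_id)

    claimed = set(linked.values())
    for sams in ambiguous.values():
        claimed.update(sams)
    unmatched_accounts = sorted(a.sam for a in approved if a.sam not in claimed)
    return LinkReport(linked, ambiguous, unmatched_staff, unmatched_accounts, skipped)


# Constructed sample data covering each edge case.
STAFF = [
    StaffMember(1, "Alice.Smith@nhs.example"),   # case differs from AD: still links
    StaffMember(2, "bob.jones@nhs.example"),     # AD account exists but is not in the group
    StaffMember(3, "carol.white@nhs.example"),   # two approved accounts carry this address
    StaffMember(4, "dan.brown@nhs.example"),     # no AD account at all
]
AD_ACCOUNTS = [
    AdAccount("asmith", "alice.smith@nhs.example", frozenset({APPROVED_GROUP})),
    AdAccount("bjones", "bob.jones@nhs.example", frozenset()),
    AdAccount("cwhite", "carol.white@nhs.example", frozenset({APPROVED_GROUP})),
    AdAccount("cwhite2", "Carol.White@nhs.example", frozenset({APPROVED_GROUP})),
    AdAccount("eevans", "eve.evans@nhs.example", frozenset({APPROVED_GROUP})),  # approved, no staff record
    AdAccount("svc-backup", None, frozenset({APPROVED_GROUP})),                  # approved, no mail attribute
]


def demo() -> LinkReport:
    return link_accounts(STAFF, AD_ACCOUNTS)


if __name__ == "__main__":
    print(demo())
```

Only the `linked` entries are candidates for the one-time verification email; the `ambiguous` and `unmatched_*` lists are what a local administrator would clear up in Active Directory or in Care Partner’s staff records before (or during) a first integration.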

Session timeout

Care Partner monitors for inactivity. When the user has not interacted with Care Partner for a set period, the session expires and the user is redirected back to the login page. At that point, if the token issued when the user supplied their network credentials is still current, the user can simply refresh the page and re-enter Care Partner. If that token has expired, the user must reauthenticate.
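What the user sees after a pause therefore depends on two independent timers: the inactivity timer on the Care Partner session and the expiry of the token obtained with their network credentials. The following is an added illustration of how those two timers combine, not Care Partner’s code; the 15-minute inactivity limit and the 8-hour token lifetime are assumed values (the page states neither), and the login and activity timestamps are constructed.

```python
"""Outcome of returning to Care Partner after a pause, given an inactivity
timer on the session and an expiry on the network-credential token.

Added illustration, not Care Partner's code. The inactivity limit and the
token lifetime are assumed values; the timestamps are constructed."""
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Tuple

INACTIVITY_LIMIT = timedelta(minutes=15)   # assumed value
TOKEN_LIFETIME = timedelta(hours=8)        # assumed value


class Outcome(Enum):
    ACTIVE = "active"                  # session still live, no redirect
    REFRESH = "refresh"                # session expired, token current: a refresh re-enters
    REAUTHENTICATE = "reauthenticate"  # session and token both expired: log in again


def outcome_at(now: datetime, last_activity: datetime, token_expires: datetime,
               limit: timedelta = INACTIVITY_LIMIT) -> Outcome:
    if now - last_activity < limit:
        return Outcome.ACTIVE
    # The session has expired and the user is at the login page;
    # the token alone decides whether a refresh is enough.
    if now < token_expires:
        return Outcome.REFRESH
    return Outcome.REAUTHENTICATE


def replay(login: datetime, activity: List[datetime],
           checks: List[datetime]) -> List[Tuple[datetime, Outcome]]:
    """Classify each check time using the latest interaction before it."""
    token_expires = login + TOKEN_LIFETIME
    results = []
    for t in checks:
        last = max([a for a in activity if a <= t] + [login])
        results.append((t, outcome_at(t, last, token_expires)))
    return results


# Constructed timeline: login at 09:00, interactions at +5, +10 and +30 minutes.
T0 = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)
ACTIVITY = [T0 + timedelta(minutes=m) for m in (5, 10, 30)]
CHECKS = [T0 + timedelta(minutes=m) for m in (12, 44, 46, 480, 500)]


def demo() -> List[Outcome]:
    return [outcome for _, outcome in replay(T0, ACTIVITY, CHECKS)]


if __name__ == "__main__":
    for when, outcome in replay(T0, ACTIVITY, CHECKS):
        print(when.strftime("%H:%M"), outcome.value)
```

The check at +46 minutes is the case the paragraph describes: the session has timed out, but the token is still current, so a page refresh is enough. By +8 hours the token has also lapsed and only reauthentication will do, however recently the user was active.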