Troubleshooting Single Sign-On
If you try to enter an incorrect passcode three times, your passcode is locked out.
Unlocking of a Smartcard must be carried out by a Registration Agent (at the CCG) or the Sponsor (at the practice). The Smartcard holder must be present. Users who have forgotten their Passcode or suspect that it may be known by another, or who have been locked out of NHS Applications because of three failed login attempts, should report the problem to a member of the RA Team as soon as is practicable.
In normal circumstances the local sponsor makes changes to or resets the Passcode. Exceptionally Passcode changes may be made by other members of the RA Team.
If you fail to connect to the SSB client and server for the purposes of authentication, the System Error screen displays:
You can either:
- Contact your System Supervisor.
- Retry the connection.
- Select Work Offline, if you do not need to connect to national services. Note - Any changes to patient details do not update the national dataset and may be lost on subsequent connection.
- Select Details for further information. This may, for example, warn there is a problem with your Smartcard reader, and that it may be disconnected from the workstation.
- Check all connections between Smartcard reader and the machine.
If at any time, the link is dropped or does not connect, then the status is unlinked. This displays in Consultation Manager alongside the patient details in the top title bar.
The patient record also displays with (UNLINKED) if after selecting a patient, the local record cannot be matched against a PDS Spine record by NHS Number.
As when working offline, you cannot use any national services while unlinked, nor access records from the Spine.
Access to the National Services is denied if:
- Your current National Role Profile does not allow access to Vision at this practice (see Role Based Access). Contact your Registration Authority in order to rectify this problem. (Computer Misuse Act 1990 - Unauthorised access to a system is an offence).
- You are not currently registered as a Vision user. Contact your System Administrator quoting the Unique Identifier code in order to rectify this problem.
- The user's current role has no rights to any Vision function. The 'It is not appropriate to grant you access rights in your current role. If you have more than one role, you should select a different role before running Vision. If you have no appropriate roles, you should contact your Registration Authority or Practice Manager.' message displays.
If your Smartcard is lost, stolen or damaged:
- Report it to the RA Team at the CCG as soon as is practicable.
- Once notified a Smartcard has been lost or damaged, the RA arrange to have the lost/damaged Smartcard revoked and replaced. In the case of loss or theft, the RA Manager must be informed so that checks may be made to ensure that the Smartcard has not been misused.
- When an issued Smartcard becomes unusable or it is lost or stolen, the Smartcard certificate must be revoked, which renders the Smartcard useless.
- As long as the Smartcard holder’s identity can be verified at a face to face meeting a new Smartcard is issued.
- If there is any difficulty verifying the user’s identity, the user’s Sponsor is contacted and the users identity verified. It is vital that the Sponsor’s identity can be relied upon when contacting them to verify the user’s identity.
When you sign on with your Smartcard, connection to the national services is timed to last a maximum of 12 hours. Just before this period expires a warning displays, and after this period, you are logged out. This is an Spine Security Broker (SSB) setting which cannot be changed by Vision.
Successful SSO login with the Smartcard and PIN creates a "token", lodged with SSB. It may be initiated by a Vision access but is not associated with a particular Vision session. The SSB client controls the validity and persistence of the SSO token.
There are circumstances under which the SSB client automatically invalidates and destroys the SSO token. At the same time the SSB instructs Vision to terminate with immediate effect. Examples of where such a forced shutdown is effected are:
- Token invalidated - The 'Vision was unable to validate your session' message displays:
- Revocation of user rights
- Session timeouts, when exceeding maximum duration, currently 12 hours though this may change.
- The Spine ceases to function
On receipt of a shutdown instruction from the SSB, Vision initiates an irrevocable shutdown sequence.