nhsconnect / gpconnect-provider-testing

GP Connect automated test suite for API providers
Apache License 2.0

Check consumers are sending the correct ASID through #231

Closed jonnyry closed 4 years ago

jonnyry commented 5 years ago

For consumer systems that are used across multiple organisations, ensure the consumer system is sending the correct ASID in the Ssp-From header for the organisation that is making the request:

https://developer.nhs.uk/apis/gpconnect-1-2-3/integration_system_topologies.html#consumer-system---shared-mhs

https://developer.nhs.uk/apis/gpconnect-1-2-3/overview_release_notes_1_2_3.html#clarify-asid-requirements-and-topologies-for-aggregators

Essentially, consumer systems that are deployed across multiple organisations MUST NOT send a single fixed ASID in Ssp-From all of the time; the ASID must relate to the organisation making the request.
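Added example (not part of the original issue or the project's test suite): a sketch of the check described above, run over constructed request records. The `requesting_org` field, the ASID-to-organisation mapping and all ASID and ODS values are assumptions made up for illustration.

```python
from collections import defaultdict

# Constructed sample data: ASID -> ODS code of the organisation it was issued to.
ASID_OWNER = {
    "100000000001": "A11111",
    "100000000002": "B22222",
}

# Constructed requests from one consumer system deployed at two organisations.
# "requesting_org" is a hypothetical field naming the organisation making the request.
REQUESTS = [
    {"id": 1, "requesting_org": "A11111", "headers": {"Ssp-From": "100000000001"}},
    {"id": 2, "requesting_org": "B22222", "headers": {"ssp-from": "100000000001"}},
    {"id": 3, "requesting_org": "B22222", "headers": {"Ssp-From": "100000000002"}},
    {"id": 4, "requesting_org": "A11111", "headers": {}},
    {"id": 5, "requesting_org": "A11111", "headers": {"Ssp-From": "999999999999"}},
]


def ssp_from(headers):
    """Return the Ssp-From value; HTTP header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == "ssp-from":
            return value.strip()
    return None


def check_requests(requests, asid_owner):
    """Return (per-request failures, ASIDs sent for more than one organisation)."""
    failures = []
    orgs_by_asid = defaultdict(set)
    for req in requests:
        asid = ssp_from(req["headers"])
        org = req["requesting_org"]
        if not asid:
            failures.append((req["id"], "missing Ssp-From"))
            continue
        orgs_by_asid[asid].add(org)
        owner = asid_owner.get(asid)
        if owner is None:
            failures.append((req["id"], "unknown ASID"))
        elif owner != org:
            failures.append((req["id"], f"ASID belongs to {owner}, not {org}"))
    # An ASID seen with several organisations indicates a single fixed value.
    fixed = {a: sorted(o) for a, o in orgs_by_asid.items() if len(o) > 1}
    return failures, fixed


if __name__ == "__main__":
    print(check_requests(REQUESTS, ASID_OWNER))
```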

PeterGresty commented 5 years ago

Would the Spine Proxy not be the best place to do this check and enforce the correct ASID for the ORG?

BabarNHS commented 4 years ago

Current Consumer scripts do expect that we check to ensure the SSP From ASID is from the request originating endpoint and not the 'Manufacturer ASID' or fixed value.