Re: Potentially a good idea, but...
I work for a company that implements technology solutions for the NHS. These are usually large scale clinical systems, and each might cater for hundreds of thousands of patients and upwards. My job is to design the integration of such solutions with trusts’ and hospitals’ systems, with a focus on designing security into every layer.
It’s an almost impossible job sometimes. To name a few reasons: NHS networks are full of old, unpatched kit, proprietary medical systems and passwords on Post-it notes, and everyone is very busy. The biggest problem, though, is that there is no common standard for the architecture and function of NHS authentication systems. Nearly everywhere uses AD for core authentication functionality, but that’s the only common factor among NHS environments. Across the trusts I have worked with (dozens) there is every imaginable combination of the presence or absence of: ADFS, multiple domains and forests, just one flat domain, a central resource domain for user objects, various AD trusts, and every AD functional model and combination of DC OSes imaginable. Kerberos delegation is often allowed but often blocked. On top of that, Kerberos authentication is sometimes disabled as a system can only use NTLM, but that policy is applied to the entire domain! NLA is often blocked domain-wide as there are still Windows XP machines in some places, random GPO security settings are configured all over the place, and change control is often non-existent. Multiple schannel cipher suites are frequently blocked because 10 years ago they had to get an old system to work; domain admins are all over the place – many left ages ago but aren’t disabled in AD; password policies are often absent, or frankly laughable; and staff share logins.
This isn’t to slag NHS IT people off – many are very, very good technically and extremely committed. Every IT dept I have seen is diligent and works really hard, but they don’t have the resources to look after the fundamentals.
There is no way on God’s green earth that £40 million is going to fix this. Getting SSO to work is possible but very hard, time consuming and expensive. Every implementation is different and may require a complete overhaul of the design and much work for the trust; application code changes are often required too. There is also the worry that your application is at risk because you are trusting the AD security of an under-funded, old, unpatched, on-its-last-legs infrastructure that is not subject to change control, with the keys to the data which it is your job to keep safe.
Matt Hancock does not have a clue. Without massive, widespread investment and standardisation and agreed vendor standards, SSO is cloud cuckoo land.