NHS Single Sign On: Technical infrastructure challenges

November 18, 2019 | NHS, Technology

Marc Poulaud, CTO at Isosec, discusses the key challenges to implementing Single Sign On (SSO) within NHS Trusts. In this first article in our NHS SSO series, Marc highlights the different challenges when it comes to infrastructure within Trusts and how to overcome them. 

Getting fast access securely and seamlessly to NHS systems is fundamental to better, safer care. And whilst no two NHS Trusts' infrastructures are the same, we've recognised some of the key challenges within our customers' environments since we launched our NHS SSO service in early 2019.

Firstly, let’s look at the different types of Windows Desktop infrastructure, and how NHS Trusts currently use them.


Which Infrastructure is it anyway?

Generally, Trusts use two main types of Windows Desktop infrastructure:

  1. Virtual Desktops (VDI)
  2. Physical Desktops

Irrespective of the type of infrastructure, a user wants to log on as simply and quickly as possible. Additionally, Information Governance (IG) want to ensure users log off simply and quickly to protect patient information. This is where SSO, or specifically tap-and-go, can meet these objectives.

Each of these types of infrastructure lends itself to achieving these two objectives to a different degree, depending on the type of clinical user and how mobile they are. The reality is that organisations have a mix of both, which means Trusts have to manage and maintain these different types of infrastructure simultaneously. I'll now dive into the two environments and the challenges around Single Sign On for each scenario.


Virtual Desktop Infrastructure (VDI) 

Let’s consider a VDI environment and how this works.

A VDI environment is where a user’s Windows desktop is running as a service on an infrastructure that may be located in the Trust’s data centre, or increasingly as part of a third party cloud based service provided by the likes of Microsoft or Google, for example. Some of our customers are having some great success with cloud based desktops which is great for external internet access too. The user connects to their virtual desktop using some low cost terminal device, such as a Dell Wyse terminal or even a Raspberry Pi.

This kind of environment enables NHS staff to be more mobile – they're able to move between departments and devices more easily, and access information when and where they need it. However, whilst users may be able to access their own desktop environment easily, they still face the challenge of having to manage multiple login details to access various systems, and of getting access to the NHS Spine. For a user to really benefit from SSO, it should not only log them on to Windows but also seamlessly log them on to the Spine.


Achieving True NHS SSO

To address the challenges of multiple authentication, and as a long standing provider of NHS secure access and authentication, we’ve created a true Single Sign On solution that will link both to the NHS Spine and Windows AD accounts. Combining the power of our Identity Agent and Virtual Smartcard, our Cloud-based ‘tap-and-go’ SSO solution provides users with rapid access to their desktop without having to enter their Windows username and password. Similarly, with a second tap, the user will be disconnected (not logged out) from their desktop thereby protecting patient information.

The other magic of SSO with Virtual Desktops is the notion of ‘follow-me’ – where this second tap can ‘pull’ the user’s virtual desktop to that device. Such a scenario occurs on an emergency department ward where a clinician moves from one cubicle to the next. This is important to the user as it means their Windows session and all their applications are still running quietly in the data centre, waiting for the user to connect to it and carry on from where they left off – no having to wait for Windows to start, re-launch or re-authenticate all their applications.


Physical desktop challenges

Here, a user's Windows session and applications are all running locally on the one particular desktop the user is sat at. The challenge here is that if a user needs to move to another desktop, they are forced to close down systems and applications, then not only restart the entire login process and re-launch those applications, but also re-authenticate to all of them, wasting valuable time.

This might not be a problem for a more static user, but they still want a fast log on to that one desktop, and IG would want to ensure they have a fast way of locking or logging off the desktop. Users can still benefit from SSO tap-and-go in much the same way as they do with VDI – in terms of tap-on and tap-off (to lock the workstation during a break, for example).

The adoption challenge – inhouse vs the Cloud

Many Trusts who currently have NHS SSO or want to adopt it face the problem of infrastructure management and debt – the notion that this decision will always be a management and cost burden. Using an in-house appliance for NHS SSO, or other services that require some physical infrastructure on-premise, requires setup, management and periodic upgrading.

The answer – use a cloud based SSO service. The benefit here is extremely fast adoption and zero management with no debt. A simple SSO client is all that needs deploying just like any other client application.

The deployment challenge – planning for success

It's worth noting that VDI has some valuable benefits to the organisation – central management of desktops and applications (think Windows 10 upgrades) and low cost client devices (think Windows desktop hardware refreshes). But this all comes at a cost and, as with all infrastructures, fail to plan in terms of design (think application testing) and implementation (think appropriately skilled people and processing horse-power) and you'll plan to fail. Some of our very large customers who use our products in a VDI environment have really done it very well, others less so. That is why working in partnership with our customers and understanding their environments early on is crucial to helping you get the best from your investment.


A simpler, streamlined approach to true Single Sign On

By working in partnership with our NHS customers, we've always delivered agile, customer driven solutions to help solve the issues for NHS system access and authentication. We're constantly driving agile improvements into our solutions with insight from our NHS customers. So, if you're a Trust looking at your approach to NHS Single Sign On and all things authentication, do let us know your thoughts about the challenges you're facing. We're happy to help find the best solution for you.


Find out more about NHS SSO and get in touch today.


Author Marc Poulaud
