This article contains frequently asked questions about Same Sign On, including guidance on onboarding and installing the tool, as well as scenario-based questions that may arise once the tool is installed.
Introduction to Same Sign On
Same Sign On is a password synchronisation solution which allows for the same password to be used to access local workstations, NHSmail services, applications using NHSmail single sign on and Azure Active Directory.
Same Sign On reduces the number of passwords that NHSmail users need to remember. The synchronisation of NHSmail and local Active Directory also unifies the password policy across the two services, reducing the risk of passwords being compromised and improving cyber security.
Yes, passwords that are changed on the NHSmail platform are securely sent to the Local Active Directory and vice-versa.
Onboarding and Installing Same Sign On
Both the onboarding guide and ServiceNow form should be completed by local administrators who have a comprehensive understanding of the installation of Microsoft products and experience working with identity solutions such as Identity Lifecycle Manager (ILM), Forefront Identity Manager (FIM) or Microsoft Identity Manager (MIM).
Raise a ticket outlining the information change with the NHSmail help desk (helpdesk@nhs.net).
Currently, Same Sign On only supports one ODS code per organisation. If an organisation’s Active Directory comprises more than one ODS code, the organisation should choose which ODS code will be supported by the Same Sign On solution.
The pre-requisites, outlined in the onboarding guide, are:
- Installing and configuring TANSync or equivalent identity matching solution
- Aligning local Active Directory Password Policy with that of NHSmail
- Notifying local IT Service Desk of the timelines to install the Same Sign On solution and sending out communications to users if relevant
- Planning for the installation of the password agents and the subsequent rebooting of the Domain Controllers
An alternative identity synchronisation solution can be used; however, the organisation is responsible for troubleshooting any issues that may arise from mismatches between the local Active Directory and that of NHSmail.
An identity synchronisation solution is necessary for Same Sign On to be installed. If no identity matching synchronisation solution has been installed, IT support teams can find the TANSync installation guides on the NHSmail Support Site.
The local Active Directory password policy must be aligned with the NHSmail password policy. You can find out more through this link.
Other
The Same Sign On tool will need to be renewed bi-annually. To do so, organisations will need to complete another ServiceNow form.
The Same Sign On solution can be uninstalled if no longer required. To do this, your organisation should uninstall the agents following the steps in section 11 of the onboarding guide.
If the new organisation is already onboarded in Same Sign On, the password will be synchronised every time it is changed by the user. Otherwise, the user will have to change their passwords in both platforms separately. In both cases, we recommend waiting 24 hours after the user has been transferred in the Active Directory as replication changes across the state could take some time.
If their previous organisation is onboarded to Same Sign On, the user will need to change their password in order for their NHSmail and local Active Directory accounts to sync.
Active Directory replication changes across the state could take some time and therefore we suggest waiting 24 hours before any password change.
The user would need to reset their password after their account is synced to ensure that the passwords on local Active Directory and NHSmail are the same. The user should wait up to 24 hours before resetting the password to allow for the account to be synced.
Useful & Related Links
- Onboarding Guide
- NHSmail Password Policy
- TANSync Deployment Guide – NHSmail Support
- TANSync Overview – NHSmail Support
- TANSync Webinar – NHSmail Support
- Changing Password Guidance
- Resetting Password Guidance
Last Reviewed Date: 28/01/2022