Same Sign On FAQ

This article contains frequently asked questions about Same Sign On including guidance on onboarding and installing the tool as well as scenario-based questions one may encounter when having the tool installed.

Introduction to Same Sign On

What is Same Sign On?

Same Sign On is a password synchronisation solution which allows for the same password to be used to access local workstations, NHSmail services, applications using NHSmail single sign on and Azure Active Directory.

What are the benefits of using Same Sign On?

Same Sign On reduces the number of passwords that NHSmail users need to remember. The synchronisation of NHSmail and local Active Directory also unifies the password policy across the two services, reducing the risk of passwords being compromised and improving cyber security.

Are passwords synchronised between NHSmail and the Local Active Directory?

Yes, passwords that are changed on the NHSmail platform are securely sent to the Local Active Directory and vice-versa.

Onboarding and Installing Same Sign On

Who should read and carry out actions on the onboarding guide and Service Now form?

Both the onboarding guide and ServiceNow form should be completed by local administrators who have a comprehensive understanding of the installation of Microsoft products and experience working with identity solutions such as Identity Lifecycle Manager (ILM), Forefront Identity Manager (FIM) or Microsoft Identity Manager (MIM).

What do I do if the information I provided on the ServiceNow form changes?

Raise a ticket outlining the information change to the NHSmail help desk (

What do I do if my organisation has more than one ODS code?

Currently, Same Sign On only supports one ODS code per organisation. If an organisation’s Active Directory comprises more than one ODS code, the organisation should choose which ODS code will be supported by the Same Sign On solution.

What do I need to do before I install the Same Sign On solution?

The pre-requisites, outlined on the onboarding guide, are:

  1. Installing and configuring TANSync or equivalent identity matching solution
  2. Aligning local Active Directly Password Policy with that of NHSmail
  3. Notifying local IT Service Desk of the timelines to install the Same Sign On solution and send out relevant communications to users if relevant
  4. Planning for the installation of the password agents and the subsequent rebooting of the Domain Controllers
What do I do if my organisation does not have TANSync?

An alternative identity synchronisation solution can be used, however, the organisation is responsible for troubleshooting any issues that may arise by mismatches between the local Active Directory and that of NHSmail.

An identity synchronisation solution is necessary for Same Sign On to be installed. If no identity matching synchronisation solution has been installed, IT support teams can find the TANSync installation guides in the NHSmail Support Site.

What are the password policies that need to be aligned?

The local Active Directory password policy must be aligned with the NHSmail password policy. You can find out more through this link.


Will the Same Sign On tool need to be renewed and, if so, how?

The Same Sign On tool will need to be renewed bi-annually. To do so, organisations will need to complete another ServiceNow form.

What should I do if the Same Sign On solution is no longer required for my organisation?

The Same Sign On solution can be uninstalled if no longer required. To do this, your organisation should uninstall the agents following the steps in section 11 of the onboarding guide.

What happens to a user’s NHSmail password when they are transferred to another organisation?

If the new organisation is already onboarded in Same Sign On, the password will be synchronised every time it is changed by the user. Otherwise, the user will have to change their passwords in both platforms separately. In both cases, we recommend waiting 24 hours after the user has been transferred in the Active Directory as replication changes across the state could take some time.

What happens if a user moves back to their previous organisation?

If their previous organisation is onboarded to Same Sign On, the user will need to change their password in order for their NHSmail and local Active Directory accounts to sync.

Active Directory replication changes across the state could take some time and therefore we suggest waiting 24 hours before any password change.

What happens if a new NHSmail user is created within an organisation that has adopted Same Sign On?

The user would need to reset their password after their account is synced ensure both the password on local Active Directory and NHSmail are the same. The user should wait up to 24 hours before resetting the password to allow for the account to be synced.

Last Reviewed Date 28/01/2022
Updated on 05/07/2022

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support
back to top