Leaving the Legacy Platform Behind

The first version of the NHS Leadership Academy used the Ruby on Rails framework, with other functionality imported from third-party e-learning and CRM platforms. Single Sign On (SSO) was absent, because as Vardhan explained, it proved challenging to integrate with other applications. 

“As it aged, it became harder to maintain. It didn’t follow any of the industry authentication and authorization standards. We found it tough to integrate the vast suite of applications and sites that comprise the NHS Leadership Academy,” she said. 

This was a serious problem. Throughout England and Wales, the NHS is organized across more than 200 “trusts.” These are responsible for delivering services in a given area and enjoy a high level of autonomy in the technology they use.

“Every NHS trust is different and there’s a lot of legacy technology at play,” she said.

For the rewrite, the NHS Leadership Academy standardized on the popular Laravel framework. As most of the other frameworks used in the Academy were written in PHP, it made sense to pick a PHP framework for the core application.

Laravel offers advanced authentication features, including Microsoft Active Directory (AD) compatibility. These were extended with the Auth0 platform, helping them secure long-term scalability and improve developer efficiency. 

Faster iterations and less maintenance

As a public sector organization, the NHS vets all prospective purchases to ensure security, value-for-money, and compatibility with existing tools. The path of least resistance is always to pick a pre-approved product. Despite these challenges, the NHS Leadership Academy had a solid business case to procure Auth0 as its new identity provider.

“You have to make a formal business case. This is good governance, but it’s time-consuming. We created user stories and cost-benefit analyses showing what we’d do with the product and accounted for every penny. It was a lot of work,” said Vardhan. 

It took five months to get the green light to procure Auth0, but it was worth the wait. In the years since its deployment, the NHS Leadership Academy team has already seen tangible benefits. They can dedicate more time on the core product, while spending less time on maintenance. 

“We wanted to leave authentication to an IDaas platform. Identity is complicated. It simply isn’t something we handle on a day-to-day basis. Auth0 had all the features, tooling, and security assurances that we needed,” Vardhan said. 

“Now we can iterate our product regularly. Our team can devote their time and energy to the development of our core products and services. We don’t have to worry about identity,” she added.

Reduced support calls, improved developer happiness

From day one, Auth0 allowed the NHS Leadership Academy team to accelerate their timelines and implement advanced authentication systems. 

“Auth0 makes it so easy to handle authentication. The APIs are well-built. It has libraries for all the frameworks we use. It’s so incredibly developer-friendly,” said Vardhan. 

“Our DevOps engineers were quite happy to onboard Auth0. It made it so easy to integrate new apps into the core product, build custom authentication flows, add branding, and migrate accounts from our legacy platform. We’ve also seen a gradual decrease in support calls [about access] and a reduction in the time it takes to reset passwords,” she added. 

The NHS Leadership Academy has also taken advantage of several advanced features within Auth0. It added self-service mechanisms, allowing users to manage their accounts without needing to contact IT support. 

In the coming months, it plans to introduce other advanced Auth0 functionality, including breached password detection, which alerts when a user’s password appears online. 

The NHS Leadership Academy also hopes to introduce passwordless authentication in the years to come, although admits this is a long-term aspiration. “We’re looking at cultural change considerations to help people find new ways of working. We have to do things slowly and steadily,” Vardhan said.