I work for a system integrator that also offers Identity and Access Management systems. Some of our offerings have both modern directory services and SSO and multi-factor authentication solutions with access control policies like SAASPASS. Don’t understand how this deployment would cost 40 million pounds even with IAM consulting and training.
It would be good to see the actual breakdown of the spending as it probably includes other spending as well. If not, then it is questionable spending.
I suspect you don't grasp the sheer size of the NHS. 2.15 million staff (of whom, 1.4M doctors, nurses, and medical specialists), at least 350 hospitals (depending on definitions) ... in terms of employment, this is the fifth largest employer in the world. This isn't about a single, universal, organization-wide SSO system: there are a bunch of systems, and it's a given that many of them are obsolescent, underpowered, legacy systems including exotic or proprietary kit.
Think of it in terms of SSO for an organization the size of the entire US Armed Forces and you'll begin to grasp the scale of the problem.
I think you VASTLY underestimate the size of US Armed Forces in terms of what's required for authentication, authorization, and access control.
US DOD has well over 4 million Active Duty, Civilian Employees, Contractors, etc. Though numbers are hard to pin down, since the number of contractors is in many cases not what is being paid for by the contract (e.g. firm-fixed price, and service based contracts like IDIQ which the contract holder dedicates cleared staff, but otherwise it's hard to know; compared to time-and-material/"butts-in-seats" where numbers are know by the Government per contract).
The US DOD attempted to move everything to MS AD at one point but hit a limitation in the number of objects AD let's you create (~2bn).
It would be good to see the actual breakdown of the spending as it probably includes other spending as well. If not, then it is questionable spending.