CPRD Gateway

The Challenge

CPRD operates several separate online services:

• ERAP - where researchers submit ethics applications for review
• Academy - where users complete training courses and learning materials

Previously, users would need different logins for each service, making it cumbersome to manage accounts and difficult for CPRD to maintain consistent security across systems.

The Solution

The Gateway portal provides:

Single Sign-On (SSO using SAML and Entra): Users log in once to the Gateway and can seamlessly access all CPRD services they're authorized to use, without logging in again to each system.

Centralized Dashboard: A personalized homepage showing all services users can access, with real-time notifications such as you have pending reviews, or courses that require completion.

Access Request Management: Users can request access to services through the portal. Administrators review and approve/deny these requests through a streamlined workflow that is controlled via Salesforce.

Unified Notifications: The system sends emails and text messages for important updates across all services using the UK Government's official notification service.

Secure Identity Management: One place to manage user profiles, passwords, security settings, and access permissions for all CPRD services.

How It Was Built

Drupal was chosen as the platform due to its government approved usage and enterprise grade functionality:

• It has strong security credentials and regular security updates
• Offers granular permission controls for different user types
• Is flexible enough to integrate with external systems
• Has a large community and proven track record in the UK public sector

Key Building Blocks

1. User Management System Rather than building everything from scratch, the team extended Drupal's built-in user system with custom fields to track:

• Which services each user can access
• Approval status (pending, approved, rejected, blocked)
• Special data access permissions
• Connection to external authentication systems

2. Authentication Hub The portal acts as a trusted "identity broker" - when users want to access ERAP or Academy, the Gateway confirms their identity to those systems. This uses industry-standard SAML technology.

3. Service Integration Layer Custom modules were developed to connect the Gateway to external services:

• They fetch data from ERAP and Academy (such as service data)
• Display this information on the user's dashboard
• Send users to the right place to action requests
• Manage the access request workflow

4. UK Government Standards The portal follows official UK Government Digital Service (GDS) guidelines:

• Uses the GOV.UK Design System for consistent look and feel
• Implements required security standards (password policies, two-factor authentication)
• Uses GOV.UK Notify for sending official communications
• Meets accessibility requirements for public services

5. Development Approach The team used modern development practices:

• Modular architecture: Different features built as separate, reusable components
• API-first design: Services communicate through secure APIs, making it easier to add new services in future

Benefits of This Approach

For Users:

• One login for all CPRD services
• Personalized dashboard showing what's relevant to them
• Streamlined access request process
• Consistent experience across services

For CPRD:

• Centralized user management reduces administrative overhead
• Easier to add new services without rebuilding authentication
• Better security through single point of control
• Comprehensive audit trail of user access and activities
• Flexibility to integrate with other UK government systems

For Future Growth:

• New services can be added without major system changes
• API structure allows third-party integrations
• Scalable architecture to handle growing user base

This solution demonstrates how established platforms like Drupal can be customized to create sophisticated, government-grade identity and access management systems that serve specific organizational needs while maintaining security, usability, and future flexibility.