Canadian Underwriter
Feature

All for One, One for All


June 2, 2012   by Ken Metcalfe, Director, I.T., Portage Mutual Insurance



“What’s in a name? That which we call a rose by any other name would smell as sweet.”

— Romeo and Juliet (II, ii, 1-2)

At one time in the past, you were known to everyone who mattered: business dealings were performed face to face. Today, in the digital age, you must prove your identity time and time again, especially when dealing with sensitive personal information.

What is single sign on? SSO, also known as Enterprise Single Sign On, is the ability for a user to enter one ID and password to log on and gain access to multiple applications and network resources within an enterprise. SSO can also take place between enterprises using a mechanism called “Identity Federation.” Many organizations have sought a solution like SSO, but few have successfully implemented it.

The requirement to manage multiple user IDs and passwords is a problem throughout the Canadian property and casualty insurance industry. Brokers are particularly hard hit by the lack of SSO. Broker management systems (BMS), company portals and information and service providers all require users to sign on.

Multiple sign ons come with various risks and drawbacks, including decreased security and productivity. These will be discussed in more detail below.

A few initiatives are attempting to address these issues. Broker software vendors and companies are working together to allow company portals to recognize BMS credentials. This would allow brokers to sign on to their BMS and access a company portal or make a real-time submission to the company with no additional sign on. Recent Canadian Underwriter articles have discussed partnerships among Keal, iter8 and Unica Insurance.

The same situation applies to information and service providers. Some have partnered with companies to allow their credentials to be used by the company. The broker accesses the company either in real time or through their portal using the service provider credentials. In the real-time example, the broker would authenticate to the service provider, order services during BMS workflow and upload to the company using the service provider credentials. If the company has a portal, brokers can then access the service provider services during portal workflow with no additional sign on. As well, the company only has to recognize and trust credentials from a single source: the service provider. Portage Mutual Insurance, for example, has partnered with CGI to allow brokers and company personnel to sign on to its portal using CGI RapidWeb credentials. Those signing on have access not only to the portal, but can order AutoPlus, MVR and other CGI information services seamlessly during portal workflow.

This industry collaboration shows both initiative and necessity. Lacking clear direction or standards, organizations will do the best they can with what they have.

Federated Identity Management

Single sign on can also take place between enterprises using a federated identity. A federated identity is obtained by signing on to a trusted third-party source. The identity is automatically and invisibly presented, recognized and trusted by partner organizations as an alternative to direct login.

Federated Identity Management involves as many as three parties:

Identity Provider (IdP): The sign on and associated user administration system are typically hosted by a trusted third party called an identity provider. It is the only party that ever sees the user's password.

Relying Partner (also called a Relying Party): This is an organization that owns software that uses an Identity Provider for identity verification (sign on) purposes, instead of maintaining its own user IDs and passwords.

Standards Organization: The standards organization is responsible for defining the Trust Framework, which refers to a set of standards, technologies and implementation guidelines. Trust Frameworks are typically created by industry organizations and formalize interaction between the Identity Providers and the Relying Partners.

For example, a broker would log on to an industry Identity Provider. The provider will automatically and invisibly provide the broker’s computer with a temporary, digitally signed security token, using identity federation standards such as SAML, WS-Federation, or the Liberty Alliance and Shibboleth profiles built on SAML. The BMS, company portal or service provider system that accepts the token is the Relying Partner.

The BMS would recognize this token and allow access with no additional sign on. The same happens when accessing a company (portal or real time) or an information/service provider’s system. The partner’s software receives the token and checks it: the signature must verify against the trusted Identity Provider’s key, the token must have been issued for this particular partner’s system rather than for some other partner, and it must not have expired. Only then does it allow the broker access to the business partner’s system without additional sign on. A token that passes the signature check but was issued for a different partner must still be rejected, or one sign on to a low-value system could be replayed against a high-value one.
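The following is an added illustration of the token exchange just described; it is not code from the article or from any of the products it names. It plays both roles: an Identity Provider that issues a short-lived signed token for one named Relying Partner, and a Relying Partner that performs the checks a SAML or WS-Federation library would perform (signature, issuer, audience, validity window). For a dependency-free example an HMAC over a JSON body stands in for the XML signature a real IdP would apply; the issuer URL, the partner URLs, the key and the broker name are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demonstration. A real IdP signs with a private key
# and publishes the public key in its metadata; a shared HMAC key is used here
# only to keep the example self-contained.
IDP_ISSUER = "https://idp.example-industry.ca"        # hypothetical IdP
IDP_KEY = b"constructed-demo-signing-key"


class TokenError(Exception):
    """Raised by the Relying Partner when a token must not be honoured."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, audience, key=IDP_KEY, issuer=IDP_ISSUER,
                lifetime=300, now=None):
    """Identity Provider side: sign a short-lived assertion bound to one partner."""
    now = int(time.time() if now is None else now)
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def verify_token(token, expected_audience, key=IDP_KEY,
                 trusted_issuer=IDP_ISSUER, now=None):
    """Relying Partner side: return the subject only if every check passes."""
    now = int(time.time() if now is None else now)
    try:
        body, sig = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    # Signature first: nothing in the body can be trusted before this passes.
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise TokenError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != trusted_issuer:
        raise TokenError("untrusted issuer")
    # Audience check: a token minted for the BMS must not open the portal.
    if claims.get("aud") != expected_audience:
        raise TokenError("token issued for another relying party")
    if not claims["iat"] <= now < claims["exp"]:
        raise TokenError("expired or not yet valid")
    return claims["sub"]


def tamper(token):
    """Rewrite the subject claim but keep the original signature (attacker)."""
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    claims["sub"] = "broker-admin"
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig


def demo(now=1_338_595_200):
    """Run one valid sign on and three abuse cases against the verifier."""
    bms = "https://bms.example-broker.ca"          # hypothetical partner
    portal = "https://portal.example-insurer.ca"   # hypothetical partner
    token = issue_token("broker-jsmith", audience=bms, now=now)
    results = {"bms_accepts": verify_token(token, bms, now=now)}
    cases = [
        ("replayed_to_portal", token, portal, now),
        ("expired", token, bms, now + 3600),
        ("tampered", tamper(token), bms, now),
    ]
    for name, tok, aud, when in cases:
        try:
            verify_token(tok, aud, now=when)
            results[name] = "accepted"
        except TokenError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The order of checks matters: the signature is verified before any claim is read, so a forged body never influences which issuer or audience the verifier compares against. The audience check is what keeps federation from collapsing into "one token opens everything"; each partner must insist on its own identifier.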

Industry standards organizations like the Centre for the Study of Insurance Operations or Acord typically define the “rules of engagement” by establishing industry standards using technical standards such as those mentioned above (SAML, Liberty Alliance, WS Federation, Shibboleth, etc).

Often what happens is that the insurance industry implements its own (de facto) standards, and presents them to the standards body as the basis for industry-wide standards.

The issue of too many sign ons is recognized all the way to the White House. In a real life example of Federated Identity Management, the National Institutes of Health (NIH) will offer the first U.S. government website to allow users to log in using federated identities. Google Inc., PayPal Inc. and Equifax Inc. are the first identity certifiers approved to offer secure access to government Web sites under a new trust framework operated by Open Identity Exchange.

In the United States, an organization called ID Federation Inc. [1] is developing a trust framework for the insurance and financial services industry. They are now working with Acord to establish Acord standards for identity federation. [2] In Canada, the Organization of Real Time Brokers Implementing Technology (ORBiT) has established a password management committee to examine password best practices and workflows for contact with industry partners.

Single Sign On Benefits

While this article is broker centric, everyone in the insurance industry can benefit from single sign on.

For individuals, the benefits include:

Improved user security. Users no longer need to rely on easy-to-remember passwords, sticky notes near the computer or other records that allow them, and passers-by, to recall these IDs and passwords. Users will tend to choose a more complex password if they have only one to remember. The flip side is that this one credential now opens every connected system, so it deserves stronger protection (for example, a second authentication factor at the Identity Provider) than any of the individual passwords it replaces.

Improved productivity. Users are more productive when they are not bogged down by multiple logins and do not have to remember multiple IDs and passwords.

For organizations, the benefits of a single sign on include:

Improved system security. Many corporate systems employ hastily implemented, substandard security practices in entry, transport and storage of user credentials. With SSO, passwords are entered, transmitted and stored in one place, the Identity Provider, which can be hardened and audited accordingly; the relying applications receive only a signed token and never handle the password at all.

Easier regulatory compliance. A single authentication point gives one place to enforce password policy, disable departed users and collect audit logs, which makes it simpler to demonstrate compliance with government regulations (in the United States, for example, the Sarbanes-Oxley Act or the Health Insurance Portability and Accountability Act).

Decreased development cost. SSO provides developers with a common authentication framework. If the SSO mechanism is independent and well-formed, then developers are able to use it rather than re-inventing it.

Decreased administration costs. When applications participate in single sign on, the administration burden of managing the user accounts is greatly simplified. Also, help desk staff will have to answer fewer requests to reset forgotten passwords.

The Portage Mutual and CGI initiative is a demonstration that single sign on can be achieved. With so many systems, and so little time, wouldn’t it be wonderful if we could sign on once, and be recognized everywhere?

End Notes

[1] http://idfederation.com

[2] http://www.acord.org/about/NewsCenter/news/Pages/20120404_idfederation.aspx

