Behind the Scenes with SignOn Once
What is ID Federation?
- A nonprofit coalition of passionate volunteers who represent leadership from across all sectors of the independent insurance channel.
What is the goal of ID Federation?
- To relieve insurance agencies of inefficient, costly and insecure password management.
- To allow participants in the independent insurance channel to conduct online transactions more securely and efficiently.
What has ID Federation accomplished?
- Working with the MIT Innovation lab, ID Federation created a trust framework for insurance industry transactions. This trust framework is an agreement among all participating parties for how insurance transactions will be handled — how individual systems and components will function together as well as the security policies and technical specifications that will guide them. For a complete definition of a trust framework, visit makeidentitysafe.com.
- With the trust framework as a foundation, ID Federation created SignOn Once.
What is SignOn Once?
- SignOn Once is an advanced technology solution. Each user needs just one password to log into their management system and conduct the day’s insurance transactions with one or multiple carriers.
- It is not an app or product. It’s a set of rules that use existing standards including Security Assertion Markup Language (SAML) and System for Cross-domain Identity Management (SCIM).
- It makes password and identity management problems a thing of the past.
- It gives agencies ease of connectivity with carrier-approved security.
What is the SignOn Once process?
- The agency, as the user authority, manages its own users, who may be employees, contractors or others. The agency assigns identification attributes — at a minimum, email address and organizational identifier — to each user. [See Section 3.02(c) Attributes in the SignOn Once trust framework.] The agency management system must be certified as trustworthy. [See Section 1.01(b)(iii), User Authority.] The agency also receives start-up support from its vendor.
- The user is any individual in an agency who has a logon to their agency management system and will access carrier assets for the purpose of doing business. [See Section 1.01(b)(iii) User Authority.] Users are unaware of SignOn Once operating behind the scenes. They just log into their management system daily with their password.
- The SignOn Once provider (usually the agency’s management system vendor) gives each user a unique digital token based on their identification attributes. Behind the scenes, the provider certifies the token for authenticity, and the token becomes the user’s pass to every participating carrier.
- The participating carrier receives the user’s token and is responsible for mapping it to credentials in its system. For example, johndoe@agency.com is user123 at the carrier. (If a carrier does not participate in SignOn Once, users will have to continue to log in to it individually.)
- The process provides seamless connectivity. With each new participating carrier, the ease and efficiency of the process is multiplied. Password management issues will cease to exist for the agency that does business solely with SignOn Once carriers.
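The token flow above, as an added example that is not part of the original page or of SignOn Once itself: the provider binds the two minimum attributes (email address and organizational identifier) into a signed token, and the carrier verifies the signature before mapping the pair to its own credential. The JSON-plus-HMAC token format, the signing key and the carrier directory are constructed stand-ins for the SAML assertion the page describes.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the identity provider's signing key (assumption, not a real key).
PROVIDER_KEY = b"constructed-demo-signing-key"

# Constructed carrier directory: the agency's minimum attributes (email address,
# organizational identifier) map to the carrier's own credential, as in the
# johndoe@agency.com -> user123 example above.
CARRIER_DIRECTORY = {
    ("johndoe@agency.com", "AGENCY-001"): "user123",
}


def issue_token(email: str, org_id: str) -> str:
    """Identity provider side: bind the user's attributes into a signed token."""
    payload = json.dumps({"email": email, "org_id": org_id}, sort_keys=True).encode()
    sig = hmac.new(PROVIDER_KEY, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode() + "." + base64.b64encode(sig).decode()


def consume_token(token: str):
    """Carrier side: check the provider's signature, then map attributes to a
    local credential. Returns the carrier user id, or None when the token is
    malformed, not authentically signed, or names a user the carrier has no
    mapping for (for example a user from an organization it does not know)."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.b64decode(payload_b64, validate=True)
        sig = base64.b64decode(sig_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # Verify before trusting any attribute; constant-time compare avoids timing leaks.
    expected = hmac.new(PROVIDER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        attrs = json.loads(payload)
    except ValueError:
        return None
    # Map on the pair of attributes, not email alone, so the same address
    # asserted under a different organizational identifier is not confused.
    return CARRIER_DIRECTORY.get((attrs.get("email"), attrs.get("org_id")))
```

A token whose payload was altered after signing, or whose attributes the carrier has never provisioned, yields no credential, which is the carrier-side check the process relies on.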
Can security be boosted even more?
- Yes. Multi-factor authentication can be incorporated.
- Yes. In addition to the minimum attributes for a user, the agency can assign additional custom attributes. [See Section 3.02(c) Attributes in the trust framework.]
Does SignOn Once authenticate or authorize users?
- Authentication means to validate a user’s identity before allowing them access to a system. Passwords are the most common authenticators. Multi-factor authentication (MFA) can include a PIN texted or emailed to a user, biometrics, or other methods to confirm identity. SignOn Once authenticates users.
- Authorization follows authentication. It means to permit a user access to things like databases, websites, or other online sources of information. Authorization is in the plans for SignOn Once, but there are issues to be resolved:
  - Carriers have a wide variety of requirements.
  - Roles are necessary for authorization, but the roles of identity providers vary widely from carrier roles.
  - Third-party products, such as licensing systems, may need to be supported.
- Authorization functions are on hold until ID Federation has partners.
What is certification, and who needs it?
- Identity providers — usually management system vendors — need to be certified to ensure their process and construction of the secure tokens meet the SignOn Once trust framework requirements.
- The assessment process is specifically scoped to provide a review of security controls against a standardized baseline.
- A neutral outside organization performs assessments.
- SignOn Once identity providers are required to complete an assessment every three years.
What does a carrier need to get started with SignOn Once?
- Separate IDs for every user, based on the identification attributes provided by the agency.
- The ability to consume secure tokens from the identity provider.
- The carrier will receive start-up support from a participating vendor.
What does SignOn Once cost?
- It’s free for agencies using a partner solution provider such as Vertafore or Applied Systems.
- An optional $250 annual fee gives agencies official SignOn Once membership, allowing them to attend and vote at the ID Federation annual meeting. That membership also signals the agency’s endorsement of SignOn Once.
- Carrier fees are based on premium volume but generally are considered to be nominal given the advantages the carrier receives from its SignOn Once participation.