Ideagen Policy Logic IdP | SSO FAQ
This article covers a range of frequently asked questions surrounding the Single-Sign On (SSO) service with respect to the Ideagen Policy Logic IdP.
Q: What is Single Sign-On (SSO)?
A: SSO is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials (username and password).
Q: What is the difference between authentication and authorisation?
A: Put simply, authentication is proving who you are and authorisation is what you have access to.
Authentication is validating who you are. When you check into a hotel, you give your ID and your credit card.
When you log into Ideagen Policy Logic systems, you give your username and password, and if it all matches up, you're authenticated.
Authorisation is what your hotel key card says you can do.
For example, you typically have access to the lobby and to your room but you don't have access to your neighbour's room. Building on this you can go to the gym, maybe even the spa, but you don't have access to the executive lounge.
In the Ideagen Policy Logic system context, your account may have the ability to read policies but not manage or publish them.
Q: Why opt for SSO as an authentication option?
A: Two key reasons: it improves user experience and it improves client security.
User Experience
Managing a unique username and password for multiple products is painful.
Each product has its own directory, so a task like resetting a password in one product (for example Assurance) applies only to that product and does not carry over to another (for example PolicyConnect).
It is similar to juggling multiple Hotmail/Outlook accounts, each with its own login.
SSO allows a single set of credentials to be recognised across all configured products. It also remembers a session for a short period which reduces the amount of times you need to enter your username and password.
Security
SSO can hugely improve security.
It enables IT to deploy security tools like MFA in tandem with SSO, and can quickly oversee user access rights and privileges.
In addition, an SSO solution from a proven provider should give companies peace of mind through verified security protocols and service at scale. Ideagen Policy Logic currently relies on Microsoft Azure for our own security!
Q: Are account lockouts enabled for failed login attempts?
A: There are no lockouts for failed login attempts currently.
Q: Who's responsible for managing users if the client has SSO?
A: Your IT person/team! Once the SSO service setup has been completed, logging in to Ideagen Policy Logic products relies on information such as group membership. Only they can manage your privileges within your organisation's identity solution, such as Microsoft Azure.
Q: Does Ideagen Policy Logic offer SSO across all our products?
A: All of our products can be integrated with SSO. You can find a high-level overview of what this looks like product by product here.
Q: What solution does Ideagen Policy Logic rely on for setup of the configuration?
A: Currently Ideagen Policy Logic relies on a custom in-house IdP solution for most of our SSO configurations. We are in an implementation phase with Auth0 as we transition to relying on their leading identity and access management platform for all things SSO.
Q: How can you tell if a site/product has been activated for SSO?
A: The best way to tell is to confirm with your account manager, but two of our products give a visible indication that SSO has been enabled:
- Assurance - the login page will mention SSO when this has been activated
- PolicyPlus - the login bar will be dark grey
Q: How long does the SSO service keep me logged in before I need to re-enter my login?
A: We are currently implementing Auth0 as our new identity solution for configuring SSO. Initially we are implementing the Auth0 default for access token expiry.
This is considered an upper bound, as individual identity providers (e.g. Azure) have their own reauthentication timeframes, which may be shorter than this.
Auth0 default:
- 1 day access token expiry (auto renew as long as refresh token live)
  - This is for our backend service to do the actual validation
- 30-day refresh token expiry (absolute lifetime)
- 14-day refresh token expiry (inactivity lifetime)
Each product has its own session length, the custom IdP Tool login has its own session length and third-party identity vendors have their own session length.
Our session lengths for each product include:
- PolicyConnect - to match Auth0 setup.
- Assurance - Assurance session timeout is currently 48 hours.
- Safe Excursions Solutions - both SafeTripBuilder and PlanCheckGo require a login every time they are launched.
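The interplay between the three Auth0 default lifetimes above (1-day access token, 30-day absolute and 14-day inactivity refresh token lifetimes) is easier to see with a small simulation. The following is an added example written for this FAQ, not code from Ideagen Policy Logic or from Auth0; it assumes a simplified model in which an expired access token is renewed on demand from the refresh token at the next visit, and each renewal resets the refresh token's inactivity clock. Product-specific session lengths (e.g. the 48-hour Assurance timeout) are not modelled.

```python
from datetime import datetime, timedelta

# Lifetimes as stated in the FAQ for the Auth0 default configuration.
ACCESS_TOKEN_LIFETIME = timedelta(days=1)
REFRESH_ABSOLUTE_LIFETIME = timedelta(days=30)   # measured from the original login
REFRESH_INACTIVITY_LIFETIME = timedelta(days=14)  # measured from the last refresh


def refresh_token_is_live(issued_at, last_used_at, now):
    """A refresh token is usable only while BOTH lifetimes still hold.

    The absolute lifetime caps the session no matter how active the user is;
    the inactivity lifetime ends it earlier if the token sits unused.
    """
    within_absolute = now < issued_at + REFRESH_ABSOLUTE_LIFETIME
    within_inactivity = now < last_used_at + REFRESH_INACTIVITY_LIFETIME
    return within_absolute and within_inactivity


def simulate_session(login_at, activity_times):
    """Replay a sequence of product visits (datetimes) after an interactive
    login and return the first visit at which the user must log in again,
    or None if the session survives every visit.

    Assumed model (not Auth0's exact renewal mechanics): a visit needs a valid
    access token; if it has expired, the backend uses the refresh token to
    mint a new one, which counts as using the refresh token.
    """
    access_expires = login_at + ACCESS_TOKEN_LIFETIME
    refresh_last_used = login_at
    for visit in sorted(activity_times):
        if visit < access_expires:
            continue  # access token still valid, nothing to renew
        if not refresh_token_is_live(login_at, refresh_last_used, visit):
            return visit  # refresh token dead: interactive login required
        refresh_last_used = visit
        access_expires = visit + ACCESS_TOKEN_LIFETIME
    return None


def days_until_reauth(visit_days, login_at=datetime(2024, 1, 1)):
    """Convenience wrapper: visits given as day offsets from the login.

    Returns the day offset of the visit that forces a new login, or None.
    The login date is an arbitrary constructed value.
    """
    visits = [login_at + timedelta(days=d) for d in visit_days]
    forced = simulate_session(login_at, visits)
    return None if forced is None else (forced - login_at).days


if __name__ == "__main__":
    # A user who visits every day is still logged out by the 30-day cap.
    print("daily use, forced re-login on day:", days_until_reauth(range(1, 41)))
    # A user who pauses for more than 14 days is logged out by inactivity.
    print("visit day 5 then day 20, forced re-login on day:", days_until_reauth([5, 20]))
    # Visits within the first day never touch the refresh token.
    print("two visits on login day:", days_until_reauth([0.25, 0.5]))
```

Run as a script it prints the three scenarios; the second one shows why the FAQ calls the Auth0 values an upper bound rather than a guaranteed session length: a shorter reauthentication window at the identity provider, or a product-level timeout, ends the session sooner than either refresh token lifetime.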
Q: What are the capabilities of the Ideagen Policy Logic IdP?
A: We rely on a custom in-house IdP tool for configuring SSO integrations.
- We have a SAML configuration pathway, which relies on a metadata URL and is usually used for clients relying on Cloudworks, Google Workspace or ADFS.
- We then have a tailored configuration path for Windows Azure AD, which relies on an Azure Tenant ID and Consent URL to populate a SAML app for you.
Once the service is configured, the tool acts as a proxy for extending the service to any products you subscribe to.