Single Sign-On
Overview
Single Sign-On (SSO) is available for use by Sagitta Online agencies. SSO allows your users to access Vertafore applications that support SSO, all without requiring a separate login.
SUMMARY OF SSO PROVISIONING AND PROVISIONING PREP
- The preparation process for SSO provisioning is intended to verify that each user being provisioned has an email address in Staff Codes, and that this email is unique from all other users, including any users that will not be provisioned. Provisioning will not work without a unique, valid email address.
- Provisioning a user is an activity performed on the Sagitta Authentication Management page.
- The user will receive an email invitation from Vertafore SSO, which includes steps the user must follow.
- After following these steps, the user is now provisioned and invited to log into Sagitta using the registered email address plus the new password derived from a link on the Sagitta login page.
Login changes after SSO Provisioning: Once a user is provisioned for SSO, the user's ID and password will be changed, along with the way in which the user logs into Sagitta.
Preparation is required before SSO provisioning is started.
For additional information on managing users and products in VSSO, please refer to the articles listed below, plus any related Help topics. These resources will be helpful if you plan to use (or are already using) TransactNow and WorkSmart.
Add Sagitta Authentication Management in Role Based Security
- Go to Role-Based Security (Other > Personalization > System).
- Enter the role to add the new page to in the "Role-Based Security Code" field.
- Select a menu to add the new menu item to, or use the "Quick Entry Section." NOTE: Using the Quick Entry Section will add it to the System > Personalization > Client/Staff menu.
- Enter SSO.USERS.DISPLAY in the "Program" field.
- Select a value in "Access."
- Click Save when finished.
Review Users
On the Sagitta Authentication Management page, review your users’ email addresses as they are listed in the Email Address column, as well as the names listed in the Staff Name column. To view users, enter the appropriate search criteria in the fields at the top of the page and then click the Select button.
Each user employing SSO should have the following elements:
- A unique email address
  - If using other VSSO-enabled applications, such as WorkSmart, make sure this is the same email address used elsewhere. It is best to use the employee or business email.
- A valid name
  - Accepted suffixes include the following: Jr., Sr., I, II, III, IV, V, VI and Esq.
Users who do not meet these criteria must be edited in the Staff Codes maintenance page.
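A pre-provisioning check for the criteria above, as an added example that is not part of the Vertafore documentation: it flags users marked for provisioning whose email is missing, malformed, or shared with any other user (including users that will not be provisioned), and names carrying a suffix outside the accepted list. The record layout (`staff_code`, `name`, `email`, `provision`), the comma-before-suffix convention, and the case-insensitive email comparison are assumptions; the sample records are constructed.

```python
import re
from collections import defaultdict

# Suffixes the page lists as accepted in a staff name.
ACCEPTED_SUFFIXES = {"Jr.", "Sr.", "I", "II", "III", "IV", "V", "VI", "Esq."}
# Deliberately simple shape check, not a full RFC 5322 validator.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def audit_staff(rows):
    """Return {staff_code: [issues]} for users marked for provisioning."""
    # Index every address, provisioned or not; case-folding is an assumption.
    owners = defaultdict(list)
    for r in rows:
        email = (r.get("email") or "").strip().lower()
        if email:
            owners[email].append(r["staff_code"])
    findings = {}
    for r in rows:
        if not r.get("provision"):
            continue
        issues = []
        email = (r.get("email") or "").strip()
        if not email:
            issues.append("missing email")
        elif not EMAIL_RE.match(email):
            issues.append("malformed email")
        else:
            others = [c for c in owners[email.lower()] if c != r["staff_code"]]
            if others:
                issues.append("email shared with " + ", ".join(sorted(others)))
        name = (r.get("name") or "").strip()
        if not name:
            issues.append("missing name")
        elif "," in name:
            # Assumption: a suffix, when present, follows the last comma.
            suffix = name.rsplit(",", 1)[1].strip()
            if suffix not in ACCEPTED_SUFFIXES:
                issues.append("unaccepted suffix: " + suffix)
        if issues:
            findings[r["staff_code"]] = issues
    return findings

# Constructed sample records (hypothetical layout, not real Sagitta data).
SAMPLE = [
    {"staff_code": "A01", "name": "Dana Reyes", "email": "dana.reyes@agency.example", "provision": True},
    {"staff_code": "A02", "name": "Lee Park, Jr.", "email": "Shared@agency.example", "provision": True},
    {"staff_code": "SVC", "name": "Unattended Download", "email": "shared@agency.example", "provision": False},
    {"staff_code": "A03", "name": "Sam Ortiz, PhD", "email": "", "provision": True},
]
```

Calling `audit_staff(SAMPLE)` reports A02 because its address collides with a service login that will never be provisioned, which is the case the uniqueness rule is written to catch.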
Using SSO with Other Vertafore Products
If you are using other Vertafore products that employ VSSO (such as WorkSmart or TransactNow), the email address for a given user must be the same across all products. A user's email address is the unique identifier for every Vertafore product that uses VSSO.
If you reset the password for one VSSO-enabled product, this same password should be used for other VSSO-enabled products. For example, if you reset the password for a WorkSmart user and are later prompted to re-enter your credentials when using Single Sign-On in Sagitta, that password will be the same as the WorkSmart password. This is because, across the two products, the same user is being logged in.
Once a user has been personalized to use Vertafore Authentication, they should complete the process by logging into Sagitta using the Sign in with Single Sign-On link on the login screen. If they do not complete this process, they will be able to log into Sagitta, but will not be able to use the WorkSmart v7 links until they have logged in with Single Sign-On. Additionally, Single Sign-On users should be logged in when launching WorkSmart links from WorkSmart to Sagitta.
If a Single Sign-On user’s email address must be changed, change the email in Sagitta, specifically on the Staff Code Maintenance page.
Users Not Set to Single Sign-On
Some users should not be set up to use Single Sign-On, mainly because they need to use Sagitta credentials to function properly.
Examples of users who should NOT be set to use Single Sign-On:
- Logins used for Sagitta Web Services, e.g., home-grown applications that use these Web Services
- Sagitta Login specified in the Sagitta Server Configuration for the Sagitta Real-Time Integration in BenefitPoint
- Unattended Download user
- ImageRight Integration user
- Sagitta Live Sync user for SagittaConnect
- Users for Vertafore Customer Support
Provisioning Users Using Sagitta Authentication Management
- All users to be provisioned must have an email address added to their Staff Code on the Staff Codes Maintenance page. The email address must be unique to that user.
- Go to Sagitta Authentication Management (Other > Personalization > Client/Staff).
- Use the selection criteria at the top of the page to display one user (e.g., use Staff Code or User ID), or more than one user (e.g., use Division, or Division and Department, etc.).
- Click Select. The users will be displayed in the grid.
- Click to select a user, or hold Ctrl or Shift and click to select multiple users.
- Click Set SSO Authentication Method. In the "Authentication Method" column, the selected users will change from Sagitta (the default) to Vertafore.
- After the users have "Vertafore" in the Authentication Method column, if they are a new user they will receive an email to set up their credentials for Single Sign-On. Existing Vertafore VSSO users will not receive this email.
  - A user will not receive an email if they already use other VSSO-enabled products. If so, they can log in with those credentials (or reset them, if they forgot the details of that login).
- Immediately after a user is set up to be Vertafore-authenticated, they will still be able to log into Sagitta.
- After a user has signed in with Single Sign-On once, they will no longer be able to log into Sagitta with their Sagitta credentials. They must instead use Single Sign-On, and their old Sagitta username and password will no longer work.
Provisioning a user from Sagitta to Vertafore is a one-time change; users cannot be changed back to Sagitta authentication.
Potential Single Sign-On Errors
After a user is provisioned, the user should click the link on the Sagitta login page that reads "Sign in with Single Sign-On."
The Vertafore Single Sign-On page will be displayed:
Enter the provisioned user's email address and password, and then click Log In.
For Single Sign-On users, the "Log Out" button has been replaced with an "Exit" button.
By clicking on "Exit," you will be directed to the following landing page:
Clicking the "here" link on that page logs you back into Sagitta. You may not be prompted to sign in with Single Sign-On again and could instead be routed back to the Sagitta Home page.