llVertafore Single Sign-On (VSSO) Release Notes

Password expiration moved from a per-customer setting to a global setting across VSSO products, currently set at 60-days. This means that all global users need to reset their passwords every 60 days. Customers may use MFA for additional password security.

We want to remind all admins of the upcoming changes to VSSO (Vertafore Single Sign-On). During our regular maintenance window on the evening of September 4, 2020, we will be upgrading the VSSO login experience as well as improving security settings within the application. No additional action is required by customers with this change.

How will you be impacted?

• The login experience for Vertafore solutions through VSSO will look and feel different.
• On the login screen, you can log in, recover your password, or change your password.

 
Login Screen

• When logging in currently, the user goes to their product login such as www.ams360.com or https://rating.vertafore.com. That login will redirect to the new VSSO login page just like it did with the old VSSO login page. If a user needs to go directly to VSSO (outside of a product), they should use the same URL as in the past > https://vim.identity.vertafore.com/VIM/. For those agencies that restrict access to URLs, you may need to add login.apps.vertafore.com to the whitelist if users report issues getting to the VSSO Login page.
• All previous security questions utilized during password resets will be removed from the application. Vertafore will transition from security questions to email verification to create additional security for our customers by using an additional distinct factor to confirm an end user’s identity. This helps customers to align with industry standards regarding the use of different factors such as something you know compared to something you have. Additionally, security questions are often repeated by different services and typically contain personal information. By changing to an email confirmation, it provides the benefit of reducing the amount of personal information that a company retains for security questions.

Vertafore is committed to educating you on these changes before they occur, as well as helping you to understand how they may impact you and your business, so you can continue to focus on serving your customers.

We encourage you to share these updates with your team members. If you have any questions or need additional assistance, please reach out to Vertafore Customer Support through MyVertafore or by calling 1.800.444.4813.

• We will no longer use Security Questions

• Password Resets will now use an email confirmation flow

1. If you forget your password, click on Forgot Password.

2. When prompted, enter the email associated with your login and click on Send Request. When you click Send Request, you receive will an Account Recovery message.

• Password reset emails are valid for 12 hours

Forgot Password

Account Recovery

Reset Your Password Message

3. In your email inbox, you will see a new email from Vertafore. You will then Click here to reset your password.

Vertafore Email

4. You will be redirected back to the reset password page at which point you can enter and confirm your new password. Click on Reset when you are ready.

Reset Password

5. Your password will be reset, and you will be presented with the following Success screen. Click on Continue and you will be redirected back to your applications login screen, enter your credentials and your application will load.

Account Recovery Success

• The Change Password function will allow you to change a password you know to a new one.

1. To change your password, click on Change Password. You do not need to enter email on the first screen.

Change Password

2. When prompted, enter the email associated with your login and your current password at the top. The password policy can be seen by clicking the arrows on the screen to show and hide the policy.

3. When ready, you can enter the new password and confirm it. If you click on Submit, the password will be changed, and you will get a success screen. Click Continue to be directed back to the login screen for your application where you can sign on with your new credentials.

Password Requirements

Change Password Success

• When you login and your password is within the expiring limit, currently three days, you will get a warning:

Password Expiring

• You will have two Options:

  • Change the password now and you will go through the Change Password flow and be directed back to your application afterwards. If you click on cancel during the change password flow, you will get the warning again the next time you login.

  • Click Change it later and the warning will snooze and not prompt you again for 24 hours.

• Login Behavior

• Multi-Factor Authentication (MFA)

• Usernames and passwords

• Password Expiration Policy

• Frequency on how often you can change your password

Q: What happens when you enter your password wrong three times in a row and get locked out? Will you still be locked out for 15 minutes? What happens after the 15 minutes?

• A:Yes, this is unchanged and will remain at 15 minutes.

Q:Will the new user emails expire?

• A: Yes, this will be unchanged, and these emails expire in two hours. Follow the standard process for asking for a new user email.

Q: Will password reset emails expire?

• A: Yes, the self-service email for forgot password form the logon screen will expire in 12 hours. You will need to re-request a new one from the logon screen.

Q: Will login activity still be shown on the VIM Admin activity screen?

• A: Yes, it should be the same as this information comes from VIM Database.

Before

Some of the drop down list in VSSO are too small and agencies could not see the full name of the product they needed to Provision.

Now

We increased both the size of the product box and the add product drop down lists so the full product name is visible

Before

You had to add users one by one in VSSO.

Now

You can import a list of users into VSSO.

Under Manage Users there is now a tab for User Bulk Upload. You will see instruction on how to do this right on the tab. It is simple. Download the template, enter in your users, then upload the csv file.

If you are in the process of doing a merge through Professional Services a Vertafore, please check before doing this.

Before

There was no way to see a list of products users had access to.

Now

This report will show you the products that users have access to in VSSO.

Under the My Organization page there is a Product Access Report available for download.

Before

To add or remove a user's access to a product, you had to go to the Product Access tab for each user.

Now

You can manage all of the users that have access to a product from the Manage Products tab. Click the Manage Products tab, click a product, and then click the Product Users tab.

Before

The Activate VSSO and Deactivate VSSO buttons were displayed at the top of the Manage Products > VSSO Status list.

Now

The Activate VSSO and Deactivate VSSO buttons are displayed at the bottom of the Manage Products > VSSO Status list, consistent with other areas of the user experience. Besides their new location, the buttons work exactly the same as before. You must select users in the list before the Activate VSSO and Deactivate VSSO buttons can be used.

Before

When adding or managing multiple instances of the same product, it could be difficult to determine which instance of a product you were selecting because the Instance ID was not displayed, or not fully displayed.

Now

When you hover your mouse over any product, in any area or dialog of VSSO, the Instance ID is always displayed in the tooltip.

Before

VSSO accounts that have not been used for more than 90 days are automatically set to a “disabled” state. Disabled accounts cannot be used until a VSSO administrator with full admin rights re-enables the account.

Once re-enabled, the user had to use their account to sign in prior to midnight on the day the account was re-enabled. If the user could not sign in within that timeframe, the account was automatically reset to a "disabled" state at midnight.

Now

Once re-enabled, a user must use their account to sign in within 24 hours. If the user cannot sign in within that timeframe, the account is automatically reset to a "disabled" state.

Before

When creating a new user, VSSO would always send the enrollment email immediately after you click Save.

Now

Administrators have new options for controlling when a new user receives their enrollment email.

• Now - sends the enrollment email immediately after you click Save.
• Date - sends the enrollment email on the date you specify.
• At Product Provision - sends the enrollment email as soon as a product is added to this user's Product Access tab.

Before

Users has no visibility into product sessions associated with their VSSO account.

Now

Users of third-party applications that make use of Vertafore's Developer APIs can now see any active product sessions associated with their VSSO account by clicking the External Product Sessions tab. This tab is visible to all user regardless of role. Users can use this tab to kill any unwanted open third-party product sessions.

Before

When you'd create a new VSSO account, or when you'd reset a user's password, the user would receive an email that contained an activation code. They'd need to enter this code before they could activate their account or reset their password. Emails from VSSO were sent in plain-text format.

Now

Users will not be asked to enter an activation code when new VSSO accounts are created, or when you reset the password on an existing account. Users will still need to answer security questions. In addition, emails sent by VSSO now use an improved HTML format that's easier to read and act on.

Before

You answered personal preference questions about favorite foods, book characters, movies, proudest awards, etc. It was difficult for many users to remember their answers.

Now

You answer personal information questions that studies show are easier for users to remember, such as your first pet, first car, mother's maiden name, etc.

With this release, the first time you click the Forgot my password link, you'll be asked to answer the previous security questions. If you answer them correctly, you'll then be asked to enter answers for the new questions.

After this one-time experience, the next time you need to reset your password you'll be asked to answer only the new security questions, and you will not be required to re-enter the answers when you enter your new password. Your previous answers are retained.

Before

You used the options on the Admin Rights tab to grant admin rights for specific products to specific administrators in your agency.

Now

You create a product group and assign administrators to the group.

In addition, administrators can use the Group Context drop-down menu to limit what is shown in the VSSO console to only products and users in a specific group. Group administrators can change the group context to only the groups they administer. Full administrators can change the group context to any group in their agency.

Before

You had to enter your email address and answer two secret questions, and then follow the instructions in an email to reset your password.

Now

You simply enter your current and new password, and then click Update Password.

We fixed an issue that prevented VSSO from warning AMS360 users when their password expiration date was approaching. All VSSO users will be warned when they sign in to any VSSO-enabled application, beginning 4 days prior to the expiration date.

My Agency Home integrates with both AMS360 and PL Rating. If your agency uses just one AMS360 database and just one PL Rating database, My Agency Home will integrate with your databases automatically, so you won’t need to complete the steps in this guide.

If your agency uses multiple AMS360 or PL Rating databases, or if you have connected more than one instance of any Vertafore product to your VSSO configuration (for example, you have two or more instances of Credential Manager listed on the Manage Products tab in the VSSO admin console), you must create Product Groups in VSSO before you can use My Agency Home.