Lloyd’s of London: Single Sign-On


Introduction

Priocept specialises in the design and development of the complex web based products and services that underpin online business. This case study details the recent work completed by Priocept for Lloyd’s to implement a centralised system for the management of their website users.  This includes the authentication and authorisation components that secure the numerous web based applications that Lloyd’s provide to the global insurance market.

Overview

Lloyd’s of London is the world’s leading insurance market providing specialist insurance services to businesses in over two hundred countries and territories.  The Lloyd’s public facing website, lloyds.com, provides stakeholders in the insurance market with an authoritative and comprehensive 8000 page information resource, supported by an internal content owner network who generate up to 600 content updates every month. It is Lloyd’s ‘shop window’ and, for many lloyds.com visitors, especially the 40%+ from outside the UK, it will be their main touch point with Lloyd’s.

Historically, the majority of content on lloyds.com was freely available for anonymous website users, and content that required restricted access was secured in an ad-hoc fashion with various technical implementations existing across applications.  However, as the website became central to the delivery of more complex and business critical information systems, a new consolidated platform for user registration, authentication and authorisation became essential.

Lloyd’s engaged Priocept to design and implement a new Single Sign-On (SSO) framework to provide a centralised Web User Identity Management system which would form the basis for authentication and authorisation on all future internet based product developments at Lloyd’s.

Solution

Following a six month implementation phase Priocept, working with Lloyd’s business teams, delivered the LAURA system – an acronym for: Lloyd’s Authentication, User Registration and Authorisation.  The LAURA system provides a mechanism to secure web based products and services based on the permissions granted to individual registered website users.

User management interface

As well as the web application security model, LAURA provides a centralised method for website user management and allows the assignment of additional metadata to specify a user’s relationship with a product or service.  LAURA is built using a service-oriented architecture (“SOA”) around the Microsoft Provider Model for Membership, Profile and Role providers. This means that other applications conforming to this standard can re-use LAURA as a user data store and as an authentication and authorisation service. For example, off-the-shelf products such as Microsoft Office SharePoint Server 2007 can be easily configured to use LAURA for authentication and authorisation with no additional development required.

The LAURA system provides the following core functionality:

  • Provides a mechanism to secure web based content and applications based on URL, i.e. the system maintains a list of secured URL patterns (e.g. http://www.lloyds.com/secureapplication/*).
  • Prevents non-logged in users from accessing content and applications that have been flagged as ‘secure’.
  • Provides users with a method of registering for general access to the site (user registration), and a means of logging in to the site upon their return visits to lloyds.com.
  • Ensures that only logged-in users who have also been given specific privileges can access certain content or applications.
  • Provides internal Lloyd’s administrators with the ability to manage a registered user’s details including assigning them additional privileges (access rights).
  • Provides an internal administration system which is secured via the Lloyd’s corporate Active Directory.
  • Provides tiered levels of administration so that business units can only manage the access to content and applications for which they are responsible.
  • Provides a “devolved administration” system to allow administrators in external organisations to manage their employees’ access to Lloyd’s applications, i.e. Lloyd’s can devolve the responsibility for administering external corporate users.
  • Can be integrated with RSA SecurID to provide two factor authentication.
  • Provides a web services based API which can be used by calling applications to provide additional security, personalisation, etc.
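The rules listed above (a list of secured URL patterns, a login requirement for anything matching them, per-user privileges for specific applications, and tiered and devolved administration) can be modelled compactly. The following Python block is an added illustration of that model written for this page; it is not LAURA's code, and the class names, role names, business units and sample users are constructed assumptions. It also shows the canonicalisation a URL-based check needs so that a secured pattern cannot be sidestepped with mixed case, dot segments or a query string.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from posixpath import normpath
from typing import Optional
from urllib.parse import urlsplit

# Constructed model of the access rules described in the case study.
# Added illustration only: none of these classes are LAURA's own code.


@dataclass
class SecuredUrl:
    pattern: str                          # e.g. "http://www.lloyds.com/secureapplication/*"
    required_role: Optional[str] = None   # None: any logged-in user may enter
    owner_unit: str = ""                  # business unit responsible for the application


@dataclass
class User:
    username: str
    organisation: str
    roles: set = field(default_factory=set)


@dataclass
class Administrator:
    username: str
    units: set = field(default_factory=set)    # tiered admin: units this person manages
    organisation: Optional[str] = None         # set for devolved (external) admins


def normalise(url: str) -> str:
    """Canonical scheme://host/path: lower-cased, dot segments resolved, query dropped,
    so a secured pattern cannot be bypassed with 'SecureApplication', '/../' or '?x'."""
    parts = urlsplit(url)
    path = normpath(parts.path or "/")
    if parts.path.endswith("/") and not path.endswith("/"):
        path += "/"                       # normpath strips a trailing slash; keep it
    return f"{parts.scheme}://{parts.netloc}{path}".lower()


class AccessControl:
    def __init__(self, secured):
        # Longest (most specific) pattern is tested first.
        self.secured = sorted(secured, key=lambda r: len(r.pattern), reverse=True)
        # Which business unit owns each privilege (role) - drives tiered administration.
        self.role_units = {r.required_role: r.owner_unit for r in secured if r.required_role}

    def matching_rule(self, url: str) -> Optional[SecuredUrl]:
        target = normalise(url)
        for rule in self.secured:
            if fnmatchcase(target, rule.pattern.lower()):
                return rule
        return None

    def decide(self, url: str, user: Optional[User]) -> str:
        rule = self.matching_rule(url)
        if rule is None:
            return "allow"              # public content
        if user is None:
            return "login-required"     # anonymous visitor is sent to the login page
        if rule.required_role and rule.required_role not in user.roles:
            return "forbidden"          # logged in, but lacks the privilege
        return "allow"

    def grant_role(self, admin: Administrator, user: User, role: str) -> bool:
        unit = self.role_units.get(role)
        if unit is None or unit not in admin.units:
            return False                # tiered admin: not this admin's business unit
        if admin.organisation is not None and admin.organisation != user.organisation:
            return False                # devolved admin: only their own employees
        user.roles.add(role)
        return True


def demo() -> dict:
    """Runs the model against constructed sample data and returns each decision."""
    ac = AccessControl([
        SecuredUrl("http://www.lloyds.com/secureapplication/*", "claims-user", "Claims"),
        SecuredUrl("http://www.lloyds.com/members/*"),            # login only, no privilege
    ])
    alice = User("alice", "Broker Ltd")
    bob = User("bob", "Other Co")
    marketing_admin = Administrator("mkt-admin", {"Marketing"})
    broker_admin = Administrator("broker-admin", {"Claims"}, organisation="Broker Ltd")
    return {
        "public": ac.decide("http://www.lloyds.com/news", None),
        "anon": ac.decide("http://www.lloyds.com/members/reports", None),
        "logged_in": ac.decide("http://www.lloyds.com/members/reports", alice),
        "no_role": ac.decide("http://www.lloyds.com/secureapplication/claim/1", alice),
        "wrong_unit": ac.grant_role(marketing_admin, alice, "claims-user"),
        "wrong_org": ac.grant_role(broker_admin, bob, "claims-user"),
        "devolved_ok": ac.grant_role(broker_admin, alice, "claims-user"),
        "with_role": ac.decide("http://www.lloyds.com/SecureApplication/claim/1?x=1", alice),
        "traversal": ac.decide("http://www.lloyds.com/public/../secureapplication/claim/1", None),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12} {outcome}")
```

The two administrative checks in `grant_role` are the tiered and devolved rules from the list: a business unit administrator can only hand out privileges for applications that unit owns, and an external administrator can additionally only act on users from their own organisation. Matching on the normalised URL rather than the raw request string is what keeps the secured-URL list from being an allow-list that a differently spelled path slips past.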

Results

There are currently over 30,000 registered and active users, with more than ten Lloyd’s web applications using LAURA as the security mechanism.  Lloyd’s are now able to more accurately profile the users of the website and their actual usage of web applications on a per user basis.  Significant ROI is being achieved on each new product release which utilises the core LAURA framework for user data storage and web application security.  Lloyd’s administrators now have a single view of their customers and their online behaviour.  Web application security and individual user preferences are managed from a centralised administration application.

Priocept continues to work with Lloyd’s on the ongoing development and support of the LAURA system and the lloyds.com website as a whole.