Medidata SSO Specifications

The following SSO Specifications are applicable to the use of Application Services by a Medidata customer or partner (“Client”) to create a single sign-on (“SSO”) integration with iMedidata® (“SSO Integration”) for use with Client’s credential authorization system.

A. Technical Requirements.  The SSO Integration must meet the minimum iMedidata authentication requirements, as provided from time to time by Medidata. These authentication requirements include:

  1. Username requirements:
    a.  Be at least five (5) but no more than forty (40) characters in length
    b.  Be in ASCII (no Unicode characters may be used)
    c.  Cannot contain any of the following characters:
      i.  Exclamation point (!)
      ii. Comma (,)
      iii. Caret (^)
      iv. Apostrophe (’)
      v. Space ( )
  2. Password requirements:
    a.  Be at least eight (8) characters in length
    b.  Contain at least one (1) uppercase letter, one (1) lowercase letter, and one (1) number character
    c.  Conform to Electronic Records Electronic Signatures (ERES) requirements for eSignatures
    d.  Cannot be one of your last ten (10) passwords
  3. Medidata strongly recommends Client implement two (2) factor Authentication (“2FA”) for any Authorized Users accessing the Application Services through SSO Integration.
  4. When assisting an Authorized User with resetting their password or recovering a forgotten username, the Authorized User must first verify that they are the owner of the account they are requesting assistance with by providing a minimum of three (3) pieces of personally identifiable information.
  5. All endpoints communicating with Medidata must be running on a fully supported major release of the operating system and webservers with the most recent updates, up-to-date regularly scanned endpoint protection, and up-to-date web browsers.
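
A pre-provisioning check an identity-provider team could run against items 1 and 2 above, as an added example that is not Medidata's code. All function names are hypothetical, the PBKDF2 parameters are illustrative, treating the ASCII apostrophe (') as forbidden is an assumption, and the ERES rule (2c) is not covered.

```python
import hashlib
import hmac
import os

# The page prints a typographic apostrophe; also rejecting the ASCII
# apostrophe (') is an assumption about what the rule intends.
FORBIDDEN_USERNAME_CHARS = set("!,^' ")
HISTORY_DEPTH = 10  # "last ten (10) passwords"

def username_errors(username: str) -> list[str]:
    """Return every username rule from item 1 that the value violates."""
    errors = []
    if not 5 <= len(username) <= 40:
        errors.append("length must be 5-40 characters")
    if not username.isascii():
        errors.append("non-ASCII character present")
    bad = sorted(FORBIDDEN_USERNAME_CHARS & set(username))
    if bad:
        errors.append("forbidden character(s): " + " ".join(repr(c) for c in bad))
    return errors

def _digest(password: str, salt: bytes) -> bytes:
    # Iteration count and hash are illustrative choices, not from the page.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def remember(password: str) -> tuple[bytes, bytes]:
    """Produce a (salt, digest) history entry so plaintext is never stored."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)

def password_errors(password: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Check item 2 rules a, b and d; history is ordered oldest to newest."""
    errors = []
    if len(password) < 8:
        errors.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("no number character")
    # Only the ten most recent entries count; older passwords may be reused.
    for salt, stored in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_digest(password, salt), stored):
            errors.append("matches one of the last 10 passwords")
            break
    return errors
```

A username containing the typographic apostrophe (’) is rejected by the ASCII rule rather than the forbidden-character list, so both forms fail validation.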

Medidata may, in its sole discretion, update the authentication requirements, provided that Client shall have a reasonable period of time (not less than thirty (30) days for standard updates) to implement any required changes. If Medidata updates iMedidata to address security, privacy or similar issues that in Medidata’s sole discretion create a significant risk of loss or liability, Medidata will provide notice to Client of this critical update and Client will take immediate action to implement such critical update in Client’s SSO Integration.

B. Acceptable Use.

  1. Testing of Identity Provider (i.e. Client source for validating secure identities) integrations can only occur against the innovate environment of iMedidata, and cannot provide or allow access to the production environment.
  2. Client may not run any performance testing of, or load testing against, any environment without Medidata’s prior, written authorization.
  3. An SSO Integration must not be used to access accounts for which the person accessing said account is not the sole owner.