
Enterprise SSO & Access Control

SAML, OIDC, and advanced role-based access for large organizations

EvidAI integrates seamlessly with enterprise identity providers, providing secure, centralized access management for organizations of any size.


Identity Provider Integration

Supported Protocols

| Protocol | Use Case | Status |
|---|---|---|
| SAML 2.0 | Enterprise SSO | ✅ Supported |
| OIDC/OAuth 2.0 | Modern apps, APIs | ✅ Supported |
| SCIM 2.0 | User provisioning | ✅ Supported |
| LDAP | Legacy directory | ✅ Via adapter |

Supported Identity Providers

| Provider | Integration Level |
|---|---|
| Okta | ✅ Native, certified |
| Azure AD / Entra ID | ✅ Native, certified |
| PingFederate | ✅ Native |
| OneLogin | ✅ Native |
| Google Workspace | ✅ Native |
| AWS IAM Identity Center | ✅ Native |
| Custom SAML/OIDC | ✅ Configurable |

Role-Based Access Control

Standard Roles

| Role | Permissions | Typical Users |
|---|---|---|
| Owner | Full platform administration | CIO, Department Head |
| Admin | User management, billing | IT Admin, Manager |
| Principal Investigator | Full review access, team management | Senior Researcher |
| Reviewer | Read/write on assigned reviews | Research Staff |
| Analyst | Analysis and reporting only | Statistician |
| Auditor | Read-only, audit trail access | QA, Compliance |
| Viewer | Read-only, limited scope | Stakeholders |

Custom Role Builder

Create roles tailored to your organization:

CUSTOM ROLE: "Junior Reviewer"

Base Template: Reviewer

Permissions Modified:
├── Protocol: View only (removed edit)
├── Screening: Execute + Review assigned studies only
├── Extraction: Execute on assigned studies
├── Quality Assessment: View only
├── Analysis: No access
├── Export: Request only (requires approval)
└── Team: View members only

Assignment Scope:
├── Projects: Assigned reviews only
├── Data: Own work + approved comparisons
└── Reports: Standard templates only

[Save Role] [Test Permissions] [Assign to Users]
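As an added example (not EvidAI's code), the Python below derives the "Junior Reviewer" role shown above from the Reviewer template and evaluates permission checks against its assignment scope. The permission levels, the Reviewer template contents and the rule that a modification may only lower a level, never raise it above the base, are assumptions.

```python
# Added example (not EvidAI's code): deriving a custom role from a base
# template and checking permissions against an assignment scope.
from dataclasses import dataclass

# Assumed permission levels per resource, least to most privileged.
LEVELS = {"none": 0, "view": 1, "request": 2, "execute": 3, "edit": 4}

# Assumed "Reviewer" base template: read/write on assigned reviews.
REVIEWER_TEMPLATE = {
    "protocol": "edit", "screening": "edit", "extraction": "edit",
    "quality_assessment": "edit", "analysis": "edit", "export": "edit",
    "team": "edit",
}

@dataclass
class Role:
    name: str
    permissions: dict
    assigned_only: bool = True   # scope: assigned reviews only

def derive_role(name, base, modifications):
    """Copy the base template and apply the builder's 'Permissions Modified'
    list. A modification may only lower a level, never raise it above base."""
    perms = dict(base)
    for resource, level in modifications.items():
        if resource not in perms:
            raise ValueError(f"unknown resource {resource!r}")
        if LEVELS[level] > LEVELS[perms[resource]]:
            raise ValueError(f"{name}: {level} on {resource} exceeds base")
        perms[resource] = level
    return Role(name, perms)

# The "Junior Reviewer" role from the builder screen above.
JUNIOR_REVIEWER = derive_role("Junior Reviewer", REVIEWER_TEMPLATE, {
    "protocol": "view", "screening": "execute", "extraction": "execute",
    "quality_assessment": "view", "analysis": "none",
    "export": "request", "team": "view",
})

def is_allowed(role, resource, action, study_assigned):
    """True if the role's level on the resource covers the action and the
    study is inside the role's assignment scope. Unknown resources deny."""
    if role.assigned_only and not study_assigned:
        return False
    have = LEVELS[role.permissions.get(resource, "none")]
    return have >= LEVELS[action]
```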

Dual Review & Blinding

Blinded Review Configuration

For regulatory-grade systematic reviews requiring independent assessment:

| Feature | Configuration |
|---|---|
| Screening Blinding | Reviewers cannot see each other's decisions until complete |
| Extraction Blinding | Dual extraction without cross-visibility |
| RoB Blinding | Independent quality assessment |
| Unblinding Trigger | Automatic after both reviewers complete |
| Conflict Resolution | Third reviewer or PI arbitration |

Blinding Status Example

BLINDING STATUS: Review SLR-2024-001

Phase: Title/Abstract Screening

Reviewer 1: Dr. James Wilson
├── Progress: 847/1,234 (69%)
├── Can see: Own decisions only
└── Status: In progress

Reviewer 2: Dr. Maria Garcia
├── Progress: 1,234/1,234 (100%)
├── Can see: Own decisions only
└── Status: Complete, awaiting partner

Conflict Status:
├── Both complete: No
├── Conflicts detected: Pending unblinding
└── Resolution assigned: Dr. Sarah Chen (PI)

[Force Unblind - PI Only] [Send Reminder to Reviewer 1]
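The blinding rules in the table and status screen above, as an added example (not EvidAI's code): each reviewer sees only their own decisions, unblinding happens automatically once both complete or when the PI forces it, and conflicts are reported only after unblinding. The reviewer ids, decision values and study count are constructed.

```python
# Added example (not EvidAI's code): visibility and the unblinding trigger
# for a dual-blinded screening phase.
from dataclasses import dataclass, field

INCLUDE, EXCLUDE = "include", "exclude"

@dataclass
class BlindedPhase:
    reviewers: tuple                   # exactly two reviewer ids
    arbiter: str                       # PI who resolves conflicts
    total: int                         # studies in this phase
    decisions: dict = field(default_factory=dict)  # reviewer -> {study: decision}
    force_unblinded_by: str = None

    def record(self, reviewer, study, decision):
        if reviewer not in self.reviewers:
            raise PermissionError(f"{reviewer} is not a reviewer on this phase")
        self.decisions.setdefault(reviewer, {})[study] = decision

    def is_complete(self, reviewer):
        return len(self.decisions.get(reviewer, {})) >= self.total

    def unblinded(self):
        # Unblinding trigger: automatic once both reviewers complete,
        # or an explicit PI force-unblind.
        return (self.force_unblinded_by is not None
                or all(self.is_complete(r) for r in self.reviewers))

    def visible_decisions(self, viewer, study):
        """What `viewer` may see for `study`. Before unblinding a reviewer
        sees own decisions only and everyone else (PI included) sees none."""
        if self.unblinded():
            return {r: self.decisions.get(r, {}).get(study) for r in self.reviewers}
        if viewer in self.reviewers:
            return {viewer: self.decisions.get(viewer, {}).get(study)}
        return {}

    def force_unblind(self, actor):
        if actor != self.arbiter:
            raise PermissionError("Force unblind is PI only")
        self.force_unblinded_by = actor

    def conflicts(self):
        """Studies where the reviewers disagree; None while still blinded."""
        if not self.unblinded():
            return None
        a, b = self.reviewers
        da, db = self.decisions.get(a, {}), self.decisions.get(b, {})
        return sorted(s for s in set(da) | set(db) if da.get(s) != db.get(s))
```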

Multi-Factor Authentication

MFA Requirements

| User Type | MFA Requirement | Methods |
|---|---|---|
| Admin | Required always | TOTP, Hardware key, Push |
| Principal Investigator | Required always | TOTP, Hardware key, Push |
| Reviewer | Configurable | TOTP, Push, SMS* |
| Viewer | Configurable | TOTP, Push |

*SMS available but not recommended for sensitive data

Hardware Key Support

| Standard | Keys Supported |
|---|---|
| FIDO2 | YubiKey 5, Google Titan |
| WebAuthn | Platform authenticators |
| U2F | Legacy YubiKey |

Session Management

Session Controls

| Setting | Default | Configurable Range |
|---|---|---|
| Session Duration | 8 hours | 1-24 hours |
| Idle Timeout | 30 minutes | 5-120 minutes |
| Concurrent Sessions | 3 | 1-10 |
| Remember Device | 7 days | 1-30 days or disabled |

Session Security

ACTIVE SESSIONS: dr.smith@pharma.com

Session 1 (Current):
├── Device: MacBook Pro (Chrome 120)
├── Location: New York, NY
├── IP: 203.45.167.89
├── Started: Today, 9:15 AM
└── Last Activity: 2 minutes ago

Session 2:
├── Device: iPhone 15 (Safari Mobile)
├── Location: New York, NY
├── IP: 203.45.167.92
├── Started: Yesterday, 3:45 PM
└── Last Activity: 14 hours ago

[Revoke Session 2] [Revoke All Other Sessions]
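The session controls above (absolute duration, idle timeout, concurrent-session cap and the revoke actions), as an added example that is not EvidAI's code. Range validation against the table's configurable ranges, and revoking the least recently active session when the cap is hit, are assumptions about how such a policy would be enforced.

```python
# Added example (not EvidAI's code): enforcing the session controls table.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Configurable ranges from the table, used to validate a policy.
RANGES = {"duration_h": (1, 24), "idle_min": (5, 120), "concurrent": (1, 10)}

def validate_policy(duration_h=8, idle_min=30, concurrent=3):
    """Defaults are the table's defaults; each value must sit in its range."""
    for key, val in (("duration_h", duration_h), ("idle_min", idle_min),
                     ("concurrent", concurrent)):
        lo, hi = RANGES[key]
        if not lo <= val <= hi:
            raise ValueError(f"{key}={val} outside allowed range {lo}-{hi}")
    return {"duration": timedelta(hours=duration_h),
            "idle": timedelta(minutes=idle_min), "concurrent": concurrent}

@dataclass
class Session:
    id: str
    started: datetime
    last_activity: datetime
    revoked: bool = False

def session_state(s, policy, now):
    """'active', or the reason the session must be rejected."""
    if s.revoked:
        return "revoked"
    if now - s.started > policy["duration"]:
        return "expired"            # absolute lifetime exceeded
    if now - s.last_activity > policy["idle"]:
        return "idle_timeout"
    return "active"

def admit_new_session(sessions, policy, now):
    """Concurrent-session cap (assumption): revoke the least recently active
    sessions until the new one fits. Returns the ids revoked."""
    live = [s for s in sessions if session_state(s, policy, now) == "active"]
    live.sort(key=lambda s: s.last_activity)
    revoked = []
    while len(live) >= policy["concurrent"]:
        oldest = live.pop(0)
        oldest.revoked = True
        revoked.append(oldest.id)
    return revoked

def revoke_all_other(sessions, current_id):
    """The [Revoke All Other Sessions] action: everything but the current one."""
    for s in sessions:
        if s.id != current_id:
            s.revoked = True
```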

Provisioning & Deprovisioning

Automatic User Lifecycle

| Event | Action | Timing |
|---|---|---|
| User added to IdP group | Account created in EvidAI | Real-time (SCIM) |
| Group membership change | Permissions updated | Real-time |
| User removed from IdP | Account deactivated | Real-time |
| Account disabled in IdP | Sessions terminated | Immediate |

Just-In-Time Provisioning

JIT PROVISIONING: Enabled

Mapping Configuration:
├── IdP Group: "EvidAI-Reviewers" → Role: Reviewer
├── IdP Group: "EvidAI-PIs" → Role: Principal Investigator
├── IdP Group: "EvidAI-Admins" → Role: Admin
└── Default Role (no group): Viewer

Attribute Mapping:
├── email → user.email
├── firstName → user.given_name
├── lastName → user.family_name
├── department → user.department
└── employeeId → user.external_id
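The JIT group-to-role and attribute mappings above, together with the lifecycle events in the table, as an added example that is not EvidAI's code. Two points the page does not state and which are assumptions here: a user in several mapped groups receives the highest-privilege role, and an assertion without an email or employee id is rejected rather than provisioned.

```python
# Added example (not EvidAI's code): JIT provisioning from an IdP assertion
# using the group -> role and attribute mappings shown above.
GROUP_TO_ROLE = {
    "EvidAI-Reviewers": "Reviewer",
    "EvidAI-PIs": "Principal Investigator",
    "EvidAI-Admins": "Admin",
}
DEFAULT_ROLE = "Viewer"
# Assumption: with several mapped groups, the highest-privilege role wins.
ROLE_RANK = ["Viewer", "Reviewer", "Principal Investigator", "Admin"]

ATTRIBUTE_MAP = {
    "email": "email", "firstName": "given_name", "lastName": "family_name",
    "department": "department", "employeeId": "external_id",
}
# Assumption: these local fields must be present for an account to be created.
REQUIRED = ("email", "external_id")

def resolve_role(groups):
    roles = [GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE]
    if not roles:
        return DEFAULT_ROLE
    return max(roles, key=ROLE_RANK.index)

def provision(assertion):
    """Build the local user record from an assertion (dict of IdP attribute
    values plus a 'groups' list). Attributes not in the map are dropped."""
    user = {ATTRIBUTE_MAP[k]: v for k, v in assertion.items() if k in ATTRIBUTE_MAP}
    missing = [r for r in REQUIRED if not user.get(r)]
    if missing:
        raise ValueError(f"assertion missing required attributes: {missing}")
    user["role"] = resolve_role(assertion.get("groups", []))
    user["active"] = True
    return user

def apply_group_change(user, new_groups):
    """Group membership change event: permissions updated in real time."""
    user["role"] = resolve_role(new_groups)
    return user["role"]

def deprovision(user, sessions):
    """User removed or disabled in the IdP: deactivate and terminate sessions."""
    user["active"] = False
    sessions.clear()
    return user["active"]
```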

Security Best Practices

Enterprise Deployment Checklist

| Item | Recommendation |
|---|---|
| SSO | Enable for all users; disable local passwords |
| MFA | Require for all roles; prefer hardware keys |
| Sessions | 8-hour max; 30-minute idle timeout |
| IP Restrictions | Whitelist corporate IPs for admin access |
| Audit Logging | Enable; configure SIEM integration |
| Data Residency | Select region matching compliance needs |

Enterprise Support: Our enterprise team provides white-glove SSO configuration. Contact support@EvidAI.ai for dedicated onboarding.
