Authentication & Single Sign-On (SSO)

Updated over a month ago

Medecision supports secure enterprise-grade authentication workflows across all applications in the platform. This includes deep integration with client identity systems using SAML 2.0, OAuth2, and group-attribute-based authorization to enforce least-privilege access. This page outlines the SSO design, flow, configuration, and security policies in detail.


Supported Authentication Models

Method | Description
SAML 2.0 | Primary enterprise SSO mechanism using the client IdP and Medecision as SP
OAuth 2.0 / OpenID Connect | Supported for some partner-integrated applications
Basic Auth (internal only) | Reserved for dev/test environments and CI/CD pipelines


SAML 2.0 SSO Flow (SP-Initiated)

  1. User visits a Medecision application and clicks "Sign in with SSO."

  2. The Medecision platform (Service Provider) creates a SAML authentication request.

  3. The user is redirected to the client’s Identity Provider (IdP), such as PingFederate, Okta, or Azure AD.

  4. The IdP authenticates the user and returns a signed SAML assertion containing attribute claims.

  5. The SAML response is sent to the Medecision Assertion Consumer Service (ACS) URL.

  6. Medecision validates the assertion, maps attributes, and creates or updates the user session.


SAML Configuration Details

Parameter | Value
ACS URL | https://med-shared-srv-prod.firebaseapp.com/__/auth/handler
Entity ID | https://medecision.com/
Binding | HTTP-POST
Encryption & Signing | SHA-256, required on assertion
Clock Skew Tolerance | ±5 minutes supported
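The checks a Service Provider applies to a received response against the values in this table, written here as an added example rather than Medecision's own code. It assumes the XML signature has already been verified and covers only the Destination, the Audience and the NotBefore/NotOnOrAfter window with the ±5 minute tolerance; the sample response is constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Values from the configuration table above
ACS_URL = "https://med-shared-srv-prod.firebaseapp.com/__/auth/handler"
ENTITY_ID = "https://medecision.com/"
CLOCK_SKEW = timedelta(minutes=5)
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}


def _utc(stamp):
    # SAML timestamps are UTC in the form 2024-01-01T12:00:00Z
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(response_xml, now_utc):
    """Return the list of condition failures for a SAML Response (empty list = OK).
    Assumes the XML signature was already verified by the SP's XML-DSig library."""
    errors = []
    root = ET.fromstring(response_xml)
    # The response must be addressed to our ACS URL, not one issued for another SP
    if root.get("Destination") != ACS_URL:
        errors.append("destination mismatch")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return errors + ["no assertion"]
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return errors + ["no conditions"]
    now = _utc(now_utc)
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    # Tolerate +/-5 minutes of IdP/SP clock drift, as the table above states
    if nb and now < _utc(nb) - CLOCK_SKEW:
        errors.append("assertion not yet valid")
    if noa and now >= _utc(noa) + CLOCK_SKEW:
        errors.append("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if ENTITY_ID not in audiences:
        errors.append("audience mismatch")
    return errors


# Constructed sample response (not captured from a real IdP); signature element omitted
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{ACS_URL}">
  <saml:Assertion>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:10:00Z">
      <saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```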


Required SAML Attribute Claims

Attribute | Purpose
acmUserId | Internal user ID (used as primary key in CMV and audit records)
firstName, lastName | Display names and audit tagging
title, phone, timezone | Optional user profile enrichment
email | Login ID and notifications
groups | Role and application group assignment (RBAC mapping)

These attributes are required to create or update a user via Just-In-Time (JIT) provisioning.


Role & Group Mapping

Upon successful SAML login, Medecision maps the user’s groups attribute to predefined application and functional roles:

Application Groups

Group Name | Description
ACM | Access to Aerial Core Management platform
ASMT | Access to the Assessments Module
DOM | Access to Dashboard for Operations Monitoring
ACI | Access to Clinical Intelligence platform
Aerial_UM_Admin | Administrative privileges for Utilization Management workflows
CMV | Access to Comprehensive Member View
Guided_Intake_Admin | Admin rights for managing guided intake rules and configurations
Appeals_Admin | Admin rights in Appeals & Grievances module
Analytics_Admin | Access to administrative analytics dashboards and rule monitoring

Functional Groups

Group Name | Permissions Granted
Aerial_DCM_Person_Editor | Permission to edit member demographic and clinical data
Aerial_DCM_Clinical_M_Viewer | View medical records, timeline entries, and clinical metadata
Aerial_DCM_Provider_Editor | Permission to manage provider profiles and affiliations
Aerial_DCM_Manager | Management rights including task assignment and oversight
Aerial_HS_Viewer_Restricted | Access to restricted health data views for mental health, substance use, etc.
UM_Intake_User | Access to request intake module for utilization management
UM_Reviewer_Clinical | Permission to review and make clinical determinations on requests
UM_Reviewer_Admin | Full admin rights within UM module, including configuration, routing, and overrides
CI_Rules_Editor | Access to manage and edit clinical intelligence rule sets
CI_Builder_User | Access to rule builder interface and input/output testing tools

These groups are assigned via SAML attribute claims and enforced across UI, API, and automation layers. They support least-privilege principles and are configurable per client during onboarding.


Security Features

  • Signed Assertions: Required for all SAML responses

  • IP Whitelisting: Optional for partner-facing environments

  • Session Timeout: Configurable; defaults to 30 minutes of inactivity

  • Multi-Factor Authentication (MFA): Enforced by client IdP

  • Audit Logging: Every login event logged with timestamp, IP, and group claims


JIT Provisioning and Session Behavior

  • Users are provisioned automatically during first login using the mapped SAML attributes.

  • Any attribute changes on subsequent logins will update the internal user profile.

  • Users removed from the IdP group will lose access on next login attempt.

  • No local password is stored in Medecision—authentication is fully delegated to the IdP.
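An added illustration (not Medecision's code) of the JIT provisioning and group mapping described in the Role & Group Mapping and JIT sections: required claims are checked, the groups claim is split into application and functional groups using the names from the tables above, unknown groups are logged rather than granted, and access is recomputed from the current claim so a user dropped from an IdP group loses it on the next login. The user-store and audit-record shapes are assumed.

```python
# Attribute names and group names are taken from the tables on this page
REQUIRED = ("acmUserId", "firstName", "lastName", "email", "groups")
OPTIONAL = ("title", "phone", "timezone")
APPLICATION_GROUPS = {"ACM", "ASMT", "DOM", "ACI", "CMV", "Aerial_UM_Admin",
                      "Guided_Intake_Admin", "Appeals_Admin", "Analytics_Admin"}
FUNCTIONAL_GROUPS = {"Aerial_DCM_Person_Editor", "Aerial_DCM_Clinical_M_Viewer",
                     "Aerial_DCM_Provider_Editor", "Aerial_DCM_Manager",
                     "Aerial_HS_Viewer_Restricted", "UM_Intake_User",
                     "UM_Reviewer_Clinical", "UM_Reviewer_Admin",
                     "CI_Rules_Editor", "CI_Builder_User"}


def provision(store, attrs):
    """Create or update store[acmUserId] from the attribute claims of a validated
    assertion. Returns (user_record, audit_record); the store shape is assumed."""
    missing = [a for a in REQUIRED if not attrs.get(a)]
    if missing:
        # JIT provisioning cannot proceed without the required claims
        raise ValueError(f"missing required SAML attributes: {missing}")
    claimed = set(attrs["groups"])          # multi-valued SAML attribute
    apps = sorted(claimed & APPLICATION_GROUPS)
    roles = sorted(claimed & FUNCTIONAL_GROUPS)
    unknown = sorted(claimed - APPLICATION_GROUPS - FUNCTIONAL_GROUPS)
    uid = attrs["acmUserId"]
    previous = store.get(uid, {})
    user = {
        "acmUserId": uid,
        "email": attrs["email"],
        "name": f"{attrs['firstName']} {attrs['lastName']}",
        # Optional enrichment: only the keys present in this login's claim are kept
        **{k: attrs[k] for k in OPTIONAL if attrs.get(k)},
        # Access is rebuilt from the current claim, never carried over from last login
        "applications": apps,
        "roles": roles,
    }
    store[uid] = user
    held_before = set(previous.get("applications", [])) | set(previous.get("roles", []))
    audit = {
        "event": "jit_update" if previous else "jit_provision",
        "acmUserId": uid,
        "ignored_groups": unknown,                     # group parsing outcome
        "access_revoked": sorted(held_before - claimed),
    }
    return user, audit
```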


Troubleshooting & Logging

Medecision maintains internal logs for all SAML transactions:

  • Assertion receipt time

  • Validation results (signature, timestamp, schema)

  • Group parsing outcome

  • Mapping decisions and user provisioning audit trail

Errors are returned as UI messages and can optionally be redirected to client support portals.


Client Onboarding Checklist for SAML SSO

  1. Share IdP metadata XML or discovery URL

  2. Define group/attribute structure and naming conventions

  3. Provide test user credentials for staging environment

  4. Validate ACS URL, entity ID, and encryption requirements

  5. Confirm user attribute mappings (acmUserId, name, email, groups)

  6. Execute login test and validate group-to-role mapping

  7. Promote to production


SSO integration ensures that enterprise users can access Medecision's platform securely with minimal friction, enabling seamless provisioning, compliance, and real-time access control across workflows.