SSO for users

Logging in to Castor CDMS

When your institution requires SSO, you will be unable to log in with the Castor CDMS credentials you previously set. Instead, after entering your email address on the login page, you will be redirected to your institution's Identity Provider (IdP) to log in.
 

Log in using Castor CDMS credentials

You will be prompted to enter your Castor CDMS password if your institution does not enforce SSO or has exempted your account from using SSO. You can read more about logging in to Castor CDMS on this helpdesk page.

Log in using SSO

You will be redirected to your organization's IdP (for example, Azure AD) if your institution enforces SSO.

Inviting users to a study

The process of inviting users to a study is the same for SSO users and non-SSO users. More information about inviting users can be found on this page.

Using the API

For security reasons, we require SSO users to login to Castor CDMS using their Identity Provider on a regular basis. After 7 days of inactivity, you must log in again through the user interface before you can generate a new OAuth token.

If you have not logged in to the system for more than 7 days, the /oauth/token endpoint will return the following error: “For security reasons, we require SSO users to login to Castor CDMS using their Identity Provider on a regular basis. You have not accessed the system in 7 days. Before making any API calls, please log in via the user interface.”

SSO for institutes

SSO allows users to access multiple web applications using a single set of login credentials. By providing a single point of authentication and authorization, SSO enables your institution or site to gain centralized control over user access and management. This can help you gain a better handle on the compliance, security, and data governance of their research data. Furthermore, SSO can improve the user experience by allowing researchers, staff, and other users to log in to Castor CDMS using their existing institutional credentials rather than remembering and managing multiple sets of login information.

Supported protocols

Castor supports the SAML and OIDC protocols for SSO authentication. We only onboard new customers on the OIDC protocol.

SAML SSO flows

For customers using SAML-based SSO, both the Service Provider (SP) and Identity Provider (IdP) initiated flows are supported.
 

Enforcing SSO

As an institution, you can enforce the use of SSO for your email domain (for example, hospital.com). Your email domain will be associated with an IdP (for example, Azure AD), which can be used to log in to the application.

Implications

Enforcing SSO has a number of implications. Users with your email domain:

• … will be redirected to an IdP in order to authenticate themselves or will directly use the IdP to get access to Castor CDMS. 
  • They will use the login page and credentials from their IdP.
• … cannot log in using their Castor CDMS credentials anymore.
  • Instead, they will be redirected, as described above.
• … cannot use Castor CDMS’ 2 Factor Authentication (2FA) anymore.
  • Instead, they will use the 2FA of the IdP, if applicable.
• … must log in using the IdP every 7 days in order to maintain access to the API.
  • SSO cannot be used to manage API credentials. To maintain access to the API, we require users to log in every 7 days for security reasons. It is not possible to generate a new OAuth token after 7 days of inactivity, and users must first log in using the IdP to regain access.

Exceptions 

It is possible to make exceptions to the SSO enforcement on a user account level.  Such an exception enables the user to log in using their Castor CDMS credentials instead. Exceptions can be made for:

• Regular users (i.e., user accounts that use a shared email box and cannot login through SSO) 
• System users (i.e., user accounts that are not used by an ‘actual’ user, but used for API integrations)

To make such an exception, contact a member of the customer success team. Please include the email address of the user account in your request, as well as a description of whether this concerns a regular user or a system user.