Identity Management: a key to seamless CTMS and EDC

In my opinion, the largest hurdle to a comprehensive Clinical Trials system, whether you talk about EDC or about traditional CTMS, is identity management. 

Think about it:

  • You set up your EDC system, but how do you get your users enrolled?
  • You create a CTMS, but how do you handle turnover at the clinical sites?
  • How many user names and passwords does each PI or study coordinator have to remember?
  • Is your system really 21 CFR Part 11 compliant if each PI and study coordinator writes their username and password on a sticky note and sticks it to their monitor?

What is the answer to those problems?  Is it SAFE BioPharma?  SAFE Digital Signatures absolutely have their advantages, and undoubtedly have a role for verifiable digital signatures, but even with SAFE users have multiple identities – at a minimum they have their corporate identity and a SAFE identity. 

Let’s pose a couple of scenarios:

  • What if those users could use that one identity on all systems, across multiple companies – including their SAFE identity?
  • What if your principal investigators were to log onto their computer in the morning and NOT have to enter their username and password again to get into your CTMS system or EDC system (outside of a signing password)?
  • What if you didn’t have to worry that the study coordinator is no longer with one of your clinical trial sites – because their username access was revoked once their employment status was changed?  What if you didn’t have to lift a finger to do it?

Allow me to introduce you to Microsoft “Geneva”, the “Geneva Framework”, and the Microsoft Identity Federation Gateway.

Geneva is (essentially) the next version of Active Directory Federation Services with a key additional component: a Microsoft-provided, cloud-based service for sharing Active Directory entries between organizations.

The official line (from the Geneva splash page) is that it is “an open platform that provides simplified user access and single sign-on for on-premises and cloud-based applications in the enterprise, across organizations, and on the Web.” 

From a technical standpoint, the Geneva framework is designed to be interoperable, utilizing WS-* and SAML 2.0. The key to understanding Geneva is the notion of “claims” and the STS (Security Token Service).

A claim is simply a way of expressing who you are – an abstraction layer for authenticating, authorizing, and obtaining information about users and services.

For instance, the following are the claims that are provided when I log into my work machine:

  • E-Mail:
  • Employer: Microsoft
  • Group: Life Sciences Industry Unit
  • Role: Industry Technology Strategist
  • Location: Mobile/Home Office

These claims are provided to me by the STS when I authenticate, passed to me in a SAML token, and then provided to the application I want to use. 

Applications that I try to use would then evaluate those claims to authenticate and authorize my access.   Here is a slide from a recent presentation that gives a visual overview of the process:



There is a great whitepaper that goes into detail on the process located at: Geneva Claims Based Access Platform
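To make the flow above concrete, here is an added example (not Geneva’s code, nor from any whitepaper) of what a relying application such as a CTMS does with the SAML token it receives: it checks that the assertion came from the trusted STS, is inside its validity window and was issued for this application, turns the attributes into claims, and then authorizes on the Role claim. The assertion, the issuer and audience URLs, and the role policy are all constructed for illustration; the XML-signature check a real relying party performs before trusting the assertion is assumed to have already passed and is not shown.

```python
# Added example, not Geneva code: a relying party turning a SAML 2.0
# assertion from an STS into claims and making an authorization decision.
# Assumed: the assertion's XML signature has already been verified.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_ISSUER = "https://sts.example-sponsor.test/"   # assumed STS identity
AUDIENCE = "https://ctms.example-vendor.test/"          # this application

# Constructed sample assertion carrying the claims listed in the post.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://sts.example-sponsor.test/</saml:Issuer>
  <saml:Conditions NotBefore="2009-06-01T08:00:00Z" NotOnOrAfter="2009-06-01T09:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://ctms.example-vendor.test/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Employer"><saml:AttributeValue>Microsoft</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role"><saml:AttributeValue>Industry Technology Strategist</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Group"><saml:AttributeValue>Life Sciences Industry Unit</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    """Parse a SAML UTC timestamp such as 2009-06-01T08:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def extract_claims(xml_text, now):
    """Check issuer, validity window and audience; return claims as {name: [values]}.
    Raises ValueError when any check fails, so the caller never sees bad claims."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer: %r" % issuer)
    cond = root.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if AUDIENCE not in audiences:
        raise ValueError("assertion was not issued for this application")
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return claims

# Hypothetical CTMS policy: which Role claims may open site records.
ALLOWED_ROLES = {"Industry Technology Strategist", "Study Coordinator"}

def can_view_site_records(claims):
    """Authorize purely from claims; no local username/password store is consulted."""
    return any(role in ALLOWED_ROLES for role in claims.get("Role", []))
```

Because the decision rests only on the issuer's claims, revoking the user at the STS (the turnover case above) stops access at the next token request without the application touching any account data.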

From an administrative standpoint, it provides a number of advantages:

  • Software vendors (like EDC vendors) can develop applications that don’t have to maintain their own username and password database, but instead use a FAR MORE SECURE claims infrastructure that gives them the ability to authenticate not just users from one company, but users from multiple companies!
  • Companies that utilize Microsoft Office SharePoint Server can set up authentication and access control that consumes Geneva based identities, giving you the ability to have multi-company collaboration without a lot of technical heavy lifting. 
      • This would allow a CRO to host multiple Pharmas on their SharePoint extranet site, giving them their own secure collaboration areas, without having to provision a username and password for each external user.
      • This would allow a CTMS vendor on SharePoint to provide out-of-the-box extranet capabilities, without having to provide administration screens and databases for external usernames and passwords.

Thinking of SharePoint in particular, the following slide gives a brief example of what that would look like:



To wrap up, here is a slide from a presentation I gave recently on what the whole Identity Software + Services stack would look like.


Note: if you aren’t using Active Directory or Identity Lifecycle Manager, the above architecture is still valid, as the system is designed for interoperability.  There are whitepapers available that detail the use of Geneva with Novell Access Manager as well as with Sun OpenSSO.

A more detailed discussion of the Geneva platform will be provided in a Webcast that I would recommend to anyone in the Life Sciences industry on June 23rd.  TechNet Webcast- Simplified Access and Single Sign-on with Microsoft

Of course, I’m biased in positing that this is a “game changer” for the Life Sciences industry, but I truly believe it is… the issue of Identity Management, Username and Password proliferation, and cross-company collaboration is an issue that has hindered true (and secure) data availability and collaboration in the Life Sciences industry.  Perhaps now we can get the Identity Management issue behind us and move on.
