Prompt Details
Model: claude-4-6-sonnet
Token size: 487
Example input
[e.g. SSO, IGA, PAM, MFA, CIAM, Directory Services]: SSO
[e.g. Healthcare, Financial Services, SaaS Company, Government, Retail, Manufacturing]: Healthcare Provider
[MUST HAVE]: must have
[NICE TO HAVE]: nice to have
Example output
Case 01
SSO Solution — Healthcare Provider
Industry: Healthcare
Solution: SSO
Organization: Healthcare Provider
1. Project Overview
Our organization is a multi-site healthcare provider operating across 12 facilities with 4,500 clinical and administrative staff accessing over 35 applications daily. Our current authentication environment relies on disparate credentials per system, resulting in significant clinician productivity loss, elevated helpdesk costs, and increasing audit findings related to access governance.
We are seeking a Single Sign-On solution that enables secure, seamless access to all clinical and administrative systems under a unified identity, while maintaining full HIPAA compliance and supporting our Zero Trust security roadmap.
2. Scope of Work
Deploy SSO across all 35 applications including EHR, PACS, billing, and productivity tools
Integrate with existing Active Directory and Azure AD as identity sources
Implement MFA enforcement for all clinical staff accessing PHI systems
Provide helpdesk and end-user training materials for phased rollout
Deliver post-deployment audit reporting and access monitoring dashboards
3. Functional Requirements
01. SAML 2.0 and OIDC Support [MUST HAVE]: Must support both SAML 2.0 and OpenID Connect protocols for application federation.
02. Adaptive MFA [MUST HAVE]: Must provide risk-based MFA with context-aware step-up authentication for PHI access.
03. Active Directory Integration [MUST HAVE]: Must integrate natively with on-premise AD and Azure AD as identity sources.
04. Session Timeout Controls [MUST HAVE]: Must enforce configurable session timeouts per application to meet HIPAA §164.312 requirements.
05. Single Logout (SLO) [MUST HAVE]: Must support Single Logout across all federated applications on session termination.
06. Access Reporting [MUST HAVE]: Must provide audit-ready access logs with user, timestamp, application, and outcome fields.
07. Mobile Device Support [NICE TO HAVE]: Should support SSO on iOS and Android devices for mobile clinical workflows.
08. Passwordless Authentication [NICE TO HAVE]: Should support FIDO2/WebAuthn passwordless login for high-frequency clinical workstation access.
5. Vendor Evaluation Criteria
Criteria | Weight | Description
HIPAA Compliance & Security Certifications | 30% | HIPAA BAA availability, SOC 2 Type II, HITRUST certification
Functional Requirements Coverage | 25% | Depth of SAML, OIDC, MFA, and SLO feature coverage
Integration Capability | 20% | Pre-built connectors for EHR, PACS, and clinical apps
Total Cost of Ownership | 15% | Licensing, implementation, and 3-year support costs
Vendor References & Support | 10% | Healthcare customer references and SLA commitments
7. Evaluation Questions
TECH: How does your solution handle session timeout enforcement at the application level for HIPAA §164.312 compliance?
TECH: Describe your AD and Azure AD synchronization architecture — what is the maximum supported directory size?
TECH: How does your adaptive MFA engine evaluate risk context — what signals are used for step-up authentication?
BIZ: Provide two references from healthcare organizations of similar size where your SSO was deployed.
BIZ: What is your standard implementation timeline for a 35-application SSO deployment?
BIZ: Describe your HIPAA BAA process and any data residency options available for clinical data.
Generate a complete, professional IAM RFP document for any identity solution — SSO, IGA, PAM, MFA, CIAM and more. Covers scope, functional requirements, security compliance, vendor evaluation criteria, and submission guidelines — ready to send to vendors.
Added 1 day ago
