5 Authentication and Data Integration

Oracle Site Select provides optional integration solutions at access (user authentication), data (API), and application levels.

User Authentication

Oracle Site Select and Oracle Site Select LITE support two methods for user authentication:
  1. Log in with username and password
  2. Single Sign On (SSO)

Username and password

Manual login with username and password is the default user authentication method. This option allows for periodic password changes. Users can also manually change their passwords at any time using a reset option in their user profiles.

The Oracle Site Select login page displays upon either manual or timed logout.

Single Sign On (SSO) - Oracle Site Select users

Single Sign On (SSO) authentication requires integration between Oracle Site Select and the customer’s trusted Identity Provider (IDP) system (e.g., an employee portal). An Oracle Site Select user who has a role with API and Authentication Management permission will manage the account’s Oracle Site Select IDP configuration.

SSO integration affects all users in the customer’s Oracle Site Select account. Once enabled, SSO authentication overrides the default username and password authentication, and all users in the account must access Oracle Site Select via SSO.

Login controls:
  • The customer IDP or portal controls access to Oracle Site Select. Oracle Site Select will authenticate based on the customer's IDP settings.
  • A user who is part of an account that has SSO enabled but attempts to log in directly via the Oracle Site Select login page is redirected to the IDP instead.
  • An SSO user will not be able to log in to Oracle Site Select directly using an SSO password and will not have the ability to change the SSO password in Oracle Site Select. The user will be redirected to their IDP and must be authenticated via SSO.
  • A user who attempts to access Oracle Site Select but does not have an active IDP session is redirected to the account's IDP for login. Once authorized, the user will be redirected and logged into Oracle Site Select.

Oracle Site Select SSO uses the SAML authentication protocol and will accept the following properly formatted elements to authenticate an individual user:
  1. Email address
  2. First name
  3. Last name

Upon logout, Oracle Site Select redirects the user to the IDP entry point URL configured for the account. If a user’s Oracle Site Select session times out, and if the user is still logged in to the IDP, the user will be able to log back in with a click of a button. When SSO users manually log out of Oracle Site Select, they will also be redirected to the IDP entry point URL configured for the account.

Single Sign On (SSO) - Oracle Site Select LITE users

SSO authentication allows sites to access their studies via integration between Oracle Site Select and an identity provider (IDP) application (e.g., a customer-managed portal). When the "Enable Select Lite" option has been enabled on the Study Details page, users who have permission to access the Authentication and API configuration page can configure SSO for sites in the "Authentication options" section of the page.

When a site accesses Oracle Site Select LITE via SSO authentication, studies to which the site has access are limited to those in which the site has been invited to participate within the logged-in account. By design, site users can log in manually to access studies in another account, if necessary.

Upon timeout or manual logout, Oracle Site Select LITE users who logged in:

  • With SSO are redirected to their IDP
  • With user name and password are redirected to the Oracle Site Select LITE login page

Single Sign On (SSO) - via integration with Oracle Identity Cloud Service

Users can access Oracle Site Select and other licensed Oracle Identity Cloud Service applications using a single login portal when enabled and configured for the account. This authentication method also supports automatic, just-in-time user account provisioning in Oracle Site Select to provision new users with a default user role. Oracle Identity Cloud Service also supports federation with a customer's existing identity management solution.

An Oracle Site Select user with "API and Authentication Management" permission can configure this authentication on the “IDCS auth” account integrations subpage. Settings allow the user to specify:

  • Enable/disable authentication - Disabled by default. When enabled, the user must complete the following required fields:
    • Entry point – The IDP URL
    • IDP public certificate – Security certificate file upload
    • Default role - Single selection drop-down list populated by the account's existing user roles

When the configuration user disables authentication for an account where an IDCS configuration was enabled and saved, the saved configuration will persist should the authentication be re-enabled. This includes persisting the IDP public certificate. Additionally, for an account where IDCS integration is turned off, the configuration can still be provisioned or updated via API. The changes will persist should a Select user enable or re-disable the integration.

When enabled for the account, IDCS Test Mode allows users to authenticate to Oracle Site Select via IDCS or the configured local or IDP (SSO) method. If testing mode is enabled but IDCS is later disabled, an Oracle Site Select user cannot log in via IDCS and must use the configured local or IDP method. API administrators with access to the IDCS provisioning API can toggle the IDCS testing mode on and off via API.

Note:

An Oracle administrator must also enable integration with Oracle Identity Cloud Service at the customer account level. Please contact your Oracle client services representative to discuss requirements.

Data Integration APIs

Oracle Site Select uses RESTful APIs, formatted as JSON objects, strings, and arrays, to send information between systems. This is a well-understood and well-supported technology capable of handling complex and high-volume messages. The APIs accept requests as JSON objects encoded using the UTF-8 character set.

Oracle Site Select supports the following API routes:
  • Version GET – Fetch the version and host name of the Oracle Site Select instance hosting the API
  • Datasource PUT – Add datasources to a study by sending an array of IDs to identify all datasources that should be attached to the study
  • Datasource GET – Fetch a list of datasources in an account
  • Datasource and Composite Datasource Counts GET – Fetch the counts of entities in a flat or composite datasource
  • Datasource Records PUT, GET, and DELETE – Import one or more records into a datasource; return a record from a datasource; or physically delete an investigator, institution, or site record from a datasource
  • Composite Datasource Records PUT and DELETE – Import one or more entity (investigator, institution, site, trial, or trial_site) records into a composite datasource; retrieve an investigator, institution, site, trial, or trial_site record from a composite datasource; or physically delete an investigator, institution, site, trial, or trial_site record
  • Datasource Clone – Clone an existing composite or flat datasource within your organization's account and keep the existing data column mapping of the cloned datasource.
  • Study PUT and GET – Create a new study or update an existing study, retrieve information about an existing study, or retrieve a list of studies within an account.
  • Study Sites in Study PUT, POST, and GET – Invite a study site to a study; import a site record from a datasource into a study and create a study site; or fetch information related to a specific study site like bucket state, profile details, and more.
  • Document Library PUT, POST, and GET – Upload, update, or download a document scoped to institution or investigator.
  • Document Download GET – Download a workflow document with a specific document ID.

You can access API documentation with full Request/Response details for the APIs above from a link in the Oracle Site Select application. Click the drop-down menu at the far right of the global navigation menu and choose API documentation to display the documentation in a new browser tab.

API documentation link in help drop-down list

PUSH Service

Oracle Site Select offers an optional PUSH service that sends event messages to a customer’s deployed and managed integration endpoint(s), such as a Clinical Trial Management System (CTMS). When configured, the PUSH service sends a JSON format POST message for each site profile, site status, or investigator library document update event.

Site profile updates

The PUSH service sends a POST message to the configured endpoint(s) when an Oracle Site Select or Oracle Site Select LITE user saves the site profile, regardless of whether the user edited the profile before saving it. Updates to an investigator, institution, or site's datasource record do not initiate a POST message for a site profile change.

When pushed, the POST message for a site profile update event includes the following fields:
  • address_1
  • address_2
  • city
  • compound
  • country
  • customer_last_updated_at
  • degree
  • department
  • fax_number
  • first_name
  • institution
  • institution_data_sources
  • institution_fax_numbers
  • institution_integration_id
  • institution_phone_numbers
  • institution_sip_id
  • institution_staff
  • institution_status
  • institution_status_reason
  • institution_type
  • investigator_data_sources
  • investigator_integration_id
  • investigator_sip_id
  • investigator_status
  • investigator_status_reason
  • irb_coord_email
  • irb_coord_first_name
  • irb_coord_last_name
  • irb_coord_phone_number
  • irb_type
  • last_name
  • middle_name
  • npi
  • oracle_master_profile_id
  • phone_number
  • pi_address_1
  • pi_address_2
  • pi_central_irb_experience
  • pi_city
  • pi_country
  • pi_department
  • pi_emails
  • pi_postal_code
  • pi_region
  • pi_state
  • protocol_number
  • protocol_title
  • site_data_sources
  • site_integration_id
  • site_last_verified_at
  • specialties
  • state
  • study_id
  • study_indications
  • study_name
  • study_phase
  • study_sponsor
  • study_status
  • study_therapeutic_area
  • study_type
  • studysite_id
  • suffix
  • therapeutic_area
  • title
  • trial_coord_email
  • trial_coord_first_name
  • trial_coord_last_name
  • trial_coord_phone_number
  • zip

Site status

When configured for the account, the push service sends a site status change notification message each time a site has moved bucket states, provided the site is beyond Nominate Step 1 (i.e., Master list, Review, and Dropped bucket states). Messages are not sent for sites added to or moved within Step 1. This is expected behavior.

When pushed, the POST message for the site status change event includes the following fields:

  • address_1
  • address_2
  • bucket_after
  • bucket_before
  • bucket_state_after
  • bucket_state_before
  • city
  • compound
  • country
  • department
  • first_name
  • gb_additional_site_staff
  • institution
  • institution_data_sources
  • institution_integration_id
  • institution_sip_id
  • institution_type
  • investigator_data_sources
  • investigator_integration_id
  • investigator_sip_id
  • last_name
  • middle_name
  • oracle_master_site_id
  • phone_number
  • pi_address_1
  • pi_address_2
  • pi_city
  • pi_country
  • pi_emails
  • pi_postal_code
  • pi_state
  • protocol_number
  • protocol_title
  • site_data_sources
  • site_department
  • site_integration_id
  • site_sip_id
  • specialties
  • state
  • study_id
  • study_indications
  • study_integration_id
  • study_name
  • study_phase
  • study_sponsor
  • study_status
  • study_therapeutic_area
  • study_type
  • studysite_id
  • suffix
  • title
  • updated_at
  • updated_by_emal
  • updated_by_full

The PUSH message also identifies the user who performed the status change (i.e., “updated_by”) as follows:

  • If the create/update occurs as an action within Oracle Site Select, the PUSH message includes the user’s full name and email address
  • If the create/update occurs as an action via API, the PUSH message includes the user's full name as "Site Import," and the user’s email will be <null>
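
A receiving endpoint can treat each site status POST as untrusted input: accept only the field names listed above and use the updated_by rule to tell API-made changes from in-application ones. The following is an added example, not Oracle code; the field names are spelled exactly as printed in the list above and should be confirmed against the product's API documentation, and the size limit, the required-field set, and the sample values are assumptions of the example.

```python
import json

# Field names copied from the site status list on this page, spelled as printed there.
SITE_STATUS_FIELDS = frozenset("""
address_1 address_2 bucket_after bucket_before bucket_state_after bucket_state_before
city compound country department first_name gb_additional_site_staff institution
institution_data_sources institution_integration_id institution_sip_id institution_type
investigator_data_sources investigator_integration_id investigator_sip_id last_name
middle_name oracle_master_site_id phone_number pi_address_1 pi_address_2 pi_city
pi_country pi_emails pi_postal_code pi_state protocol_number protocol_title
site_data_sources site_department site_integration_id site_sip_id specialties state
study_id study_indications study_integration_id study_name study_phase study_sponsor
study_status study_therapeutic_area study_type studysite_id suffix title updated_at
updated_by_emal updated_by_full
""".split())

# Assumptions of this example, not documented limits: the four bucket fields are
# treated as required, and bodies above 256 KiB are refused before parsing.
TRANSITION_FIELDS = ("bucket_before", "bucket_after",
                     "bucket_state_before", "bucket_state_after")
MAX_BODY_BYTES = 256 * 1024

class RejectedMessage(ValueError):
    """Raised when an inbound POST body is not an acceptable site status message."""

def parse_site_status(body: bytes) -> dict:
    """Parse one POST body, allowing only the documented field names."""
    if len(body) > MAX_BODY_BYTES:
        raise RejectedMessage("body too large")
    try:
        msg = json.loads(body.decode("utf-8"))
    except (ValueError, RecursionError) as exc:  # bad UTF-8, bad JSON, deep nesting
        raise RejectedMessage(f"not usable UTF-8 JSON: {exc}") from exc
    if not isinstance(msg, dict):
        raise RejectedMessage("top-level value is not a JSON object")
    unknown = sorted(set(msg) - SITE_STATUS_FIELDS)
    if unknown:
        raise RejectedMessage(f"unexpected fields: {unknown}")
    missing = [f for f in TRANSITION_FIELDS if f not in msg]
    if missing:
        raise RejectedMessage(f"missing fields: {missing}")
    return msg

def actor_origin(msg: dict) -> str:
    """Classify who made the change, using the updated_by rule stated above."""
    name, email = msg.get("updated_by_full"), msg.get("updated_by_emal")
    if name == "Site Import" and email is None:
        return "api"      # change made through the API
    if isinstance(name, str) and name and isinstance(email, str) and email:
        return "ui"       # change made inside the application
    return "unknown"      # neither documented pattern: hold for review

# Constructed sample bodies (not captured traffic); all values are placeholders.
BASE = {"studysite_id": 101, "bucket_before": "sample-bucket", "bucket_after": "sample-bucket",
        "bucket_state_before": "sample-state-a", "bucket_state_after": "sample-state-b"}
SAMPLE_UI = json.dumps({**BASE, "updated_by_full": "Pat Example",
                        "updated_by_emal": "pat@example.invalid"}).encode()
SAMPLE_API = json.dumps({**BASE, "updated_by_full": "Site Import",
                         "updated_by_emal": None}).encode()
SAMPLE_EXTRA = json.dumps({**BASE, "is_admin": True}).encode()
```

Rejecting unknown field names is a deliberate policy choice in this example; an endpoint that must tolerate new fields after a product update can log and drop them instead.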

On the Event notification configuration page, account administrators can optionally configure a list of email addresses that receive notification in the event of an event message failure. The administrator can configure the notification list separately for Site profile, Site status, or Library documents event notification messages.

An internal service checks for failed event messages every three hours. If an event message fails to send, each email address configured for that event message type receives a templated notification about the failure.

Investigator document library

When an account has a primary composite datasource created, the account administrator can configure event notification messages that send each time an investigator library entry has been created or updated within Oracle Site Select, Oracle Site Select LITE, or via API. The PUSH service sends a message to the configured endpoint, and customers can use the message to keep their systems updated with changes to an investigator's document library.

The PUSH service does not send the document file itself, but rather the associated metadata. Customers that require the document can request it using the Document Library GET API described below.

When sent to the configured endpoint, the PUSH service notification message includes the following metadata, as appropriate:

  • accept_text
  • attestation
  • created_at
  • created_by_email
  • created_by_full_name
  • decline_text
  • document_file
  • document_get_route
  • document_id
  • document_type
  • invalid_reason
  • investigator_id
  • investigator_integration_id
  • investigator_sip_id
  • is_invalid
  • is_invalid_by_email
  • is_invalid_by_full_name
  • is_invalid_on
  • is_latest_version
  • response_accepted
  • response_by_email
  • response_by_full_name
  • response_change_reason
  • response_on
  • updated_at
  • updated_by_email
  • updated_by_full_name
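
Because the library message carries a document_get_route value that a receiver may follow to fetch the file, the receiver should pin that value to its own account's instance before using it as a request target. The following is an added example, not Oracle code; API_BASE is a hypothetical placeholder, the sample message is constructed, and the format of document_get_route (a path or a full URL on the instance host) is an assumption.

```python
from urllib.parse import urljoin, urlsplit

# Hypothetical placeholder: the base URL of the account's own instance.
API_BASE = "https://siteselect.example.invalid/"


def resolve_document_route(route, api_base=API_BASE):
    """Return the absolute URL for a document_get_route value, or raise
    ValueError if following it would leave the origin of api_base."""
    if not isinstance(route, str) or not route:
        raise ValueError("document_get_route is missing or not a string")
    # Whitespace, control characters and backslashes are parsed differently by
    # different URL libraries, so refuse them instead of normalising.
    if any(ch == "\\" or ch.isspace() or ord(ch) < 0x20 for ch in route):
        raise ValueError("document_get_route contains unsafe characters")
    base = urlsplit(api_base)
    target = urlsplit(urljoin(api_base, route))
    if target.scheme != "https":
        raise ValueError(f"scheme {target.scheme!r} not allowed")
    if target.username is not None or target.password is not None:
        raise ValueError("credentials in URL not allowed")
    if (target.hostname, target.port) != (base.hostname, base.port):
        raise ValueError(f"host {target.hostname!r} is not the configured instance")
    return target.geturl()


def fetch_target(msg, api_base=API_BASE):
    """Pick the (document_id, url) pair to request for one library message."""
    if not isinstance(msg, dict) or "document_id" not in msg:
        raise ValueError("message has no document_id")
    url = resolve_document_route(msg.get("document_get_route"), api_base)
    return msg["document_id"], url


# Constructed sample message (not captured traffic); the route is a placeholder path.
SAMPLE_MESSAGE = {"document_id": 42, "document_get_route": "/constructed/route/42"}
```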

Oracle Site Select administrative users who have permission to manage event notification messages access the configuration page from the “event notification” option in the Accounts menu. The page allows users to define message options for the Site status, Site profile, and Library document update event message types, as appropriate to the account.

Configure PUSH event notification messages

Event message history

Oracle Site Select users who have a role with the API and Authentication Management permission can track the status of messages sent via event notification message integration.

The Event notification message history and status page displays when permissioned users select the "history and status" option from the account menu. Here users find a list of matching event messages sent outbound based on a specified date range, status, and type search criteria.

The sortable result list includes the message content and number of attempts for each message type. A modal displays additional message details when a user clicks a message row. Each row also includes a Resend or Retry action button. Both options re-queue the exact message to resend or retry based on any updated integration settings (URL, security, etc.). Once the user clicks to Resend or Retry the original message, the action button is disabled, and the table will list the newly queued message as a separate row upon page refresh.

Event message history page

Custom login button text

Customers can optionally specify text to replace the default "Log in required" button text in email notifications sent to sites. Users who have permission to access the Authentication and API Configuration page can specify up to 20 alphanumeric characters of custom button text. Special characters are also allowed, and Oracle Site Select will preserve text case. Rich Text is not supported.

Configure custom login button text for site email notifications

All site-facing email notifications that include an Oracle Site Select LITE login option will have the text for the login button specified by the setting on the Authentication and API configuration page. These emails include, but are not limited to:
  • Site welcome invitation
  • New site user email digest
  • CDA requires resubmission
  • CDA final approval

Support Link Configuration

Customers that prefer to provide their own support for their Oracle Site Select and Oracle Site Select LITE users can configure a custom support URL to display in the global navigation drop-down menu. A "Support link configuration" section on the Authentication and API configuration page allows a user to input a valid URL. When saved for the account, the "visit support" links in Oracle Site Select and Oracle Site Select LITE automatically redirect to the configured URL.

Note that the configured URL does not redirect for the following:
  • In both Oracle Site Select and Oracle Site Select LITE, the "support" link in the page footer
  • The error page returned when an SSO authentication issue occurs
  • The error returned when survey authorization for an account has expired

Visit support link in help drop-down list

Digital signature configuration

An Oracle Site Select user who has a role with API and Authentication Management permission will configure authentication on the account’s Authentication and API configuration page. Customers can use any contracted Adobe Sign account they wish by default, and user and permission management is the responsibility of the customer. Site users will be created in the Oracle Adobe Sign account.

To configure, the account administrator provides the customer’s proprietary account data for the following required fields:

  • Customer Adobe sign account URL
  • Application client ID
  • Application client secret

Digital signature configuration

When authenticated to Adobe Sign with the customer's account credentials, Adobe Sign creates signature transactions in the customer’s account. For example, in an Oracle Site Select environment configured with customer-provided account credentials, the customer can authenticate a user on a European Union (EU) server to activate digital signatures on the account, and signature transactions will be created in the customer’s EU Adobe Sign account.

In the customer-provided account credential model, customers have responsibility for Adobe Sign user and permission management. For example, an EU user should be granted transaction creation/management permissions in Adobe Sign. Note that site user signature accounts are created only in the Oracle Adobe Sign account.

Note:

Oracle Site Select creates a document sign transaction by specifying the email and name of the site user who will sign the document. If that site user needs to create an account, the site user will receive an email from Adobe Sign and Adobe Sign will manage the creation of the site user's account.

Survey vendor configuration

Oracle Site Select users who have permission to access the Authentication and API configuration page can configure Alchemer as the account's survey vendor. SurveyMonkey configuration will not be supported as of the 22.3 release; please do not enable SurveyMonkey as the vendor.

The user can enable account-level authorization for Alchemer, if preferred. This configuration provides flexibility for authorization of a single or multiple survey vendor accounts as follows:

  • Enabled – If the customer plans to use a single survey vendor account, with one Alchemer user managing feasibility survey creation and editing.
  • Disabled – If the customer plans to use separate survey vendor accounts per study for each feasibility survey manager, allowing each user to create, edit and manage their own surveys.

Oracle Site Select customers outside of the United States can authenticate with the Alchemer EU server if appropriate. The “Survey vendor selection and authentication” section of the Authentication and API configuration page displays the region selector when Alchemer is the selected survey vendor.

On the study Feasibility survey setup page, Oracle Site Select persists the chosen server region (e.g., EU) to the study level when Alchemer is the account survey vendor but account-level Alchemer authorization is not enabled. For example, when the account is configured to authenticate to the Alchemer EU region server, and the Oracle Site Select survey administrator visits the Feasibility survey page, the administrator must sign in to Alchemer to direct authentication to the Alchemer EU authentication page. All survey data for that study survey will reflect from the authenticated EU Alchemer account.

Survey vendor configuration showing Alchemer as vendor, EU as the region, and enabled account level authorization

Hide studies from view

When you have permission to access the Authentication and API configuration page, you can optionally turn on a setting to hide studies that are in Closed or Canceled status. When turned on, Closed and Cancelled studies aren't visible to Oracle Site Select users, so they don't need to take any action to remove them from their study list and myDashboard page.

The Study details page includes an optional "Study close message for site users" section where study managers can create a message to display in Oracle Site Select LITE. A message saved in that section displays in Select LITE when the study's status is Closed or Cancelled and the account level setting described above is on.