Single Sign-On Policy
This “Single Sign-On Policy” or “SSO Policy” sets forth the provisions applicable if Amadeus provides Customer with federated single sign-on capabilities (“FSSO”) for the Subscription Service. Capitalized terms used herein but not defined will have the meaning assigned to them in the governing agreement between Amadeus and Customer (“Agreement”). If there is any inconsistency between this SSO Policy and the Agreement, the Agreement will control.
PROVISIONS:
- Authentication Control. The FSSO will allow the Customer to internally control the authentication process to the Subscription Service. The Customer is fully responsible for determining which users need access to the Subscription Service application and the federation service (IdP) as Customer system administrators may access the Subscription Service to perform actions related to user management and role assignment.
- Information Exchange. Customer system administrators must collaborate with the Amadeus team designated by Amadeus to exchange necessary information (e.g., endpoints, public certificates, exchanged attributes, etc.) for setting up and configuring the federation service. This exchange must occur prior to the activation of the FSSO capabilities through secure channels outside of the Subscription Service application.
- User Authentication. Subject to Customer compliance with all its obligations included in this SSO Policy, Amadeus may delegate user authentication (credentials verification) to the Customer. Upon successful authentication, Amadeus may provide access to the Subscription Service.
- Customer Responsibilities.
a. Establishing, implementing, deploying, and overseeing rules, requirements, and procedures for provisioning, de-provisioning, distribution, selection, use, and safeguarding of identifying credentials (such as user IDs and passwords).
b. Verifying the identity of each user and their level of access authorization for each Service.
c. Utilizing at least ‘standard industry practices’ for password policies, user provisioning and de-provisioning.
d. Enforcing multi-factor authentication for sensitive user accounts.
e. Creating persistent, unique, and static user IDs.
For clarity, Amadeus will not authenticate users or verify their identity unless a user is FSSO exempt as dictated in writing by the Customer.
- Amadeus Responsibilities. Amadeus will: (i) provide Customer system administrators with user management features, including managing users not covered by the FSSO capabilities (if applicable) and managing application-level role assignment; and (ii) evaluate authorization rules and enforce access control to application resources.
- Technical Specifications. The FSSO capabilities utilize “Security Assertion Markup Language 2.0” (“SAML”) or OpenID Connect (“OIDC”). The Customer is solely responsible for procuring all necessary hardware and software to utilize the FSSO.
- FSSO Requirements.
a. SAML version: 2.0
b. SAML profile: Web Browser SSO Profile (SP-initiated); Amadeus will provide app-level logout.
c. Integration with identity providers supporting SAML 2.0 or OIDC, such as Okta or Azure Active Directory.
d. Digital signature for signing assertions.
e. Assertion exchange between Customer and Amadeus will use industry-accepted encryption for public networks.
f. Amadeus will provide information to be collected, transmitted, and validated as part of the assertion messages under the FSSO.
- Coordination. Amadeus and the Customer will coordinate in good faith the testing and implementation of the FSSO, including idle timeout, account linking, session management, global logout techniques, and end-user support processes.
- End-User Support. Customer end-user support will investigate and answer inquiries related to the FSSO. In the event of FSSO termination, Amadeus will cooperate with the Customer to convert the provision of continuing Services to Amadeus’s standard security authentication systems.
- Login Process. To log in to the web-based Subscription Service, users will enter their login credentials (username and password) over HTTPS. Depending on user roles and corporate settings, users might be challenged to enter a one-time-password (OTP). Credentials are never stored in the web browser; all subsequent calls rely on a short-lived token obtained at login time.
- Indemnification and Disclaimer. The Customer agrees to indemnify and hold harmless Amadeus from any claims, costs, losses, damages, or liabilities resulting from the utilization of the FSSO capabilities and/or any unauthorized access to or use of the FSSO systems or services. This obligation is not limited by any liability provisions in the Agreement. Amadeus disclaims any express, implied, or statutory representations or warranties, including implied warranties of merchantability, title, non-infringement, and fitness for a particular purpose regarding the FSSO.
Amadeus reserves the right to amend, alter, or modify the SSO Policy at any time. Amadeus may deliver notice of such updated SSO Policy to Customer via e-mail, the Subscription Services or as otherwise set forth in the Agreement. Customer’s continued access to and use of the Subscription Services following issuance of such updated SSO Policy shall constitute Customer’s acceptance thereof.