Integrate Imprivata Enterprise Access Management

Mobile Access Management’s Check Out feature requires customers to connect to a web service to handle the translation of badge IDs to user IDs.

This article describes how to integrate with Imprivata Enterprise Access Management (formerly Imprivata OneSign) for identity lookup. If you don’t have EAM, you may use a custom identity lookup service.

Prerequisites

Take note of the following prerequisites:

Imprivata enabled the Check Out feature for your organization.
You have met the prerequisites for the Check Out and Password AutoFill features, including appropriate Imprivata licensing.
You verified that Check Out is working with the built-in Mobile Access Management User Service.

Available Authentication Methods for MAM Device Check Out

MAM supports a variety of EAM authentication methods for device Check Out.

The integration of MAM and Enterprise Access Management supports the following primary and secondary factors for authentication.

For some first factors, you can allow a limited user choice for the second factor. For example, if proximity card is the first factor, you can allow network password as the second factor.
The authentication methods are configured in the Imprivata Admin Console in user policies.
The Authentication tab of a user policy controls the authentication methods and options (authentication rules) that define authentication behavior for Enterprise Access Management.
Some combinations of authentication factors are not supported by Mobile Access Management for device Check Out. The following table illustrates the EAM primary and secondary authentication method selections and the resulting Check Out behaviors in MAM.

Primary	Secondary	Check Out Behavior
Check Out is initiated by the user taking the device out of the Smart Hub
Password	No second factor	User taps unlock with password on the Imprivata Locker lock screen. User enters username and password. The device unlocks.
Face recognition	Password	User taps unlock with password on the Imprivata Locker lock screen. User enters username and password. Imprivata Locker prompts for face authentication. If the user's face is already enrolled, the user's facial biometric is successfully captured and the device unlocks. If the user's face is not enrolled, Imprivata Locker prompts the user to enroll their face and to consent to the biometric capture. The user's facial biometric is successfully captured and the device unlocks.
Check Out is initiated by the user tapping their proximity card on a Launchpad
Face recognition	Proximity card	User taps their proximity card on the Launchpad's proximity card reader. The device is selected. Imprivata Locker lights up the device's display screen. Imprivata Locker prompts for face authentication. If the user's face is already enrolled, the user's facial biometric is successfully captured and the device unlocks. If the user's face is not enrolled, Imprivata Locker prompts the user to enroll their face and to consent to the biometric capture. The user's facial biometric is successfully captured and the device unlocks.
Face recognition	Security Key or Imprivata PIN or Proximity Card	User taps their proximity card on the Launchpad's proximity card reader. The device is selected. Imprivata Locker lights up the device's display screen. Imprivata Locker prompts for face authentication. If the user's face is already enrolled, the user's facial biometric is successfully captured and the device unlocks. If the user's face is not enrolled, Imprivata Locker prompts the user to enroll their face and to consent to the biometric capture. The user's facial biometric is successfully captured and the device unlocks.
Proximity card	No second factor	User taps their proximity card on the Launchpad's proximity card reader The device is selected Imprivata Locker lights up the device's display screen. The device is unlocked
Proximity card	Password	User taps their proximity card on the Launchpad's proximity card reader The device is selected Imprivata Locker lights up the device's display screen.
Proximity Card	Imprivata PIN	User taps their proximity card on the Launchpad's proximity card reader The device is selected Imprivata Locker lights up the device's display screen.

‡ Facial recognition requires Imprivata appliances running the 25.2 or later software and the connection to the Imprivata Cloud Platform.

Configure Imprivata Enterprise Access Management

Step 1: Configure API Access to EAM

Configure API access to EAM using the Imprivata Admin Console.

To configure the API access:

Log into the Imprivata Admin Console and go to the gear icon > API Access.
Under ProveID – API access and security, select Allow full access via ProveID Web and ProveID Embedded.
Select the API access needed for the OS of your devices:
1. For iOS devices, select the Imprivata Mobile for iOS checkbox.
2. For Android devices, select the Imprivata Mobile for iOS and the Imprivata Mobile for Android checkboxes.
Click Save.

Step 2: Confirm the Computer Policy is Enabled for Proximity Card

Mobile Access Management organizations with Check Out using EAM as the Identity provider create a host (computer) in EAM for every Launchpad registered. That computer in EAM gets a computer policy which must have a proximity card enabled to be able to perform a checkout with a badge tap.

Confirm that there is no override in the computer policy that the Launchpads are assigned to.
Confirm that the user policies your mobile users are assigned to allow proximity cards as a primary factor.

If both of the above conditions are true, no changes are needed. However, if an override is already enabled within the computer policy the Launchpads are in, ensure that Proximity Card is allowed in the override. If this is not possible or allowed for your organization, Imprivata suggests moving the Launchpads into a separate computer policy.

If you’ve performed the validations above, and computer policy changes are indeed needed for your environment, follow these steps. Otherwise, skip to the Mobile Access Management Setup section.

In the Imprivata Admin Console, go to Computers > Computer policies and select the computer policy your Launchpad is using.
In Override and Restrict tab > Desktop Access Authentication Restrictions section, make sure that the option for Proximity Card is selected.

Step 3: Configure Second Factor Grace Periods

Depending on the authentication methods defined in the user policy and computer policy, ensure that you have configured the appropriate grace periods for the second authentication factor.

For example, when using proximity cards as the second authentication factor, you can set a grace period for the second authentication factor after successful authentication, up to 24 hours 59 minutes.

The settings are available in the Authentication method options section of the Authentication tab of the Imprivata Admin Console.

Configure Mobile Access Management

Step 1: Configure Check Out and Identity Provider

In the MAM console, configure the integration with Imprivata Enterprise Access Management (formerly OneSign):

In Admin > Check Out, select Imprivata Enterprise Access Management from the Identity Provider list and click Configure.
In the dialog, add the hostname of your Imprivata appliance.
NOTE: Use the FQDN when specifying the Imprivata appliance hostname. DNS names ending in ‘.local’ are not supported.
If your organization uses a root certificate authority, upload that CA certificate to this dialog, in PEM, CER, CRT, or DER format. Otherwise leave Disable SSL checks selected. Click Save.
Restart any Launchpads as prompted.
To test this configuration, in the MAM console, click the Launchpads tab, then open one of your Launchpads. In Launchpad Actions, select Test Identity Web Service.

About Certificates

Certificates are not required for Check Out or Password AutoFill workflows. But if your organization would like to enable SSL trust certificates, these requirements must be met:

Per Apple’s trust certificate requirements, certificates must have a validity period of 825 days or fewer. If the certificate applied to EAM has a longer validity, it will be need to be updated at the Imprivata appliance level first.
After that change has been made, follow the instructions below to obtain root certificate for use in Mobile Access Management.
See EAM’s documentation on how to update certificates on the Imprivata appliance.
Mobile Access Management requires a root certificate (self signed or issued by a CA authority).
1. Use any web browser to download the root certificate from the appliance. Make sure you are downloading the Root certificate, not the certificate installed on the Imprivata appliance.
2. Upload this certificate this certificate to Mobile Access Management.

Step 2: Configure the Authentication Methods

Configure settings in the Available Authentication Methods section.

Allow New Badge and Imprivata PIN Enrollments to EAM

Mobile Access Management allows new badge enrollments and Imprivata PIN enrollments during checkout. This is useful when users have a new or replacement badge that is not already enrolled in EAM.

Applies to iOS and Android devices.

Requires Imprivata Locker iOS 3.12 (and later) or Locker Android 1.3 (and later) on the devices.

In Admin > Check Out > Available Authentication Methods section, select Proximity Badges.
To allow new enrollments to EAM from the Locker app, switch the Allow users to enroll new badges to Enterprise Access Management from Locker app setting to ON.
NOTE: This setting is only available when EAM is set as the Identity Provider (IdP), and is not supported for other custom web services. You do not need to enable check out via network username and password for badge enrollment to work.
When prompted, restart the Launchpads.

Require a Second Factor to Unlock the Device

This setting is displayed when the Password AutoFill setting is switched to ON.

This setting controls whether users must provide a second factor in the Locker app during checkout to unlock the device.

When the setting is switched to OFF, the user is not prompted to provide a second factor authentication method during device checkout.
When the setting is switched to ON, the user must complete the second factor authentication before Locker will unlock the device during checkout.

Check Out with Username and Password

Mobile Access Management also allows checking out using a username and password as an additional authentication method. This is useful when users forget to bring their badges to work.

BEST PRACTICE: Imprivata recommends selecting Network Username and Password as an available authentication method.

In Admin > Check Out > Available Authentication Methods, select Network Username and Password.
Some organizations use special terms for username, such as “Network ID”, “Net ID”, or similar. You may customize the terms you use by editing the Username Label and Password Label fields.
When enabled, the Locker app lock screen adds a button for users to type their network username and password to unlock the device.
For EAM enterprises configured with multiple domains, the user selects their correct domain from a list box of domains.
On successful checkout, Mobile Access Management can automate a Workflow. The automation must use the trigger Unlocked via Network Username and Password, and the Workflow use the Over the Air Workflow model.

Next: Configure Password AutoFill

Integrate Imprivata Enterprise Access Management

Prerequisites

Available Authentication Methods for MAM Device Check Out

Configure Imprivata Enterprise Access Management

Configure Mobile Access Management

About Certificates

Allow New Badge and Imprivata PIN Enrollments to EAM

Require a Second Factor to Unlock the Device

Check Out with Username and Password

About

Resources

Contact

Search