Mobile EPCS - Secure Connection To Imprivata Cloud Platform
Set up your connection to the Imprivata Cloud Platform for Mobile EPCS face recognition:
- Configure a connection to the Imprivata Cloud Platform.
- Configure administrator access to the Imprivata Access Management portal.
Before You Begin
Before you begin:
- Determine if a connection to the Imprivata Cloud Platform has already been configured by logging into the Imprivata Admin Console. The status of the connection is available in the Status panel on the right-hand side. A green check mark for Access Management integration indicates a connection has been configured.
- If you need to configure the connection, contact Imprivata Services. Imprivata Services will create an Imprivata Cloud Platform tenant for your enterprise, and send a Welcome email with a link to the Imprivata Access Management setup. Click the link in the email and follow the wizard to configure the connection.
Configure the Connection to the Imprivata Cloud Platform
Enabling user consent for Mobile EPCS face recognition requires that you configure a connection to the Imprivata Cloud Platform. You can use either of the following methods to configure the connection.
If you have already configured a connection to the Imprivata Cloud Platform, you can skip this step.
Complete the following steps to use the Imprivata Access Management setup to configure the connection. To complete the configuration, you need the following:
- Access to the Imprivata Appliance Console.
- Access to the Imprivata Admin Console.
- Optional: a PNG, JPG, or GIF of your organization logo (200 x 100 pixels or smaller, max 100KB).
Add the Required Hosts to Your Firewall Allowlist
Ensure that your firewall policy is configured to allow communication between the Imprivata appliances and the production Imprivata Cloud Platform.
Add the following hosts to your firewall allowlist:
- <tenantID>.sys.imprivata.com
- astra.sys.imprivata.com
- access.imprivata.com
- metadata.app.imprivata.com
- file-access.app.imprivata.com
- idp.app.imprivata.com
For non-US regions, replace the .com with the appropriate domain suffix for your region, for example, *.sys.imprivata.eu.
Start the Imprivata Cloud Connect Service
By default, the Imprivata Cloud Connect service is disabled. You must enable the service before configuring the connection to the Imprivata Cloud Platform.
To start the service:
- In the Imprivata Appliance Console, go to System > Operations.
- Locate Imprivata Cloud Connect, and click Stop/restart options.
- Select Restart Imprivata Cloud Connect on all appliances, and click Go.
Copy your Enterprise Integration ID
Using the Imprivata Admin Console, copy your enterprise integration ID. You require this value to use the Imprivata Cloud Tenant Setup wizard to create an integration token.
To copy your integration ID:
- In the Imprivata Admin Console, click the gear icon > Imprivata Access Management integrations.
  NOTE: A status message of "Unable to verify integration. Unable to connect to Imprivata Access Management" is expected.
- Copy the enterprise integration ID to your clipboard.
- Do not log out. You finish configuring the connection here after using the Imprivata Cloud Tenant Setup wizard to create the integration token.
For more information on starting the Imprivata Cloud Connect service, see Stop and Restart This Connection.
Create the Integration Token
Using the Imprivata Access Management setup, enter your enterprise integration ID to create an integration token. This token is required to finish configuring the connection in the Imprivata Admin Console.
To create the integration token:
- Open the Imprivata Access Management setup.
- If you have not already, agree to the Cloud Features Agreement and enter information about your organization.
- Go to the Connect to Enterprise Access Management screen, and paste the integration ID into Enterprise integration ID.
- Click Create integration token and copy it.
- Return to the Imprivata Admin Console to finish configuring the connection.
Complete the Connection
Using the Imprivata Admin Console, finish configuring the connection to the Imprivata Cloud Platform using the integration token you created.
To finish the configuration:
- In the Imprivata Admin Console, click the gear icon > Imprivata Access Management integrations.
- Paste the integration token, and click Integrate.
- Select Administrator console single sign-on using SAML.
  This setting is required to enable SSO access to your administrator consoles in the Imprivata Access Management portal.
If you have previously configured an identity provider (IdP) for access to the Imprivata Access Management portal (access.imprivata.com), you can create an integration token from the Imprivata Access Management portal instead of having to use the Imprivata Cloud Platform Tenant Setup wizard. To complete the configuration, you need the following:
- Access to the Imprivata Admin Console.
- Access to the Imprivata Access Management portal.
Add the Required Hosts to Your Firewall Allowlist
Ensure that your firewall policy is configured to allow communication between the Imprivata appliances and the production Imprivata Cloud Platform.
Add the following hosts to your firewall allowlist:
- <tenantID>.sys.imprivata.com
- astra.sys.imprivata.com
- access.imprivata.com
- metadata.app.imprivata.com
- file-access.app.imprivata.com
- idp.app.imprivata.com
For non-US regions, replace the .com with the appropriate domain suffix for your region, for example, *.sys.imprivata.eu.
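The allowlist above (both methods use the same hosts) can be verified from the appliance network before running the setup. The following is an added example and not Imprivata's code: it builds the host list for a tenant ID and region suffix and attempts a verified TLS handshake to each host on port 443; the tenant ID "acme" is a constructed placeholder.

```python
# Added example, not Imprivata's code: builds the allowlist from this page for one
# tenant and region and probes each host with a TLS handshake on 443 from the
# appliance network, so a blocked host shows up before the wizard fails. The tenant
# ID "acme" is a constructed placeholder; "com" is the US suffix, e.g. "eu" elsewhere.
import socket
import ssl

# Host names from the page, with the tenant ID and region suffix as placeholders.
HOST_TEMPLATES = [
    "{tenant}.sys.imprivata.{suffix}",
    "astra.sys.imprivata.{suffix}",
    "access.imprivata.{suffix}",
    "metadata.app.imprivata.{suffix}",
    "file-access.app.imprivata.{suffix}",
    "idp.app.imprivata.{suffix}",
]


def required_hosts(tenant_id: str, suffix: str = "com") -> list[str]:
    """Return the hosts to allowlist for one tenant; suffix may be given as 'eu' or '.eu'."""
    if not tenant_id or "." in tenant_id:
        raise ValueError("tenant ID must be a single DNS label")
    return [t.format(tenant=tenant_id, suffix=suffix.lstrip(".")) for t in HOST_TEMPLATES]


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> tuple[bool, str]:
    """Resolve the host and complete a verified TLS handshake; returns (ok, detail).

    A failure usually means the firewall blocks egress or DNS is not resolvable from
    the appliance network; a certificate error points at TLS inspection in the path.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} handshake OK"
    except OSError as exc:  # ssl.SSLError is an OSError subclass, so it is caught here too
        return False, str(exc)


def check_allowlist(tenant_id: str, suffix: str = "com") -> dict[str, tuple[bool, str]]:
    """Probe every required host and return {host: (ok, detail)}."""
    return {h: probe_tls(h) for h in required_hosts(tenant_id, suffix)}


if __name__ == "__main__":
    for host, (ok, detail) in check_allowlist("acme").items():
        print(f"{'PASS' if ok else 'FAIL'} {host}: {detail}")
```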
Start the Imprivata Cloud Connect Service
By default, the Imprivata Cloud Connect service is disabled. You must enable the service before configuring the connection to the Imprivata Cloud Platform.
To start the service:
- In the Imprivata Appliance Console, go to System > Operations.
- Locate Imprivata Cloud Connect, and click Stop/restart options.
- Select Restart Imprivata Cloud Connect on all appliances, and click Go.
Copy your Enterprise Integration ID
Using the Imprivata Admin Console, copy your enterprise integration ID. You require this value to use the Imprivata Access Management portal to create an integration token.
To copy your integration ID:
- In the Imprivata Admin Console, click the gear icon > Imprivata Access Management integrations.
  NOTE: A status message of "Unable to verify integration. Unable to connect to Imprivata Access Management" is expected.
- Copy the enterprise integration ID to your clipboard.
- Do not log out. You finish configuring the connection here after using the Imprivata Access Management portal to create the integration token.
Create the Integration Token
Using the Imprivata Access Management portal, enter your enterprise integration ID to create an integration token. This token is required to finish configuring the connection in the Imprivata Admin Console.
To create the integration token:
- Log into the Imprivata Access Management portal.
- Click the gear icon. Navigate to Integrations.
- Under Enterprise Access Management integration, paste the integration ID into Enterprise integration ID.
- Click Create integration token and copy it.
- Return to the Imprivata Admin Console to finish configuring the connection.
Complete the Connection
Using the Imprivata Admin Console, finish configuring the connection to the Imprivata Cloud Platform using the integration token you created.
To finish the configuration:
- In the Imprivata Admin Console, click the gear icon > Imprivata Access Management integrations.
- Paste the integration token, and click Integrate.
- Select Administrator console single sign-on using SAML.
  This setting is required to enable SSO access to your administrator consoles in the Imprivata Access Management portal.
Configure Administrator Access to the Imprivata Access Management Portal
Configure administrator access to the Imprivata Access Management portal to enable your Imprivata Cloud Platform tenant. Configuring administrator access requires that you configure an IdP for user authentication.
You can configure:
- Imprivata to function as an internal IdP.
  - Doing so creates a tenant-specific identity directory with a local administrator, which provides quick access to the Imprivata Access Management portal without the need for an external IdP.
  - After configuring Imprivata as the IdP, you can configure an external IdP at any time.
- Any external third-party IdP. For example, Microsoft Entra ID.
To configure Imprivata Directory:
- Open the Imprivata Access Management setup.
- Agree to the Cloud Features Agreement and enter information about your organization.
- Skip to the Imprivata Identity Provider Connect screen.
- Enter a domain for the Imprivata Directory.
  NOTE: The domain name must be unique and cannot be reused across multiple tenants.
- Enter a username and password for the initial administrator, and note the complete Imprivata username, which includes the Imprivata Directory domain.
  You require the complete username to log in to the Imprivata Access Management portal.
- Skip to the You're ready to go screen, and click the link to log in to the Imprivata Access Management portal.
You can configure Entra ID as an IdP to authenticate users to the Imprivata Access Management portal. You require access to the following to complete the configuration:
- The Imprivata Access Management setup.
- The Microsoft Entra Admin center.
Save the Imprivata Service Provider Metadata
Use the Imprivata Access Management setup to create the Imprivata SP metadata file. You require this file when configuring the Entra ID enterprise application.
To create the metadata file:
- Open the Imprivata Access Management setup.
- Agree to the Cloud Features Agreement and enter information about your organization.
- Skip to the Identity Provider Connect screen.
- Copy the Imprivata SP metadata URL, paste it into a new browser tab, and save the page as an XML file.
  Do not close the setup. You finish configuring the connection here after you configure the enterprise application.
Configure the Entra ID App
An Entra ID enterprise application is required to allow SAML-based SSO to the Imprivata Access Management portal.
To configure the enterprise application:
- From the Azure portal, go to Microsoft Entra ID.
- Click Manage > Enterprise Applications > New application.
- Click Create your own application.
- Enter a name for the application, select Integrate any other application you don't find in the gallery, and then click Create.
- From the Overview page, click Assign users and groups, and then add the Imprivata admin user group.
- Go to the Overview page, click Set up single sign-on, and then select SAML.
- Click Upload metadata file, and upload the Imprivata SP metadata file you created previously.
- Under Basic SAML Configuration, click Edit, and enter the following Sign on URL: https://access.imprivata.com
- Save the settings.
Copy and Save Entra App Values
Copy and save required federation and group attribute values from the enterprise application. You will use these values to complete the SAML configuration and specify the Imprivata admin group.
To locate the required values:
- Go to SAML certificates, and copy the App Federation Metadata URL.
- Under Attributes & Claims, click Edit, and copy the claim name for the user groups value.
  Example: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
  NOTE: If the user group claim does not exist, create it. When creating it, select Groups assigned to the application and use Group ID as the source attribute.
- Return to the Microsoft Entra ID Overview page.
- Click Manage > Groups > All groups.
- Locate the admin group and copy its object ID.
Return to the Imprivata Access Management setup to finish the configuration.
Use the Entra App Values to Finish the Configuration
With the federation and group attribute values you had previously saved, use the Imprivata Access Management setup to finish the SAML configuration and specify the Imprivata admin group.
To finish the configuration:
- Open the Imprivata Access Management setup, and return to the Identity Provider Connect screen.
- Enter your organization's domain and a user-friendly display name.
- Enter the SAML IdP metadata URL from the enterprise application, and click Continue.
- Enter the user group claim name into SAML attribute name.
- Enter the object ID of the admin group into SAML attribute value, and click Continue.
  If you are specifying multiple admin groups, the object IDs must be comma-separated.
- Click access.imprivata.com to log in to the Imprivata Access Management portal.
Specifying a metadata URL allows for easier maintenance. The system automatically polls the URL at regular intervals.
This ensures that your IdP configuration stays up to date with the latest metadata, such as certificate changes.
If you upload a metadata file instead, the system does not update it automatically. From the Imprivata Access Management portal, you must edit the configuration to replace the file manually or switch to a URL.
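What a poll of the metadata URL actually has to notice is a change in the IdP signing certificate. The following is an added example, not Imprivata's or Microsoft's code: it parses SAML IdP metadata, fingerprints the signing certificates, reads validUntil, and diffs two snapshots; the metadata it builds is a constructed, simplified sample with a placeholder certificate blob, and https://idp.example.com/ is an assumed IdP.

```python
# Added example, not Imprivata's or Microsoft's code: the checks a metadata poll should
# make. It records the IdP signing certificates and validUntil and diffs two polls so a
# certificate rotation is noticed. The sample metadata below is constructed.
import base64
import hashlib
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityID, validUntil and SHA-256 fingerprints of the IdP signing certificates."""
    root = ET.fromstring(xml_text)
    fingerprints = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # drop PEM-style line wrapping
            fingerprints.append(hashlib.sha256(der).hexdigest())
    vu = root.get("validUntil")
    return {"entity_id": root.get("entityID"),
            "valid_until": datetime.fromisoformat(vu.replace("Z", "+00:00")) if vu else None,
            "signing_fingerprints": sorted(fingerprints)}

def diff_snapshots(old: dict, new: dict) -> list[str]:
    """Changes between two polls of the same metadata URL, as plain strings."""
    changes = []
    if old["entity_id"] != new["entity_id"]:
        changes.append(f"entityID changed: {old['entity_id']} -> {new['entity_id']}")
    for fp in sorted(set(new["signing_fingerprints"]) - set(old["signing_fingerprints"])):
        changes.append(f"new signing certificate sha256={fp}")
    for fp in sorted(set(old["signing_fingerprints"]) - set(new["signing_fingerprints"])):
        changes.append(f"signing certificate retired sha256={fp}")
    return changes

def sample_metadata(cert_blob: bytes, valid_until: str) -> str:
    """Constructed, simplified metadata; cert_blob stands in for DER and is not a real certificate."""
    b64 = base64.b64encode(cert_blob).decode()
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="https://idp.example.com/" validUntil="{valid_until}">'
            '<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            '</md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>')

if __name__ == "__main__":
    old = parse_idp_metadata(sample_metadata(b"cert-A", "2026-01-01T00:00:00Z"))
    new = parse_idp_metadata(sample_metadata(b"cert-B", "2027-01-01T00:00:00Z"))
    print(diff_snapshots(old, new))  # one "new" line and one "retired" line
```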
The following are generic steps to configure any external third-party IdP to authenticate users to the Imprivata Access Management portal. For example, these steps apply to Ping Identity and Okta.
To configure your IdP:
- Open the Imprivata Cloud Tenant Setup wizard.
- If you have not already, agree to the Cloud Features Agreement and enter information about your organization.
- Go to the Identity Provider Connect screen.
- Copy the Imprivata SP metadata URL and provide it to your IdP. When configuring the IdP's application:
  - Specify https://access.imprivata.com for the single sign-on URL.
  - Recommended: configure email address as the NameID format for user identity.
  - Recommended: configure Group ID (rather than group name) as the source attribute for group claims.
- Enter the SAML IdP metadata URL, and click Continue.
- Enter the SAML name/value pair that identifies users with administrative access, and click Continue.
- Click Go to Access URL: access.imprivata.com to test the authentication workflow to access Imprivata Access Management.
Stop and Restart This Connection
You can stop and restart this connection for the whole enterprise from any Imprivata Appliance Console, or on an appliance-by-appliance basis. The two statuses for the connection are Running or Disabled (stopped).
- In the Imprivata Appliance Console, go to System > Operations > Imprivata Cloud Connect.
- Imprivata Cloud Connect status is either Running or Disabled (stopped).
- Select Stop/restart options.
- Select from:
  - Stop Imprivata Cloud Connect on this appliance
  - Restart Imprivata Cloud Connect on this appliance
  - Stop Imprivata Cloud Connect on all appliances
  - Restart Imprivata Cloud Connect on all appliances
  NOTE: In this context, "Restart" means "start this stopped connection" and also "restart this connection that is already running".
- Click Go.