Login Behavior

The Imprivata Application Profile Generator (Imprivata APG) and Single Sign-On (SSO) feature lets your enterprise identify authentication-related screens within third-party applications. EAM logs into those applications based on the user's EAM desktop session. The application logins are based on credentials of that desktop session's user.

The APG now extends EAM Clinical Workflows to Windows application authentication within the APG workflow.

The screens can be an initial application login screen, or re-authentication screens within the application (for additional authentication before sensitive actions).

For complete details of profiling applications for SSO, see Preparing to Create Application Profiles.

Requirements

  • The authentication will prompt the same user as the desktop session (a re-authentication).

  • The application must be a Windows application using the default APG learning method (WinProbe).

  • Applications not supported:

    • Browser apps

    • UIA learning (ALT key when learning)

    • GDI learning (Shift key when learning)

    • Host-based (terminal emulator)

    • Java

    • MDI screens (Control key when learning)

  • The application must share credentials with the domain.

  • Your enterprise must have an Imprivata Enterprise Access Management Clinical Workflows license.

  • The administrator using APG to set up this feature does not need an individual Clinical Workflow license to configure the page, but does need a Clinical Workflow license to use APG Test Mode to test the feature.

  • Users must be licensed for Clinical Workflows.

Configure Clinical Workflows

Configure the clinical workflows required for your application profile.

  1. In the Imprivata Admin Console, go to Users > Workflow policy.

  2. In the section Clinical workflows, select the authentication methods required.

  3. Associate user policies with the clinical workflow.

  4. Click Save.

For complete details, see Clinical Workflows.

Configure Login Behavior

Create a new application profile, or edit an existing profile.

  1. In the Imprivata Admin Console, go to Applications > Single-sign on application profiles.

  2. Go to Add App Profile > Windows application using APG, or select a profile to edit.

  3. Go to Login > Login Behavior, and choose how users log in with this screen:

    • Use E-prescribe non-controlled substances policy settings

    • Use Different user authentication policy settings

    • Use User verification (regulated) policy settings

    • Use User verification (non-regulated) policy settings

    • Single sign-on is the default behavior (EAM logs into the application based on the user's EAM desktop session).

  4. If one of the Clinical Workflows is selected, you can also customize the caption. "Confirm your identity" is the default.

Proxy Once

If one of the Clinical Workflows is selected, the option to proxy credentials after the first login is disabled.

Best Practice — Automatic Submit

When entering username and password, the best practice is to automatically submit the credentials after the EAM MFA authentication is done. This prevents a user from changing the credentials manually, which would defeat the purpose of the application profile.

Enable automatic submit: in the application profile > When entering username and password, should this form be automatically submitted? Select Yes.

Optional — Customized Keystrokes and Mouse Clicks

Alternatively, the admin can select No to use customized keystrokes and mouse clicks. See Advanced Credential Proxy Techniques.

Sharing Credentials

In the APG profile > Credentials, select This application shares credentials and with the domain only.

API Access

  1. API Access — in the Imprivata Admin Console, go to the gear icon > API access. In the section Confirm ID - API access and security, select one of the following:

    • Allow restricted API access via Confirm ID — The minimum level required for this feature.

    • Allow full API access via Confirm ID — Less secure option; select it only if this access is required for other reasons.

  2. Click Save.

Enroll Authentication Methods

Before deploying the application profile, ensure all users in your user policy have enrolled any required authentication methods. The Imprivata enrollment utility is available by clicking the Imprivata icon in the Microsoft Windows notification area and then clicking Enroll Authentication Methods.

Deploy the Application Profile

After you complete your application profile, deploy it to the Imprivata agents in your enterprise. For custom or default deployment options, see Deploying Application Profiles.