Face Recognition Authentication
Imprivata Enterprise Access Management supports Face recognition authentication for Desktop Access on Type 1 Imprivata agent endpoints.
Enabling Face recognition authentication requires that you:
- Configure a connection to the Imprivata Cloud Platform.
- Configure an identity provider (IdP) to authenticate users to the Imprivata Access Management portal.
- Configure Entra ID and sync your users with the Imprivata Cloud Platform.
- Configure a user policy to enable Face recognition.
Requirements
- Face recognition authentication requires an Authentication Management license and a Confirm ID for Remote Access license.
- Users in a policy enabled for facial biometrics must be synced from Active Directory (AD) to Entra ID.
- The endpoint computers can be either AD-only or hybrid joined AD/Entra ID.
- The cloud must be synced from AD to Entra ID with Entra Connect.
- Each user in scope for the Face recognition workflow must exist within Entra ID, and each user must also be allocated a Microsoft Entra ID license P1 or higher.
- Internet access is required for face recognition authentication. If the endpoint cannot connect to your Imprivata Cloud Platform, an error message appears during authentication. A connection between the endpoint and your Imprivata appliance is not required.
- A 1080p camera must be installed and enabled at the endpoint computer. Modern cameras capable of handling Zoom video conferencing are sufficient.
Configure the Connection to the Imprivata Cloud Platform
Enabling Face recognition requires a connection to the Imprivata Cloud Platform. You need the following to complete the configuration:
- Access to the Imprivata Appliance Console.
- Access to the Imprivata Admin Console.
- Optional: a PNG, JPG, or GIF of your organization logo (200 x 100 pixels or smaller, max 100KB).
If you have already configured a connection to the Imprivata Cloud Platform, you can skip this step.
You can use either of the following methods to configure the connection.

Before you begin:
- Determine if a connection to the Imprivata Cloud Platform has already been configured by logging into the Imprivata Admin Console. The status of the connection is available in the Status panel on the right-hand side. A green check mark for Access Management integration indicates a connection has been configured.
- If you need to configure the connection, contact Imprivata Services. Imprivata Services will create an Imprivata Cloud Platform tenant for your enterprise, and send a Welcome email with a link to the Imprivata Access Management setup. Click the link in the email and follow the wizard to configure the connection.

Complete the following steps to use the Imprivata Access Management setup to configure the connection. To complete the configuration, you need the following:
- Access to the Imprivata Appliance Console.
- Access to the Imprivata Admin Console.
- Optional: a PNG, JPG, or GIF of your organization logo (200 x 100 pixels or smaller, max 100KB).
Start the Imprivata Cloud Connect Service
By default, the Imprivata Cloud Connect service is disabled. You must enable the service before configuring the connection to the Imprivata Cloud Platform.
To start the service:
- In the Imprivata Appliance Console, go to System > Operations.
- Locate Imprivata Cloud Connect, and click Stop/restart options.
- Select Restart Imprivata Cloud Connect on all appliances, and click Go.
Copy your Enterprise Integration ID
Using the Imprivata Admin Console, copy your enterprise integration ID. You require this value to use the Imprivata Cloud Tenant Setup wizard to create an integration token.
To copy your integration ID:
- In the Imprivata Admin Console, click the gear icon > Imprivata Access Management integrations.
  NOTE: A status message of Unable to verify integration. Unable to connect to Imprivata Access Management is expected at this point.
- Copy the enterprise integration ID to your clipboard.
- Do not log out. You finish configuring the connection here after using the Imprivata Cloud Tenant Setup wizard to create the integration token.
For more information on starting the Imprivata Cloud Connect service, see Stop and Restart an Imprivata Cloud Platform Connection.
Create the Integration Token
Using the Imprivata Access Management setup, enter your enterprise integration ID to create an integration token. This token is required to finish configuring the connection in the Imprivata Admin Console.
To create the integration token:
- Open the Imprivata Access Management setup.
- If you have not already, agree to the Data Processing Addendum and enter information about your organization.
- Go to the Connect to Enterprise Access Management screen, and paste the integration ID into Enterprise integration ID.
- Click Create integration token and copy it.
- Return to the Imprivata Admin Console to finish configuring the connection.
Complete the Connection
Using the Imprivata Admin Console, finish configuring the connection to the Imprivata Cloud Platform using the integration token you created.
To complete the connection:
- In the Imprivata Admin Console, click the gear icon > Imprivata Access Management integrations.
- Paste the integration token, and click Integrate.

If you have previously configured an identity provider (IdP) for access to the Imprivata Access Management portal (access.imprivata.com), you can create an integration token from the Imprivata Access Management portal instead of having to use the Imprivata Cloud Platform Tenant Setup wizard. To complete the configuration, you need the following:
- Access to the Imprivata Admin Console.
- Access to the Imprivata Access Management portal.
Start the Imprivata Cloud Connect Service
By default, the Imprivata Cloud Connect service is disabled. You must enable the service before configuring the connection to the Imprivata Cloud Platform.
To start the service:
- In the Imprivata Appliance Console, go to System > Operations.
- Locate Imprivata Cloud Connect, and click Stop/restart options.
- Select Restart Imprivata Cloud Connect on all appliances, and click Go.
Copy your Enterprise Integration ID
Using the Imprivata Admin Console, copy your enterprise integration ID. You require this value to use the Imprivata Access Management portal to create an integration token.
To copy your integration ID:
- In the Imprivata Admin Console, click the gear icon > Imprivata Access Management integrations.
  NOTE: A status message of Unable to verify integration. Unable to connect to Imprivata Access Management is expected at this point.
- Copy the enterprise integration ID to your clipboard.
- Do not log out. You finish configuring the connection here after using the Imprivata Access Management portal to create the integration token.
Create the Integration Token
Using the Imprivata Access Management portal, enter your enterprise integration ID to create an integration token. This token is required to finish configuring the connection in the Imprivata Admin Console.
To create the integration token:
- Log into the Imprivata Access Management portal.
- Click the gear icon. Under Configuration, click Integrations.
- Under Enterprise Access Management integration, paste the integration ID into Enterprise integration ID.
- Click Create integration token and copy it.
- Return to the Imprivata Admin Console to finish configuring the connection.
Complete the Connection
Using the Imprivata Admin Console, finish configuring the connection to the Imprivata Cloud Platform using the integration token you created.
To complete the connection:
- In the Imprivata Admin Console, click the gear icon > Imprivata Access Management integrations.
- Paste the integration token, and click Integrate.
Configure Administrator Access to the Imprivata Access Management Portal
Configuring an IdP is required to authenticate administrators to the Imprivata Access Management portal. You need access to the Imprivata Access Management portal to synchronize your Entra ID users with the Imprivata Cloud Platform.
You can configure:
- Imprivata to function as an internal IdP.
  - Doing so creates a tenant-specific identity directory with a local administrator, which provides quick access to the Imprivata Access Management portal without the need for an external IdP.
  - After configuring Imprivata as the IdP, you can configure an external IdP at any time.
- Any external third-party IdP. For example, Microsoft Entra ID.
If you have already configured access to the Imprivata Access Management Console, you can skip this step.

To configure Imprivata as the IdP:
- Open the Imprivata Access Management setup.
- If you have not already, agree to the Data Processing Addendum and enter information about your organization.
- Go to the Imprivata Identity Provider Connect screen.
- Enter a subdomain name. For example, the name of your organization.
- Enter the credentials for the local administrator, and click Continue.
- Skip the remaining screens. Click Go to Access URL: access.imprivata.com to test the authentication workflow to access Imprivata Access Management.

You can configure Entra ID as an IdP to authenticate users to the Imprivata Access Management portal. You require access to the following to complete the configuration:
- The Imprivata Access Management setup.
- The Microsoft Entra admin center.
Save the Imprivata Service Provider Metadata
Using the Imprivata Access Management setup, copy the Imprivata SP metadata URL. You use this URL to save the metadata as an XML file, which you upload to your Entra app.
To save the metadata URL as an XML file:
- Open the Imprivata Access Management setup.
- If you have not already, agree to the Data Processing Addendum and enter information about your organization.
- Go to the Identity Provider Connect screen.
- Copy the Imprivata SP metadata URL, paste it into a new browser tab, and save the page as an XML file.
- Do not close the wizard. You finish configuring the connection here after you configure your Entra app.
Configure the Entra ID App
Using the Microsoft Entra admin center, configure the Entra ID app to support authentication into the Imprivata Access Management portal.
To configure the Entra app:
- In the Microsoft Entra admin center, click Microsoft Entra ID > Manage > Enterprise Applications > New application.
- Click Create your own application.
- Enter a display name for the application, select Integrate any other application you don't find in the gallery, and then click Create.
- Go to Overview > Assign users and groups, and add the users/groups who require administrative access to the Imprivata Access Management portal.
- Click Set up single sign-on, and select SAML as the single sign-on method.
- Click Upload metadata file and upload the Imprivata SP metadata file you created previously.
- Under Basic SAML Configuration, click Edit, specify https://access.imprivata.com for the single sign-on URL, and then click Save and Close.
Use the Entra App Values to Finish the Configuration
Using the Imprivata Access Management setup, finish configuring Entra ID as an IdP using the Entra app values saved previously.
To finish the configuration:
- Open the Imprivata Access Management setup, and go to the Identity Provider Connect screen.
- Enter the SAML IdP metadata URL of the Entra app, and click Continue.
- Paste the administrator group's claim name into SAML attribute name.
- Paste the administrator group's Object ID into SAML attribute value, and click Continue.
- Click Go to Access URL: access.imprivata.com to test the authentication workflow to access the Imprivata Access Management portal.

The following are generic steps to configure any external third-party IdP to authenticate users to the Imprivata Access Management portal. For example, these steps apply to Ping Identity and Okta.
To configure your IdP:
- Open the Imprivata Cloud Tenant Setup wizard.
- If you have not already, agree to the Data Processing Addendum and enter information about your organization.
- Go to the Identity Provider Connect screen.
- Copy the Imprivata SP metadata URL and provide it to your IdP. When configuring the IdP's application:
  - Specify https://access.imprivata.com for the single sign-on URL.
  - Recommended: configure email address as the NameID format for user identity.
  - Recommended: configure Group ID (rather than group name) as the source attribute for group claims.
- Enter the SAML IdP metadata URL, and click Continue.
- Enter the SAML name/value pair that identifies users with administrative access, and click Continue.
- Click Go to Access URL: access.imprivata.com to test the authentication workflow to access Imprivata Access Management.
Configure Entra ID and sync your users with the Imprivata Cloud Platform
Additional Entra ID configuration is required to enable Face recognition. Complete the following steps.

From the Microsoft Entra admin center, add the trusted Imprivata IP addresses.
To add the IP addresses:
- Go to Microsoft Entra ID > Manage > Security, and select Manage > Named locations.
- Select IP ranges location.
- Enter a name for the new location ("Imprivata Cloud", for example) and select Mark as trusted location.
- Go to the Imprivata Identity Provider Connect screen.
- Add the following IP addresses:
  - 44.207.16.175/32
  - 44.196.189.191/32
  - 34.195.47.118/32
- Click Save.

If you use "per-user" multifactor authentication, you must also add the Imprivata Cloud Platform addresses to the "per-user" MFA trusted IPs.
To add the IP addresses:
- Go to Microsoft Entra ID Overview > Manage > Users, and select Per-user multifactor authentication.
- Select the Server Settings tab.
- Add the following IP addresses:
  - 44.207.16.175/32
  - 44.196.189.191/32
  - 34.195.47.118/32
- Click Save.

Password Hash Sync is required, unless you have enabled Microsoft Entra pass-through authentication.
To enable Password Hash Sync:
- Go to Microsoft Entra ID Overview > Manage > Microsoft Entra Connect.
- Select Connect Sync, and verify that Password Hash Sync is enabled.
- If it is not enabled, configure Password Hash Synchronization in the Microsoft Entra Connect Sync Agent.

Configure Imprivata Enterprise Access Management as a directory. Doing so provides full user sync capabilities.
Syncing your users requires one of the following:
- Entra ID Global Administrator rights
- Privileged Role Administrator rights
To sync Entra ID users:
- Log into the Imprivata Access Management portal (access.imprivata.com).
- Click the gear icon.
- On the Entra ID users tab, click Add an Entra ID directory now.
  The Add Entra ID as a directory window opens.
- Paste your Entra ID Tenant ID, and click Continue to Microsoft Authentication.
- Click specify groups now. Enter group names to find and add them.
- Click Update now to sync users.
After a user has enrolled their face, you can return to this page to remove the enrollment, if necessary. Click the overflow menu next to their name, and then Remove.

If you are using federated authentication, this step is required.
The Imprivata Cloud Platform must be able to validate user passwords when they are entered. In a federated environment, these validation calls must not be redirected to the federated identity provider (IdP). You must change the home realm discovery policy so that authentication from the Imprivata Cloud goes to your Entra ID tenant only. This applies only to authentication calls made by the Imprivata Access Management Sync application.
To create and apply the Home Realm Discovery policy:
- Log in to Microsoft Graph Explorer.
  To make it more secure, log in as the Global Administrator.
- Consent to the Microsoft Graph Explorer application in your tenant.
  For more information, see the Microsoft Graph API documentation.
- Create a home realm discovery policy by making the following HTTP request:
  POST https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies
  Request body
  In the request body, supply a JSON representation of the homeRealmDiscoveryPolicy object. The definition is itself a JSON document stored as a string, so its quotes are escaped:
      {
        "displayName": "yourPolicyName",
        "definition": [
          "{\"HomeRealmDiscoveryPolicy\":{\"AllowCloudPasswordValidation\":true}}"
        ],
        "isOrganizationDefault": false
      }
  Response
  If successful, this method returns a 201 Created response code and a new homeRealmDiscoveryPolicy object in the response body.
  Example response
      {
        "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/homeRealmDiscoveryPolicies",
        "value": [
          {
            "id": "239cbead-1111-654a-9f50-1467d691aaa",
            "deletedDateTime": null,
            "definition": [
              "{\"HomeRealmDiscoveryPolicy\":{\"AllowCloudPasswordValidation\":true}}"
            ],
            "displayName": "Exclude Federated Authentication",
            "isOrganizationDefault": false
          }
        ]
      }
  Note the id value in the response; you need it for the next two requests.
- Assign the home realm discovery policy to the Imprivata Access Management Sync application by making the following HTTP request:
  POST https://graph.microsoft.com/v1.0/servicePrincipals/<the Imprivata Access Management Sync application object id>/homeRealmDiscoveryPolicies/$ref
  Request body
  In the request body, supply the identifier of the homeRealmDiscoveryPolicy object that should be assigned:
      {
        "@odata.id": "https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/<yourHomeRealmDiscovery_PolicyID>"
      }
  Response
  If successful, this method returns a 204 No Content response code.
- Verify that the home realm discovery policy was successfully applied to the service principal by making the following HTTP request:
  GET https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/<homeRealmDiscoveryPolicy object id>/appliesTo
  Response
  The id in the returned service principal object should be the object ID of the Imprivata Access Management Sync application:
      {
        "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
        "value": [
          {
            "@odata.type": "#microsoft.graph.servicePrincipal",
            "id": "c1f8e0d4-25b0-46b2-aaa8-827822631a33",
            ...
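The three Graph requests above as a scripted flow. This is an added example, not Imprivata's or Microsoft's code: it builds the policy definition with json.dumps (so no stray commas can end up inside the stringified definition), runs create/assign/verify through an injectable send() transport, and treats verification as passed only when the policy is bound to exactly the Sync app's service principal. FakeGraph is a constructed offline stand-in for Graph; a real transport would add an Authorization: Bearer header and return the HTTP status plus parsed JSON.

```python
import json
from typing import Any, Callable, Dict, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
# Transport: send(method, url, json_body_or_None) -> (http_status, parsed_json_or_None).
Send = Callable[[str, str, Optional[Dict[str, Any]]], Tuple[int, Any]]


def hrd_definition(allow_cloud_password_validation: bool = True) -> str:
    """Build the stringified definition with json.dumps so it is always well-formed JSON."""
    inner = {"HomeRealmDiscoveryPolicy": {"AllowCloudPasswordValidation": allow_cloud_password_validation}}
    return json.dumps(inner, separators=(",", ":"))


def create_policy(send: Send, display_name: str) -> str:
    """Request 1: create the policy and return its id (expects 201 Created)."""
    body = {"displayName": display_name, "definition": [hrd_definition()], "isOrganizationDefault": False}
    status, resp = send("POST", f"{GRAPH}/policies/homeRealmDiscoveryPolicies", body)
    if status != 201:
        raise RuntimeError(f"policy creation failed: HTTP {status}")
    return resp["id"]


def assign_policy(send: Send, sync_sp_id: str, policy_id: str) -> None:
    """Request 2: bind the policy to the Sync app's service principal via $ref (expects 204)."""
    body = {"@odata.id": f"{GRAPH}/policies/homeRealmDiscoveryPolicies/{policy_id}"}
    status, _ = send("POST", f"{GRAPH}/servicePrincipals/{sync_sp_id}/homeRealmDiscoveryPolicies/$ref", body)
    if status != 204:
        raise RuntimeError(f"policy assignment failed: HTTP {status}")


def policy_applies_to(send: Send, policy_id: str, sync_sp_id: str) -> bool:
    """Request 3: True only if the policy is attached to exactly the intended service principal,
    so a policy that also landed on other apps is reported as a failed verification."""
    status, resp = send("GET", f"{GRAPH}/policies/homeRealmDiscoveryPolicies/{policy_id}/appliesTo", None)
    if status != 200:
        raise RuntimeError(f"appliesTo lookup failed: HTTP {status}")
    sps = {o["id"] for o in resp.get("value", []) if o.get("@odata.type") == "#microsoft.graph.servicePrincipal"}
    return sps == {sync_sp_id}


def run_flow(send: Send, sync_sp_id: str, name: str = "Exclude Federated Authentication") -> bool:
    policy_id = create_policy(send, name)
    assign_policy(send, sync_sp_id, policy_id)
    return policy_applies_to(send, policy_id, sync_sp_id)


class FakeGraph:
    """Constructed in-memory Graph stand-in that mimics the status codes documented above."""
    def __init__(self) -> None:
        self.policies: Dict[str, Dict[str, Any]] = {}
        self.applies: Dict[str, set] = {}

    def __call__(self, method: str, url: str, body: Optional[Dict[str, Any]]) -> Tuple[int, Any]:
        parts = url[len(GRAPH):].split("/")  # e.g. ['', 'policies', 'homeRealmDiscoveryPolicies', ...]
        if method == "POST" and parts[1:] == ["policies", "homeRealmDiscoveryPolicies"]:
            pid = f"policy-{len(self.policies) + 1}"  # constructed id, not a real GUID
            self.policies[pid] = body
            return 201, {"id": pid, **body}
        if method == "POST" and parts[1] == "servicePrincipals" and parts[-1] == "$ref":
            pid = body["@odata.id"].rsplit("/", 1)[1]
            if pid not in self.policies:
                return 404, None
            self.applies.setdefault(pid, set()).add(parts[2])
            return 204, None
        if method == "GET" and parts[-1] == "appliesTo" and parts[3] in self.policies:
            value = [{"@odata.type": "#microsoft.graph.servicePrincipal", "id": s} for s in sorted(self.applies.get(parts[3], ()))]
            return 200, {"value": value}
        return 404, None
```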

You must exclude the Imprivata Access Management Sync app from your MFA conditional access policies for this feature. This requirement is due to a Microsoft blocker.
- In Entra ID, go to Security > Conditional Access, and select a policy that applies to your Imprivata users and requires MFA.
- To exclude your Imprivata app, go to Cloud apps or actions > Cloud apps > Exclude > Select excluded cloud apps, and select the Imprivata Access Management Sync app.
- Click Save.
- Repeat for all conditional access policies that apply to your Imprivata app and require MFA.
Microsoft-managed policies don't allow you to exclude specific cloud apps. If you have a Microsoft-managed policy that requires MFA, recreate it so you can exclude the Imprivata Access Management Sync app, and then turn off the Microsoft-managed policy.
Configure a User Policy
- In the Imprivata Admin Console, go to the User policies page > Authentication tab > Desktop Access authentication section.
- Select Face recognition as a primary factor.
- Select a second factor for Face recognition:
  - No second factor (Not recommended)
  - Security Key
  - Imprivata PIN
  - Password
  - Proximity Card
  - Device-bound passkey
  - Imprivata PIN or Device-bound passkey
  - Security Key or Imprivata PIN or Proximity Card or Device-bound passkey
  BEST PRACTICE: For enhanced protection against sophisticated attacks, pair Face Authentication with a strong second factor like device-bound passkey or proximity card.
- Select another primary factor if needed. For example, if users in this policy must authenticate at endpoints where Face recognition authentication is not available.
- Click Save.
Expected User Workflow
The first time a user begins the Desktop Authentication workflow:
- At the Imprivata Enterprise Access Management login screen, the user selects Use face.
  NOTE: At endpoints with a Type 2 agent installed, Proximity Card is the default, but Use face is still available to enroll.
- The Set up Face recognition window opens. The user enters their username and password, then clicks Enroll Face recognition.
- The camera turns on, and the user is prompted to center their face in the frame and look at the camera.
- When the user's face biometric is successfully captured, the user is logged into the desktop.
A user's Face recognition enrollment can be deleted by the user: click the Imprivata agent in the system tray > User Options > Manage Passwords.
The enrollment can also be deleted by an Imprivata Enterprise Access Management administrator from the user's page in the Imprivata Admin Console.

On subsequent logins, after the user has enrolled:
- At the Imprivata Enterprise Access Management login screen, the user selects Use facial bio. The name of the user currently selected for authentication is displayed on screen. If this is not the intended account, the user can change it by editing the username in the username/password hexagon before proceeding.
- The camera turns on, and the user is prompted to center their face in the frame and look at the camera.
- When the user's face biometric is successfully captured, the user is logged into the desktop.
  If their User Policy is configured with a second factor required for Desktop Authentication, the user completes that factor before being logged in.

When the user begins with another primary factor:
- At the Imprivata Enterprise Access Management login screen, the user selects the available primary factor (Security Key, Password, or Proximity Card).
- The user successfully authenticates with their primary factor.
- The camera turns on, and the user is prompted to center their face in the frame and look at the camera.
- When the user's facial biometric is successfully captured, the user is logged into the desktop.
Stop and Restart an Imprivata Cloud Platform Connection
You can stop and restart this connection for the whole enterprise from any Imprivata Appliance Console, or on an appliance-by-appliance basis. The two statuses for the connection are Running and Disabled (stopped).
- In the Imprivata Appliance Console, go to System > Operations > Imprivata Cloud Connect.
- Imprivata Cloud Connect status is either Running or Disabled (stopped).
- Select Stop/restart options.
- Select from:
  - Stop Imprivata Cloud Connect on this appliance
  - Restart Imprivata Cloud Connect on this appliance
  - Stop Imprivata Cloud Connect on all appliances
  - Restart Imprivata Cloud Connect on all appliances
  NOTE: In this context, "Restart" means "start this stopped connection" and also "restart this connection that is already running".
- Click Go.