Spine Combined Workflow — Virtual Smartcards

Support for Spine applications reduces the time users must wait when re-authenticating to those applications during their shift.

After users successfully complete two-factor authentication at login, Imprivata Enterprise Access Management handles subsequent Spine authentication requests on their behalf. Delegating the requests to Enterprise Access Management removes the delays caused by network factors, such as load and latency, between your enterprise and the Spine.

Virtual smartcards allow for improved remote and mobile workflows with the Spine while maintaining the security delivered by Enterprise Access Management and Spine Combined Workflow.

The virtual smartcard is designed to work with the NHS Identity agent and the Care Identity Service to minimize re-training on new systems. People assigned as Registration Authorities create user smartcards the way they always have, but now with options for physical or virtual smartcards.

For complete details of physical smartcards, see Spine Combined Workflow — Physical Smartcards.

NOTE: An Imprivata with SSO Spine Combined Workflow license and an Authentication Management license are both required for this feature. The Spine Combined Workflow is licensed on a per-user basis: every user assigned to a user policy that is configured for Spine support consumes a license.

Configure Connection to Spine Security Broker

In the Imprivata Admin Console, go to the gear icon > Settings > Spine Combined Workflow, and enter the URLs for the NHS Digital Identity Agent settings.

The environment configured here must match the environment that the Identity Agent is using (production, integration, or development). To confirm which environment the Identity Agent is using, view the registry key for your Windows architecture:

  • 32-bit Windows: HKEY_LOCAL_MACHINE\SOFTWARE\HSCIC\Identity Agent

  • 64-bit Windows: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\HSCIC\Identity Agent

The ActivatePOSTURL value in that key carries the URL prefix for the environment; the URLs you enter in the Admin Console must use the same prefix.

NOTE:

The Imprivata appliance uses these URLs to create an outbound connection to the Spine Security Broker from within your datacenter. Make sure your enterprise firewall allows this. For complete details, see About Outbound Communications.
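The following PowerShell script is an added example, not part of the Imprivata documentation or product. Run on a workstation with the NHS Identity Agent installed, it reads ActivatePOSTURL from whichever of the two Identity Agent keys exists, reduces it to its scheme-and-host prefix, and compares that prefix with a URL you copy from the Spine Combined Workflow settings. The Admin Console URL in the usage line is a placeholder. The final port probe assumes the Spine Security Broker listens on TCP 443 (the page does not state the port) and only shows the workstation's own path; the appliance connects from your datacenter, so repeat it from the appliance's network segment where you can.

```powershell
# Added example: confirm the Identity Agent environment matches the Spine Combined Workflow settings.
# Windows PowerShell 5.1 or later, on a workstation with the NHS Identity Agent installed.

function Get-IdentityAgentActivateUrl {
    # On 64-bit Windows a 32-bit Identity Agent writes under WOW6432Node; try both locations.
    $keys = @(
        'HKLM:\SOFTWARE\HSCIC\Identity Agent',
        'HKLM:\SOFTWARE\WOW6432Node\HSCIC\Identity Agent'
    )
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -Name ActivatePOSTURL -ErrorAction SilentlyContinue
        if ($item -and $item.ActivatePOSTURL) {
            return [pscustomobject]@{ Key = $key; ActivatePOSTURL = $item.ActivatePOSTURL }
        }
    }
    throw 'ActivatePOSTURL not found in either key; is the NHS Identity Agent installed here?'
}

function Get-UrlPrefix {
    # Scheme and host only: the part of the URL that distinguishes one environment from another.
    param([Parameter(Mandatory)][string]$Url)
    $uri = [uri]$Url
    if (-not $uri.IsAbsoluteUri) { throw "Not an absolute URL: $Url" }
    return ('{0}://{1}' -f $uri.Scheme, $uri.Host).ToLowerInvariant()
}

function Test-SpineEnvironmentMatch {
    # $AdminConsoleUrl is one of the URLs entered under Settings > Spine Combined Workflow.
    param([Parameter(Mandatory)][string]$AdminConsoleUrl)
    $agent    = Get-IdentityAgentActivateUrl
    $expected = Get-UrlPrefix -Url $agent.ActivatePOSTURL
    $actual   = Get-UrlPrefix -Url $AdminConsoleUrl
    [pscustomobject]@{
        IdentityAgentKey    = $agent.Key
        IdentityAgentPrefix = $expected
        AdminConsolePrefix  = $actual
        Match               = ($expected -eq $actual)
    }
}

# Usage. 'https://example.invalid/...' is a placeholder (assumption): paste the URL from your Admin Console.
$result = Test-SpineEnvironmentMatch -AdminConsoleUrl 'https://example.invalid/authenticate'
$result | Format-List

# Outbound reachability from this workstation. Assumes TCP 443 (not stated on the page) and proves only
# this host's path, not the appliance's; the appliance connects outbound from your datacenter.
$brokerHost = ([uri]$result.IdentityAgentPrefix).Host
Test-NetConnection -ComputerName $brokerHost -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

If Match is False, the Admin Console is pointed at a different environment from the agent (for example integration versus production) and Spine authentication will fail for every user in the policy; fix the URLs before enabling the user policy.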

NHS SSB Certificates

Valid NHS SSB certificates are installed by default, and do not need replacing until expiration.

  1. To update expiring certificate(s), download replacement SSB certificate(s) from the NHS Digital website.

  2. In the Imprivata Admin Console, go to the gear icon > Settings page > Spine Combined Workflow section.

    All existing certificates are listed on this page with their expiration date and issuer. You can add and remove certificates here.

  3. Upload the replacement SSB certificate. The file extension must be .cer or .crt.

Expiring Certificates

Imprivata sends alerts when certificates are due to expire within 30 days.

You will see an alert on the Imprivata Admin Console, and if your enterprise is configured for email notifications, email notification will be sent as well.
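Before uploading a replacement SSB certificate it is worth checking the file itself: that it has an accepted extension, parses as a certificate, names the issuer you expect, and has more than 30 days of validity left so it does not immediately re-trigger the expiry alert. The script below is an added example, not Imprivata's or NHS Digital's code. To run offline it constructs a throw-away self-signed certificate valid for 20 days in place of a real SSB certificate (so it lands inside the 30-day warning window) and removes it afterwards; point $cerPath at the file downloaded from NHS Digital for real use.

```powershell
# Added example: inspect a replacement SSB certificate file before uploading it to the Admin Console.

function Get-SsbCertificateStatus {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$WarnWithinDays = 30    # same window as the Admin Console's expiry alert
    )
    # The Admin Console accepts only .cer or .crt files.
    if ([IO.Path]::GetExtension($Path) -notin '.cer', '.crt') {
        throw "Unsupported extension for '$Path': upload a .cer or .crt file"
    }
    # X509Certificate2 reads both DER and Base64 (PEM) encoded files; throws if the file is not a certificate.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    $now      = Get-Date
    $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)

    if     ($now -lt $cert.NotBefore)        { $status = 'NotYetValid' }
    elseif ($daysLeft -lt 0)                 { $status = 'Expired' }
    elseif ($daysLeft -le $WarnWithinDays)   { $status = 'ExpiringSoon' }
    else                                     { $status = 'OK' }

    [pscustomobject]@{
        File       = Split-Path -Path $Path -Leaf
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer       # compare with the issuer shown for the current SSB certificates
        Thumbprint = $cert.Thumbprint
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Status     = $status
    }
}

# Constructed input: a self-signed certificate valid for 20 days stands in for a real SSB certificate
# so the example runs offline. For real use set $cerPath to the file downloaded from NHS Digital.
$tmpCert = New-SelfSignedCertificate -Subject 'CN=constructed-ssb-example' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddDays(20)
$cerPath = Join-Path $env:TEMP 'constructed-ssb-example.cer'
Export-Certificate -Cert $tmpCert -FilePath $cerPath | Out-Null
try {
    Get-SsbCertificateStatus -Path $cerPath | Format-List
}
finally {
    # Remove the throw-away certificate from the user store and the temp file.
    Remove-Item -Path ('Cert:\CurrentUser\My\' + $tmpCert.Thumbprint) -ErrorAction SilentlyContinue
    Remove-Item -Path $cerPath -ErrorAction SilentlyContinue
}
```

A replacement that reports ExpiringSoon or Expired is the wrong file (an old download, or the certificate that is about to lapse), and an unexpected Issuer should be resolved with NHS Digital before the file goes anywhere near the appliance.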

Configure Registration Authority Users

A Registration Authority user (RA) does not need administrator access to the Imprivata Admin Console. By design, RAs are distinct from Enterprise Access Management administrators, and they associate smartcards with Enterprise Access Management users through the Imprivata agent menu.

RAs can be enabled for Spine Combined Workflow and use it for application authentication as any other user would.

When generating physical or virtual smartcards, RAs can use Spine Combined Workflow to access the Care Identity Service.

When generating physical or virtual smartcards, the RA's own physical smartcard must be in the smartcard reader.

CAUTION:

Registration Authority users should not assign virtual smartcards to other RAs, or to themselves. No RA should be issued a virtual smartcard.

The user must already be assigned to a user policy enabled for Spine Combined Workflow. To enable the user as an RA:

  1. In the Imprivata Admin Console, go to Users > Users, and select the user.

  2. In the section Spine Combined Workflow, select User is a Registration Authority.

  3. Click Save.

Issue Virtual Smartcards

Registration Authority users (RAs) can generate both physical and virtual smartcards in the Care Identity Service when using the Enterprise Access Management Spine Combined Workflow. The workstation used for generating virtual smartcards must have the Imprivata agent installed, and two smartcard readers attached to it. To generate a smartcard, the RA’s smartcard must be present in one of the smartcard readers. This gives the necessary permissions to generate a user smartcard.

Generate a Physical Smartcard

To generate a physical smartcard, the RA follows the existing and established steps to generate a physical smartcard.

Smartcard Reader As Printer

When using smartcard printers as the second reader, add a registry key that tells Enterprise Access Management to ignore this device as a reader: HKEY_LOCAL_MACHINE\SOFTWARE\SSOProvider\DeviceManager\Devices\PKISC

For smartcard readers recognized by ScardAPI (Proxcard):

  • HKEY_LOCAL_MACHINE\SOFTWARE\SSOProvider\DeviceManager\Devices\Prox\Providers\ScardAPI

  • Key Name — SkipReaders

  • Key Type — REG_MULTI_SZ

NOTE:

SkipReaders is a multi-string value. Enter the reader name exactly as Enterprise Access Management reports it in its traces, for example OMNIKEY 3x21.
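Setting a REG_MULTI_SZ value by hand in Registry Editor is easy to get wrong (a REG_SZ with the same name, or a duplicated entry). The following PowerShell is an added example, not Imprivata's code, that adds a reader name to SkipReaders without clobbering names already listed, creating the key if necessary. It defaults to the ScardAPI (Proxcard) key documented above; the PKISC key path can be passed as -KeyPath, but the page does not name the value under that key, so using SkipReaders there is an assumption. The Get-PnpDevice listing shows what Windows calls the attached readers as a hint only; the value must match the name as it appears in the Enterprise Access Management traces.

```powershell
# Added example: make Enterprise Access Management ignore a smartcard printer's reader via SkipReaders.
# Run from an elevated prompt; HKLM requires administrator rights.

$ScardApiKey = 'HKLM:\SOFTWARE\SSOProvider\DeviceManager\Devices\Prox\Providers\ScardAPI'

function Get-SkippedSmartcardReaders {
    param([string]$KeyPath = $ScardApiKey)
    $prop = Get-ItemProperty -Path $KeyPath -Name SkipReaders -ErrorAction SilentlyContinue
    if ($prop) { return @($prop.SkipReaders) }
    return @()
}

function Add-SkippedSmartcardReader {
    param(
        # The reader name exactly as it appears in the Enterprise Access Management traces, e.g. 'OMNIKEY 3x21'.
        [Parameter(Mandatory)][string]$ReaderName,
        [string]$KeyPath = $ScardApiKey
    )
    if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }

    $current = Get-SkippedSmartcardReaders -KeyPath $KeyPath
    if ($current -contains $ReaderName) { return $current }    # idempotent: already listed

    # REG_MULTI_SZ is PropertyType MultiString. -Force replaces any existing value, including one
    # mistakenly created as REG_SZ, while keeping every name already present.
    $updated = [string[]]($current + $ReaderName)
    New-ItemProperty -Path $KeyPath -Name SkipReaders -PropertyType MultiString -Value $updated -Force | Out-Null
    return Get-SkippedSmartcardReaders -KeyPath $KeyPath
}

# Readers Windows currently sees. PnP friendly names usually, but not always, match the PC/SC name
# that Enterprise Access Management logs, so use this only to spot the printer's reader.
Get-PnpDevice -Class SmartCardReader -Status OK | Select-Object FriendlyName, InstanceId

# Usage: skip the reader built into the smartcard printer, then show the resulting list.
Add-SkippedSmartcardReader -ReaderName 'OMNIKEY 3x21'
```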

Generate a Virtual Smartcard

You can generate a virtual smartcard using the Care Identity Management (CIM) system or the Care Identity Service (CIS).

To generate a virtual smartcard, the RA's smartcard must be in one reader and the second reader or printer must be empty. In the CIM or CIS Issue Smartcard popup, select Continue without smartcard print. The virtual smartcard is generated on your Imprivata appliance. The next section describes how to enroll this virtual smartcard for the CIM or CIS user with their Enterprise Access Management user identity.

Enroll Virtual Smartcards

After a virtual smartcard has been generated, it is held securely on your Imprivata appliance, but it is not yet enrolled with an Enterprise Access Management user. A Registration Authority user (RA) must enroll it with an Enterprise Access Management user:

  1. On the Imprivata agent menu, select Manage Virtual Smartcards.

  2. Search for and select the user, then click Assign VSC.

  3. From the Select virtual smartcard popup, find the unassigned virtual smartcard with the Care Identity Service username and serial number that matches the virtual smartcard you generated earlier.

  4. Click Select.

Enable CIS Passcode for Virtual Smartcards

You can enable the Care Identity Service (CIS) passcode to provide an additional level of security. Any virtual smartcards created after the CIS Passcode is enabled will require their users to provide their CIS Passcode on login.

CIS Passcode Considerations

Consider the following before you enable the CIS Passcode functionality in your environment.

CAUTION:

Once activated, CIS Passcode for Virtual Smartcards cannot be deactivated. It can only be reversed by restoring your environment from a backup. For this reason Imprivata strongly recommends backing up your system before you activate CIS Passcode.

  • The feature is only applicable to Virtual Smartcards created after activation. Virtual Smartcards created before activation will not employ this feature. Both types of Virtual Smartcard can be used if you have the latest server and client.

  • After activation, users must log in using Imprivata MFA to access the virtual smartcard feature, and must also provide their CIS Passcode once per day. The OneSign user PIN and the CIS Passcode are separate values and can differ.

  • Imprivata strongly recommends updating all clients and servers before activating Virtual Smartcard Support for CIS Passcode.

  • Environments with mixed client versions affect the end-user workflow and experience. Virtual smartcards created before you enable this feature work with all old and new clients as expected; virtual smartcards protected by CIS Passcode require the newer client.

  • The user can change the CIS Passcode using the NHS Care Identity Service. If a user forgets their CIS Passcode, a Registration Authority must issue a new Secure Virtual Smartcard.

  • Enabling CIS Passcode changes both Registration Authority and end-user workflows, so consider any additional training required.

  • With an older client, a virtual smartcard protected by CIS Passcode falls back to the standard behavior of asking for a physical smartcard and its passcode through the NHS Identity Agent.

  • A user has a maximum of three failed attempts to supply their Secure Virtual Smartcard PIN, whether the attempts are made on the same or different computers. After the third failed attempt the card is locked, and the user is prompted to use a physical card and its corresponding passcode.

To enable CIS Passcode:

  1. In the Imprivata Admin Console, go to the gear icon > Settings page > Spine Combined Workflow section.

  2. In the Additional Security section, select require all virtual smart card users to provide CIS passcode. A confirmation window warning that this activation cannot be reversed appears.

  3. Click Yes if you have reviewed the considerations in this section and still wish to proceed.

Self-Service Virtual Smartcard Renewal

Users can renew their own virtual smartcards from the existing NHS Care Identity Service site.

When a virtual smartcard is expiring, an Imprivata popup warning appears at workstation login, showing the remaining effective days. Users must renew the smartcard before it expires in order to use the self-service feature. After expiration, users must go to the NHS Registration Authority.

To renew a virtual smartcard:

  1. Ensure that no smartcard is inserted into the smartcard reader, if present.

  2. Log in to the NHS Care Identity Service site, and click on your username at the top of the window.

  3. Scroll down to the Smartcard Details table, select the smartcard you want to renew and click Service. If there are multiple entries, use the expiration date to identify the correct entry.

  4. In the SmartCard Service dialog, select the renew service radio button and click Continue.

  5. Enter any 6 to 8 digits in the "enter passcode" field, and click Confirm. This passcode can contain only digits and does not need to be retained for later use. The dialog may display a "Please insert Smartcard before confirmation" message; this is a CIS-generated message intended for physical smartcards and can safely be ignored.

  6. The dialog displays renewal progress, and an Imprivata popup success message appears.

Spine Authentication Workflow with a Virtual Smartcard

  1. At the beginning of the shift, the user authenticates to Enterprise Access Management using two-factor authentication.

  2. The user opens a Spine application.

    Enterprise Access Management contacts NHS Spine and authenticates the user's virtual smartcard on their behalf. The virtual smartcard authentication is transparent to the user: the Spine application opens immediately.

Change Virtual Smartcard Roles

Users with virtual smartcards can change roles without closing their Spine session and re-authenticating. These users can go to the Imprivata agent menu and select Set Spine Role to:

  • View their current Role

  • Select a new default Role for future sessions

  • Change Roles; after they change roles on this Imprivata agent menu, the user may have to restart an open Spine application for the change to take effect.

This feature is not available when using physical smart cards. Users authenticating with physical smart cards must close their Spine session and re-authenticate to change roles.