Single Sign On for the Admin Console
Imprivata enables Single Sign On access to your Patient Access Admin Console, and other Imprivata Admin Consoles, from access.imprivata.com, powered by the Imprivata Cloud Platform.
Configure the secure connection between your identity provider (IdP) and the Imprivata Cloud Platform.
The Imprivata Access Management setup requires metadata from your identity provider's (IdP) console.
Open the IdP console at the same time as the Imprivata Access Management setup so you can configure both as needed.
Patient Access Production and Non-Production Cloud Tenants
When Imprivata Services creates your Patient Access Cloud tenants, you will receive two: a production and a non-production Cloud tenant.
The Welcome email you receive contains links to both tenants' setup wizards. Click the links in the email and follow the prompts to complete the secure connections.
- The production Cloud tenant should be used for your production environment.
- The non-production (or sandbox) Cloud tenant can be used as a test or sandbox environment.
IMPORTANT: You can configure your production and non-production tenants in any order you choose.
However, the following configuration tasks assume that you are setting up the non-production environment first as a test environment.
After setting up your non-production environment, you would follow the same configuration tasks again to set up your production environment, using the link to the production Cloud tenant.
Any differences between the non-production and production environment are noted as needed.
Before You Begin
- Optional: a PNG, JPG, or GIF of your organization logo (200 x 100 pixels or smaller, max 100 KB).
- Entra ID groups: define the groups for Patient Access Admin Console access for your non-production environment:
  - Admin group for access to the Imprivata Access Management portal. Define at least one Entra ID group that will have administrative access to the Imprivata Access Management portal.
    NOTE: This group can be the same as the Admin group you define for Patient Access administrators, or a separate group, if required.
  - Admin group for Patient Access administrators. In Microsoft Entra ID, move the Microsoft Entra ID Global Admin and any other admins you'd like administering Patient Access into this group.
  - Managers group for Patient Access.
  - Viewers group for Patient Access.
  NOTE: When configuring your production environment, you can define similar groups specific to a production environment, or you can use the same groups as your non-production environment.
For more information, see the system requirements and roles and permissions.
Configure the Connection to the Imprivata Cloud Platform
The Imprivata Access Management setup supports several Imprivata products on the Imprivata Cloud Platform.
For Patient Access, you will skip some steps in the setup because they are for integrating other Imprivata products.
The Imprivata Access Management setup leads you through the following steps:
- Read the Data Processing Addendum and click Agree.
- On the Tell us about your organization page, add your organization's user-facing name, (optional) logo, and business email address, and click Continue.
  NOTE: For non-production and production environments:
  - The user-facing organization name can be different. This should be a user-friendly name. Imprivata recommends appending "test" or "non-prod" to the name for your non-production environment so you can easily identify it.
  - The logos can be different. Imprivata recommends that you create a distinctive logo for your non-production and production environments, so that you can easily identify which environment you are using.
  - The business email address must use the same domain in the non-production and production environments, but the email address itself can be different.
  On the next page, click Continue to confirm your organization's details.
- On the Connect to Enterprise Access Management page, click Skip this to skip connecting to Imprivata Enterprise Access Management.
- On the Connect to Privileged Access Security instance page, click Skip this to skip integrating with Privileged Access Security.
- On the Imprivata Identity Provider page, click Skip this to skip setting up Imprivata as the identity provider.
- On the Identity provider: Connect page:
  - Type a name in the Name this identity provider box. Imprivata recommends that this name be the same as the Microsoft Entra SAML Toolkit you will configure in a later step in Microsoft Entra ID.
Configure Microsoft Entra ID as the Identity Provider
This section provides details for Microsoft Entra ID configuration as the identity provider.
The Imprivata Access Management setup requires metadata from your identity provider's (IdP) console.
Open the console at the same time as the setup wizard so you can configure both as needed.
Unless otherwise noted, this section must be repeated for each Imprivata tenant type: non-production and production.

Using the Imprivata Access Management setup, copy the Imprivata SP metadata URL. You use this URL to save the metadata as an XML file, which you upload to your Entra app.
To save the metadata URL as an XML file:
- Go to the Identity Provider Connect screen.
- Copy the Imprivata SP metadata URL, paste it into a new browser tab, and save the page as an XML file.
- Do not close the wizard. You finish configuring the connection here after you configure your Entra app.

Using the Microsoft Entra admin center, configure the Entra ID app to support authentication into the Imprivata Access Management portal.
To configure the Entra app:
- In the Microsoft Entra admin center, create an Enterprise application for your non-production tenant:
  - Go to Overview > Getting Started > Assign users and groups and click Add user/groups.
  - Add the groups that identify users with administrative access to the Imprivata Access Management portal. These users will have access to the Imprivata Access Management portal so they can update your organization's details, logo, and other settings related to the Imprivata Cloud.
    NOTE: This group can be the same as the Admin group you define for Patient Access administrators, or a separate group, if required.
  - Add the groups that will have Admin, Manager, and View Only access to the Patient Access Admin Console. These users will have access to the Patient Access Admin Console.
- Go to Overview > Getting Started > Set up single sign-on.
- Select SAML as the single sign-on method.
- Click Upload metadata file and upload the Imprivata SP metadata XML file you created earlier.
- For Basic SAML Configuration, provide the Sign on URL https://access.imprivata.com.
- Click Save and close the Basic SAML Configuration applet.

Using the Microsoft Entra admin center, copy and save the following Entra app values. You use these values to finish the configuration in the Imprivata Access Management setup:
- The URL endpoint of federation metadata.
- The SAML name/value pair that identifies users with administrative access.
To locate the required values:
- In the Entra app, go to SAML certificates, and copy the App Federation Metadata URL.
- In the Microsoft Entra admin center, copy the claim name for groups from Entra ID:
  - Click Attributes & Claims > Edit.
  - Click Add a group claim if there isn't one already. Click Save.
  - Select All groups for Which groups associated with the user should be returned in the claim?
    BEST PRACTICE: Use Group ID as the source attribute.
  - Copy the claim name for groups from Entra ID and save it for use in a later step. Example: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
- Navigate to Manage > Groups > Search, and search for a group that should have administrator access to the Imprivata Access Management portal. Copy the Object ID for that group and save it for use in the next step.

Using the Imprivata Access Management setup, finish configuring Entra ID as an IdP using the Entra app values saved previously.
To finish the configuration:
- Open the Imprivata Access Management setup, and go to the Identity Provider Connect screen.
- Enter the SAML IdP metadata URL of the Entra app, and click Continue.
- Paste the administrator group's claim name into SAML attribute name.
- Paste the administrator group's Object ID into SAML attribute value, and click Continue.
- Click Go to Access URL: access.imprivata.com to test the authentication workflow to access the Imprivata Access Management portal.
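To show why the claim name and the group's Object ID entered above must match what Entra actually sends, here is an added Python example (not Imprivata's or Microsoft's code) that extracts the groups claim from a SAML assertion and applies the same attribute name/value test the setup performs. The claim name is the one shown earlier; the assertion and the group Object IDs are constructed, and signature validation, which a real service provider performs before reading any attribute, is assumed to have already happened.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim name copied from the Entra app's Attributes & Claims page (the example shown above).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Object ID of the admin group: a constructed placeholder, not a real tenant value.
ADMIN_GROUP_OBJECT_ID = "11111111-2222-3333-4444-555555555555"

# Constructed sample assertion. With "All groups" and Group ID as the source attribute,
# Entra emits one AttributeValue per group Object ID under the groups claim.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>admin@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def attribute_values(assertion_xml: str, attribute_name: str) -> list[str]:
    """Return every AttributeValue carried under the SAML attribute with this exact Name."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            if value.text:
                values.append(value.text.strip())
    return values


def grants_admin_access(assertion_xml: str, attribute_name: str, attribute_value: str) -> bool:
    """Exact-match check equivalent to the setup's SAML attribute name / SAML attribute value pair."""
    return attribute_value in attribute_values(assertion_xml, attribute_name)


if __name__ == "__main__":
    # Object ID matches one of the claim values.
    print(grants_admin_access(SAMPLE_ASSERTION, GROUPS_CLAIM, ADMIN_GROUP_OBJECT_ID))  # True
    # A display name never matches when Group ID is the source attribute.
    print(grants_admin_access(SAMPLE_ASSERTION, GROUPS_CLAIM, "Patient Access Admins"))  # False
```

Because the comparison is exact, a user whose token carries the groups claim under a different claim name, or with group display names instead of Object IDs, is denied administrative access.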
Accessing the Imprivata Access Management Portal
To access the Imprivata Access Management Portal:
- At the login screen, enter an email address with the same domain you configured in the setup wizard, and click Continue. You will be redirected to your IdP's login screen.
- After authenticating with your IdP, you will be redirected to the Imprivata Access Management Portal.
- In the Imprivata Access Management section, the Patient Access panel is displayed. Click Launch to navigate to your Patient Access Admin Console.
Next Steps
Create roles and permissions in the Patient Access Admin Console. See Patient Access Roles and Permissions.