Configure Locker SSO to OpenID Connect-enabled Apps
Applies to iOS devices only.
Imprivata Mobile Access Management adds authentication to OpenID Connect (OIDC) apps that are configured for OIDC with Imprivata as the Identity Provider (IdP). Here, authentication means sharing the MAM user session with a third-party app so that the user does not need to enter credentials again to authenticate to that app.
Prerequisites
Supported in MAM 7.3 UAT.
Take note of the following prerequisites:
- Imprivata Locker for iOS - 4.3 or later
- Password Autofill and SSO setting is enabled in the MAM console (Admin > Check Out > Password Autofill and SSO).
- Integration with Imprivata Enterprise Access Management.
The following EAM dependencies for OIDC integration must be completed:
- Imprivata appliances are running a maintained release of EAM. For more information, see the EAM Supported Components.
- Imprivata is licensed for Single Sign On.
- OpenID Connect applications are added to your Imprivata enterprise.
- OpenID Connect applications are deployed to a selected set of users.
- Imprivata users are assigned to a user policy enabled for Single Sign On.
- Validate OpenID Connect integration settings in the Imprivata Admin Console:
| Setting | Required / Optional | Imprivata Admin Console location |
|---|---|---|
| Appliance is running a maintained release of Imprivata Enterprise Access Management | Required | Help menu |
| Imprivata Single Sign On is licensed | Required | Gear menu > License |
| Imprivata enterprise is provisioned and connected to the cloud | Required | Gear menu > Cloud connection |
| OpenID Connect applications are added and enabled in Imprivata Admin Console | Required | Applications > Single sign-on application profiles |
| OpenID Connect applications are deployed to a selected set of users | Required | Applications > Single sign-on application profiles |
| Imprivata users are assigned to a user policy enabled for Single Sign On | Required | Users > User policies |
Imprivata Services will enter the Enterprise ID and one-time cloud provisioning code required to establish trust between your Imprivata enterprise and the Imprivata cloud:
- In the Imprivata Admin Console, click the gear icon > Cloud connection.
- Services will enter your Enterprise ID and cloud provisioning code. (The cloud provisioning code expires 5 minutes after it is generated. Generate a new code if 5 minutes have elapsed.)
- Click Establish trust.
IMPORTANT: The cloud connection must be established by Imprivata Services.
Imprivata SSO (IdP) and your OpenID Connect application, the Relying Party (RP), need metadata from each other.
Open both consoles at the same time and import this metadata as follows:
- In your RP's administrator console, copy the RP client credentials and Redirect URIs.
- In the Imprivata Admin Console, go to the gear icon > Web App Login Configuration.
  Enter the RP client credentials and Redirect URIs.
- Click View and copy Imprivata (IdP) OpenID Connect metadata.
- Provide the Client ID and Client Secret values on the RP's admin console.
- Provide the endpoint URL metadata to the RP. This can be entered manually, or by providing the IdP metadata URL.
- Save your work.
In the Imprivata Admin Console, only the superadmin role is able to configure SSO application profiles:
- In the Imprivata Admin Console, go to Applications > Single sign-on application profiles.
  All Single sign-on application profiles, including Mobile app profiles and OpenID Connect application profiles, are managed from this page.
- Click Add App Profile > Web application using OpenID Connect. The Add application using OpenID Connect page opens.
- Give the application profile a name. This name is only visible to administrators.
  Give the application a user-friendly name. This is the application name your users will see when they log in.
- Enter Redirect URIs from the RP. If you don't have them yet, leave this window open and go to the RP's admin console in another window.
- Optional: Claims — Review the default claims, and configure any custom claims required for your integration.
- Generate Client credentials to provide to the RP.
- Generate IdP Metadata to provide to the RP.
- Click Save.
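The two procedures above (exchanging metadata with the RP, and building the OpenID Connect application profile) both hinge on the same two artifacts: the IdP's OpenID Connect metadata and the RP's Redirect URIs. The script below is an added example, not Imprivata code, that sanity-checks both before they are pasted into either console. The discovery document and the redirect URIs are constructed stand-ins with placeholder hostnames; the checks themselves are generic OIDC hygiene (https everywhere, endpoints under the issuer, authorization code flow advertised, no unsigned ID tokens, exact-match redirect URIs with no fragments or wildcards).

```python
import json
from urllib.parse import urlparse

# Constructed stand-in for the discovery document an IdP serves at
# <issuer>/.well-known/openid-configuration. Hostnames are placeholders.
IDP_METADATA_JSON = """{
  "issuer": "https://idp.example.invalid",
  "authorization_endpoint": "https://idp.example.invalid/oauth2/authorize",
  "token_endpoint": "https://idp.example.invalid/oauth2/token",
  "jwks_uri": "https://idp.example.invalid/oauth2/jwks",
  "userinfo_endpoint": "https://idp.example.invalid/oauth2/userinfo",
  "response_types_supported": ["code"],
  "id_token_signing_alg_values_supported": ["RS256"]
}"""

# Constructed list of redirect URIs copied out of a hypothetical RP admin console.
RP_REDIRECT_URIS = [
    "https://rp.example.invalid/oidc/callback",
    "https://rp.example.invalid/oidc/callback/",
]

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_idp_metadata(raw_json):
    """Return the problems found in an IdP discovery document; an empty list means it is usable."""
    try:
        doc = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"metadata is not valid JSON: {exc}"]
    problems = []
    issuer = doc.get("issuer", "")
    if urlparse(issuer).scheme != "https":
        problems.append("issuer missing or not https")
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"{key} missing")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not https")
        elif issuer and not url.startswith(issuer.rstrip("/") + "/"):
            # An endpoint outside the issuer usually means a mis-pasted or tampered document.
            problems.append(f"{key} is not under the issuer")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("unsigned ID tokens (alg none) advertised")
    return problems


def check_redirect_uri(uri):
    """Return the problems with one redirect URI before it is registered at the IdP."""
    parts = urlparse(uri)
    problems = []
    # Plain http is tolerated only for loopback (native-app style) redirects.
    loopback = parts.hostname in ("localhost", "127.0.0.1", "::1")
    if parts.scheme != "https" and not loopback:
        problems.append("scheme must be https")
    if not parts.netloc:
        problems.append("missing host")
    if parts.fragment:
        problems.append("fragment not allowed")
    if "*" in uri:
        problems.append("wildcards not allowed; register the exact URI")
    return problems


def is_registered_redirect(candidate, registered):
    """Exact string comparison: the only safe way for an IdP to match redirect_uri."""
    return candidate in registered


def endpoints_for_rp(raw_json):
    """Extract just the values an RP admin types in when the metadata URL cannot be used."""
    doc = json.loads(raw_json)
    wanted = ("issuer",) + REQUIRED_ENDPOINTS + ("userinfo_endpoint",)
    return {k: doc[k] for k in wanted if k in doc}


if __name__ == "__main__":
    print("IdP metadata problems:", check_idp_metadata(IDP_METADATA_JSON) or "none")
    for uri in RP_REDIRECT_URIS:
        print(uri, "->", check_redirect_uri(uri) or "ok")
    print("query-string variant registered?",
          is_registered_redirect("https://rp.example.invalid/oidc/callback?x=1", RP_REDIRECT_URIS))
    print("manual entry values:", endpoints_for_rp(IDP_METADATA_JSON))
```

Note that the trailing-slash and no-slash forms of the callback are registered separately on purpose: because matching is exact, each form the RP can actually send must be listed, and nothing broader than that should be.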
Configure several settings in MAM to support the integration.
- In the MAM console, navigate to Admin > Check Out.
- Switch the Password Autofill and SSO setting to ON.
- Switch the Require a second factor to unlock the device setting to ON.
  This setting controls whether users must provide a second factor in the Locker app during checkout to unlock the device.
Beginning with MAM 7.3 UAT and Locker 4.3, using Locker SSO is the preferred method for authenticating to Epic Rover.
Contact your Epic TS for assistance with configuring your Epic environment with OpenID Connect.