Configure Locker SSO to OpenID Connect-enabled Apps

Step 1: Imprivata Appliance Configuration

Validate OpenID Connect integration settings in the Imprivata Admin Console:

Setting	Required / Optional	Imprivata Admin Console location
Appliance is running a maintained release of Imprivata Enterprise Access Management	Required	Help menu
Imprivata Single Sign On is licensed	Required	Gear menu > License
Imprivata enterprise is provisioned and connected to the cloud	Required	Gear menu > Cloud connection
OpenID Connect applications are added and enabled in Imprivata Admin Console	Required	Applications > Single sign-on application profiles
OpenID Connect applications are deployed to selected set of users	Required	Applications > Single sign-on application profiles
Imprivata users are assigned to user policy enabled for Single Sign On	Required	Users > User policies

Step 2: Imprivata Cloud Connection

Imprivata Services will enter the Enterprise ID and one-time cloud provisioning code required to establish trust between your Imprivata enterprise and the Imprivata cloud:

In the Imprivata Admin Console, click the gear icon > Cloud connection.
Services will enter your Enterprise ID and cloud provisioning code. (The cloud provisioning code expires 5 minutes after it's generated. Generate a new code if 5 minutes has elapsed.)
Click Establish trust.

IMPORTANT:
The cloud connection must be established by Imprivata Services.

Step 3: Exchange IdP and RP Metadata

Imprivata SSO (IdP) and your OpenID Connect application, the Relying Party (RP), need metadata from each other.

Open both consoles at the same time and import this metadata as follows:

In your RP's administrator console, copy the RP client credentials and Redirect URIs.
In the Imprivata Admin Console, go to the gear icon > Web App Login Configuration.

Enter the RP client credentials and Redirect URIs.
Click View and copy Imprivata (IdP) OpenID Connect metadata.
- Provide the Client ID and Client Secret values on the RP's admin console.
- Provide the endpoint URL metadata to the RP. This can be entered manually, or by providing the IdP metadata URL.
Save your work.

Step 4: Add an OIDC Application

In the Imprivata Admin Console, only the superadmin role is able to configure SSO application profiles:

In the Imprivata Admin Console, go to Applications > Single sign-on application profiles.

All Single sign-on application profiles, including Mobile app profiles and OpenID Connect application profiles, are managed from this page.
Click Add App Profile > Web application using OpenID Connect. The Add application using OpenID Connect page opens.
Give the application profile a name. This name is only visible to administrators.

Give the application a user-friendly name. This is the application name your users will see when they log in.
Enter Redirect URIs from the RP. If you don't have them yet, leave this window open and go to the RP's admin console in another window.
Optional: Claims — Review the default claims, and configure any custom claims required for your integration.
Generate Client credentials to provide to the RP.
Generate IdP Metadata to provide to the RP.
Click Save.

Step 5: Configure MAM

Configure several settings in MAM to support the integration.

In the MAM console, navigate to Admin > Check Out.
Switch the Password Autofill and SSO setting to ON.
Switch the Require a second factor to unlock the device setting to ON.

This setting controls whether users must provide a second factor in the Locker app during checkout to unlock the device.

Step 6: Conditional - Configure Epic Rover

NOTE:

Beginning with MAM 7.3 UAT and Locker 4.3, using Locker SSO is the preferred method for authenticating to Epic Rover.

Contact your Epic TS for assistance with configuring your Epic environment with OpenID Connect.

Configure Locker SSO to OpenID Connect-enabled Apps

Prerequisites