Configure Imprivata MDA Seamless Authentication to OpenID Connect-enabled Apps

Imprivata MDA adds seamless authentication to OpenID Connect (OIDC) apps that are configured for OIDC with Imprivata as the Identity Provider (IdP). Seamless authentication shares the Imprivata MDA user session with a third-party app, so the user does not have to enter credentials again to authenticate to that app.

Imprivata MDA provides reliable SSO for OIDC-enabled apps in the following three scenarios:

  • Web app authentication in a web browser

  • Native app authentication through Custom Tab

  • Native app authentication through Web View

The feature consists of two parts: authentication and logout.

  • Authentication is enabled automatically on mobile devices running Imprivata MDA when an authenticated user is present in Imprivata MDA and the third-party app supports OIDC authentication.

  • An OIDC-enabled app that was seamlessly authenticated through this feature has three user sessions established at different levels. A complete logout from the app means closing all three sessions:

Session level: OIDC-enabled app user session
  Logout method: app-specific logout method (Imprivata MDA SDK integration, x-callback-url, Clear cache, Clear data, Force stop, MSAL)
  Logout trigger: Imprivata MDA user logout or user switch

Session level: Imprivata IdP user session
  Logout method: Imprivata MDA closes the session with a request to the Imprivata appliance during Imprivata MDA logout or user switch
  Logout trigger: Imprivata MDA user logout or user switch

Session level: Imprivata MDA user session
  Logout method: Imprivata MDA functionality
  Logout trigger: Imprivata MDA user logout or user switch

Prerequisites

Take note of the following prerequisites:

  • Imprivata Web SSO with OpenID Connect configured.

  • The Imprivata appliance must have a TLS (SSL) certificate signed by a trusted CA.

  • An OIDC profile created for the third party app, deployed to the user.

    For more information on configuring Imprivata Web SSO with OpenID Connect and adding OIDC apps, see the Imprivata Enterprise Access Management online help system.

Limitations

Take note of the following limitations:

  • The feature is enabled only for authenticated users in Imprivata MDA. Guest and Admin users won't have the feature enabled, because in these modes, Imprivata MDA doesn't have an Imprivata Enterprise Access Management session to propagate to the IdP level.

Imprivata Appliance Configuration

Validate OpenID Connect integration settings on the Imprivata Admin Console:

All of the following settings are required (Imprivata Admin Console location in parentheses):

  • Imprivata Single Sign On is licensed (Gear menu > License)

  • Imprivata enterprise is provisioned and connected to the cloud (Gear menu > Cloud connection)

  • OpenID Connect applications are added and enabled in the Imprivata Admin Console (Applications > Single sign-on application profiles)

  • OpenID Connect applications are deployed to the selected set of users (Applications > Single sign-on application profiles)

  • Imprivata users are assigned to a user policy with Single Sign On enabled (Users > User policies)

Cloud Connection

Imprivata Services will enter the Enterprise ID and one-time cloud provisioning code required to establish trust between your Imprivata enterprise and the Imprivata cloud:

  1. If you're not on the Cloud Connection page already: In the Imprivata Admin Console, click the gear icon > Cloud connection.

  2. Services will enter your Enterprise ID and cloud provisioning code. (The cloud provisioning code expires 5 minutes after it is generated. Generate a new code if 5 minutes have elapsed.)

  3. Click Establish trust.

    BEST PRACTICE:

    The cloud connection must be established by Imprivata Services.

IdP and RP Metadata

Imprivata Web SSO (the IdP) and your OpenID Connect application (the Relying Party, or RP) each need metadata from the other. Open both consoles at the same time and exchange this metadata as follows:

  1. In your RP's administrator console, copy the RP client credentials and Redirect URIs.

  2. In the Imprivata Admin Console, go to the gear icon > Web App Login Configuration.

    Enter the RP client credentials and Redirect URIs.

  3. Click View and copy Imprivata (IdP) OpenID Connect metadata.

    • Provide the Client ID and Client Secret values on the RP's admin console.

    • Provide the endpoint URL metadata to the RP. This can be entered manually, or by providing the IdP metadata URL.

  4. Save your work.

Add an OIDC Application

Only the superadmin role is able to configure Web SSO application profiles:

  1. In the Imprivata Admin Console, go to Applications > Single sign-on application profiles.

    All Single sign-on application profiles, including Mobile app profiles and OpenID Connect application profiles, are managed from this page.

  2. Click Add App Profile > Web application using OpenID Connect. The Add application using OpenID Connect page opens.

  3. Give the application profile a name. This name is only visible to administrators.

    Give the application a user-friendly name. This is the application name your users will see when they log in.

  4. Enter Redirect URIs from the RP. If you don't have them yet, leave this window open and go to the RP's admin console in another window.

  5. Optional: Claims — Review the default claims, and configure any custom claims required for your integration.

  6. Generate Client credentials to provide to the RP.

  7. Generate IdP Metadata to provide to the RP.

  8. Click Save.
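The metadata exchange above (IdP and RP Metadata) and the Redirect URIs entered in step 4 of this procedure are where most OIDC integration mistakes are made: an endpoint served from a host other than the issuer, an IdP that advertises unsigned ID tokens, a plain-http or wildcard redirect URI, or an RP that matches redirect URIs by prefix instead of exactly. The following added example (not Imprivata code, and not part of the original page) is an offline checker for these points. The discovery document and RP registration are constructed sample data, and the hostnames, endpoint paths and client credentials are placeholders, not values taken from any Imprivata appliance.

```python
"""Offline sanity checks for an OpenID Connect IdP/RP pairing.

Added example, not vendor code. All data below is constructed; hostnames,
paths and credentials are placeholders chosen for illustration.
"""
import json
from urllib.parse import urlsplit

# Constructed sample of what an IdP's /.well-known/openid-configuration
# typically contains (the "IdP metadata URL" the RP can be pointed at).
SAMPLE_IDP_METADATA = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oidc/authorize",
    "token_endpoint": "https://idp.example.com/oidc/token",
    "userinfo_endpoint": "https://idp.example.com/oidc/userinfo",
    "jwks_uri": "https://idp.example.com/oidc/jwks",
    "response_types_supported": ["code"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Constructed sample of what gets registered for the RP on the IdP side:
# the generated client credentials plus the RP's redirect URIs (one web
# callback and one native-app custom scheme, as used by Custom Tab / Web View).
SAMPLE_RP_REGISTRATION = {
    "client_id": "rp-client-123",          # placeholder
    "client_secret": "placeholder-secret",  # placeholder
    "redirect_uris": [
        "https://app.example.com/oidc/callback",
        "com.example.app://oidc/callback",
    ],
}

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_idp_metadata(raw):
    """Return a list of problems found in an IdP discovery document (empty means OK)."""
    problems = []
    try:
        meta = json.loads(raw)
    except ValueError as exc:
        return [f"metadata is not valid JSON: {exc}"]
    issuer = urlsplit(meta.get("issuer", ""))
    if issuer.scheme != "https" or not issuer.netloc:
        problems.append("issuer must be an https URL")
    for key in REQUIRED_ENDPOINTS:
        url = meta.get(key)
        if not url:
            problems.append(f"missing {key}")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{key} must use https")
        # An endpoint on a different host than the issuer is a sign of a
        # copy/paste mix-up and would send codes or tokens to the wrong party.
        if parts.netloc != issuer.netloc:
            problems.append(f"{key} host {parts.netloc} differs from issuer host {issuer.netloc}")
    if "code" not in meta.get("response_types_supported", []):
        problems.append("IdP does not advertise the authorization code flow")
    if "none" in meta.get("id_token_signing_alg_values_supported", []):
        problems.append("IdP allows unsigned ID tokens (alg none)")
    return problems


def check_rp_registration(reg):
    """Return a list of problems with the RP's registered credentials and redirect URIs."""
    problems = []
    if not reg.get("client_id") or not reg.get("client_secret"):
        problems.append("client credentials incomplete")
    uris = reg.get("redirect_uris") or []
    if not uris:
        problems.append("no redirect URIs registered")
    for uri in uris:
        parts = urlsplit(uri)
        # Plain http is only tolerable for loopback during development.
        if parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1"):
            problems.append(f"redirect URI {uri} uses plain http")
        # Wildcards and fragments have no place in a registered redirect URI.
        if "*" in uri or parts.fragment:
            problems.append(f"redirect URI {uri} contains a wildcard or fragment")
    return problems


def redirect_uri_allowed(requested, registered):
    """Exact string comparison, as OIDC/RFC 6749 require: no prefix or wildcard matching."""
    return requested in registered
```

Run `check_idp_metadata` against the document you download from the IdP metadata URL and `check_rp_registration` against what you typed into the Add application using OpenID Connect page before saving; `redirect_uri_allowed` shows the only matching rule an RP should accept, so that a crafted `redirect_uri` on a look-alike host or with an appended path is rejected.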