Spine Combined Workflow — Virtual Smartcards

Support for Spine applications reduces the time users must wait when re-authenticating to those applications during their shift.

After users have successfully completed two-factor authentication at login, Imprivata OneSign manages subsequent Spine authentication requests. Delegating the requests to Imprivata OneSign removes the delays associated with network factors, such as load and latency, that can exist between your enterprise and the Spine.

Virtual smartcards allow for improved remote and mobile workflows with the Spine while maintaining the security delivered by Imprivata OneSign and Spine Combined Workflow.

The virtual smartcard is designed to work with the NHS Identity agent and the Care Identity Service to minimize re-training on new systems. People assigned as Registration Authorities create user smartcards the way they always have, but now with options for physical or virtual smartcards.

For complete details of physical smartcards, see Spine Combined Workflow — Physical Smartcards.

NOTE: An Imprivata OneSign Spine Combined Workflow license and an Authentication Management license are both required for this feature. The Spine Combined Workflow is licensed on a per-user basis. Every user assigned to a user policy that is configured for Spine support requires a license.

Configure Connection to Spine Security Broker

In the Imprivata Admin Console, go to the gear icon > Settings > Spine Combined Workflow, and enter the URLs for the NHS Digital Identity Agent settings.

The environment configured here must match the environment that the Identity Agent is using (production, integration, development). To confirm which environment the Identity Agent is using, view these registry keys:

  • 32 bit — HKEY_LOCAL_MACHINE\SOFTWARE\HSCIC\Identity Agent

  • 64 bit — HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\HSCIC\Identity Agent

The value ActivatePOSTURL has the proper prefix for the URLs.
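As an added example (not Imprivata documentation or product code), the following PowerShell reads ActivatePOSTURL from both registry locations listed above and prints the URL prefix, so an administrator can compare it against the environment entered in the Admin Console. It assumes only the key paths and value name given on this page.

```powershell
# Added example: report the Identity Agent's ActivatePOSTURL from both registry locations
# named above so its prefix can be compared with the Admin Console's Spine configuration.
$paths = @(
    'HKLM:\SOFTWARE\HSCIC\Identity Agent',
    'HKLM:\SOFTWARE\WOW6432Node\HSCIC\Identity Agent'
)

foreach ($path in $paths) {
    # -LiteralPath because the key name contains a space.
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "$path : key not present"
        continue
    }

    $props = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
    $url = $props.ActivatePOSTURL
    if ([string]::IsNullOrEmpty($url)) {
        Write-Output "$path : ActivatePOSTURL not set"
        continue
    }

    Write-Output ("{0} : ActivatePOSTURL = {1}" -f $path, $url)
    try {
        # The scheme and host prefix is what identifies the environment
        # (production, integration or development).
        $uri = [uri]$url
        Write-Output ("    prefix to match in the Admin Console: {0}://{1}" -f $uri.Scheme, $uri.Host)
    } catch {
        Write-Warning "$path : ActivatePOSTURL is not a well-formed URL"
    }
}
```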

NOTE:

The Imprivata appliance uses these URLs to create an outbound connection to the Spine Security Broker from within your datacenter. Make sure your enterprise firewall allows this. For complete details, see About Outbound Communications.

NHS SSB Certificates

Valid NHS SSB certificates are installed by default, and do not need replacing until expiration.

  1. To update expiring certificate(s), download replacement SSB certificate(s) from the NHS Digital website.

  2. In the Imprivata Admin Console, go to the gear icon > Settings page > Spine Combined Workflow section.

    All existing certificates are listed on this page, with the expiration date and issuer. You can add and remove certificates here.

    Upload the replacement SSB certificate. The file extension must be .cer or .crt.

Expiring Certificates

Imprivata sends alerts when certificates are due to expire within 30 days.

You will see an alert on the Imprivata Admin Console, and if your enterprise is configured for email notifications, an email notification will be sent as well.
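The replacement certificate can be inspected locally before it is uploaded. The following is an added example (not Imprivata documentation or product code): it enforces the .cer/.crt extension the Admin Console requires, reports the issuer and expiry that the console lists for each certificate, and flags the same 30-day window the appliance alerts on. The file path is a placeholder.

```powershell
# Added example: check a downloaded replacement SSB certificate before uploading it.
function Test-SsbCertificateFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$WarnWithinDays = 30   # same window as the appliance's expiry alert
    )

    # The Admin Console only accepts .cer or .crt files.
    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    if ($ext -notin '.cer', '.crt') {
        throw "Unsupported extension '$ext': the file must be .cer or .crt"
    }

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

    if ($daysLeft -lt 0) {
        $status = 'EXPIRED'
    } elseif ($daysLeft -le $WarnWithinDays) {
        $status = 'EXPIRING SOON'
    } else {
        $status = 'OK'
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer        # listed next to the expiry date in the Admin Console
        Thumbprint = $cert.Thumbprint
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Status     = $status
    }
}

# Placeholder path: point this at the file downloaded from the NHS Digital website.
Test-SsbCertificateFile -Path 'C:\Downloads\ssb-replacement.cer' | Format-List
```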

Configuring Registration Authority Users

A Registration Authority user (RA) does not need administrator access to the Imprivata Admin Console — by design, RAs are distinct from Imprivata OneSign administrators, and can associate smartcards with Imprivata OneSign users via the Imprivata agent menu.

RAs can be enabled for Spine Combined Workflow and use it for application authentication as any other user would.

When generating physical or virtual smartcards, RAs can use Spine Combined Workflow to access the Care Identity Service.

When generating physical or virtual smartcards, the RA’s physical smartcard must be in the smartcard reader.

CAUTION:

Registration Authority users should not assign virtual smartcards to other RAs, or to themselves. No RA should be issued a virtual smartcard.

To enable a user as an RA, the user must already be assigned to a User Policy that is enabled for Spine Combined Workflow:

  1. In the Imprivata Admin Console, go to Users > Users, and select a user.

  2. In the section Spine Combined Workflow, select User is a Registration Authority.

  3. Click Save.

Issuing Virtual Smartcards

Registration Authority users (RAs) can generate both physical and virtual smartcards in the Care Identity Service when using Imprivata OneSign Spine Combined Workflow. The workstation used for generating virtual smartcards must have the Imprivata agent installed, and two smartcard readers attached to it. To generate a smartcard, the RA’s smartcard must be present in one of the smartcard readers. This gives the necessary permissions to generate a user smartcard.

Generate a Physical Smartcard

To generate a physical smartcard, the RA follows the existing and established steps to generate a physical smartcard.

Smartcard Reader As Printer

When using smartcard printers as the second reader, add a registry key that tells Imprivata OneSign to ignore this device as a reader:

  • 64 bit — HKEY_LOCAL_MACHINE\SOFTWARE\SSOProvider\DeviceManager\Devices\PKISC

  • 32 bit — HKEY_LOCAL_MACHINE\SOFTWARE\SSOProvider\DeviceManager\Devices\PKISC

For smartcard readers recognized by ScardAPI (Proxcard):

  • 64 bit — HKEY_LOCAL_MACHINE\SOFTWARE\SSOProvider\DeviceManager\Devices\Prox\Providers\ScardAPI

  • 32 bit — HKEY_LOCAL_MACHINE\SOFTWARE\SSOProvider\DeviceManager\Devices\Prox\Providers\ScardAPI

  • Key Name — SkipReaders

  • Key Type — REG_MULTI_SZ

NOTE:

This is a multi-string value. Each entry is a reader name exactly as OneSign reports it in its traces, for example OMNIKEY 3x21.
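As an added example (not Imprivata documentation or product code), the following PowerShell adds a reader name to the SkipReaders REG_MULTI_SZ value under the device paths listed above without discarding names already present, and creates the key if it does not exist. The reader name is the page's example and must be replaced with the name shown in your OneSign traces; keep only the device path that applies to your second reader.

```powershell
# Added example: append a reader name to the SkipReaders multi-string value so that
# OneSign ignores that device as a reader. Existing entries are preserved.
$readerName = 'OMNIKEY 3x21'   # example name from the page; use the name your OneSign traces show

# Smartcard printers use the PKISC path; readers recognized by ScardAPI use the Prox path.
$keys = @(
    'HKLM:\SOFTWARE\SSOProvider\DeviceManager\Devices\PKISC',
    'HKLM:\SOFTWARE\SSOProvider\DeviceManager\Devices\Prox\Providers\ScardAPI'
)

foreach ($key in $keys) {
    # New-Item -Force creates any missing parent keys.
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    $existing = @()
    $current = Get-ItemProperty -LiteralPath $key -Name SkipReaders -ErrorAction SilentlyContinue
    if ($null -ne $current) {
        $existing = @($current.SkipReaders)
    }

    if ($existing -contains $readerName) {
        Write-Output "$key : SkipReaders already lists '$readerName'"
        continue
    }

    # REG_MULTI_SZ is written from a string array; -PropertyType MultiString keeps the type.
    $updated = [string[]]($existing + $readerName)
    New-ItemProperty -LiteralPath $key -Name SkipReaders -Value $updated `
        -PropertyType MultiString -Force | Out-Null
    Write-Output "$key : SkipReaders now = $($updated -join ', ')"
}
```

Run from an elevated PowerShell session, since the keys are under HKEY_LOCAL_MACHINE.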

Generate a Virtual Smartcard

To generate a virtual smartcard, the RA's smartcard must be in one reader, and the second reader/printer must be empty. In the Care Identity Service Issue Smartcard popup, select Continue without smartcard print. The virtual smartcard is generated on your Imprivata OneSign appliance. The next section describes how the virtual smartcard generated for a CIS user is enrolled with that user's Imprivata OneSign identity.

NOTE: Before you generate a virtual smartcard, ensure that the RA computer has only Oberthur middleware installed. Gemalto middleware must be removed.

Gemalto middleware causes the vSC connection to fail. Removing it is safe since it was used to generate version 4/5/6 smartcards which are now obsolete.

Enrolling Virtual Smartcards

After a virtual smartcard has been generated in the Care Identity Service, it is held securely on your Imprivata OneSign appliance, but it is not yet enrolled with an Imprivata OneSign user. A Registration Authority user (RA) must enroll it with an Imprivata OneSign user:

  1. On the Imprivata agent menu, select Manage Virtual Smartcards.

  2. Search for and select the user, then click Assign VSC.

  3. From the Select virtual smartcard popup, find the unassigned virtual smartcard with the Care Identity Service username and serial number that matches the virtual smartcard you generated earlier.

  4. Click Select.

Self-Service Virtual Smartcard Renewal

Users can renew their own virtual smartcards from the existing NHS Care Identity Service site.

When a virtual smartcard is expiring, an Imprivata popup warning appears at workstation login, showing the remaining effective days. Users must renew the smartcard before it expires in order to use the self-service feature. After expiration, users must go to the NHS Registration Authority.

To renew a virtual smartcard:

  1. If a smartcard reader is present, ensure that no smartcard is inserted in it.

  2. Log in to the NHS Care Identity Service site, and click on your username at the top of the window.

  3. Scroll down to the Smartcard Details table, select the smartcard you want to renew and click Service. If there are multiple entries, use the expiration date to identify the correct entry.

  4. In the SmartCard Service dialog, select the Renew Service radio button and click Continue.

  5. Enter any character or characters in the "Enter passcode" field, and click Confirm.

  6. The dialog displays renewal progress, and an Imprivata popup success message appears.

Spine Authentication Workflow with a Virtual Smartcard

  1. At the beginning of the shift, the user authenticates to Imprivata OneSign using two-factor authentication.

  2. The user opens a Spine application.

    Imprivata OneSign contacts NHS Spine and authenticates the user's virtual smartcard on their behalf. The virtual smartcard authentication is transparent to the user: the Spine application opens immediately.

Changing Roles

Users with virtual smartcards can change roles without closing their Spine session and re-authenticating. These users can go to the Imprivata agent menu and select Set Spine Role to:

  • View their current Role

  • Select a new default Role for future sessions

  • Change Roles; after they change roles on this Imprivata agent menu, the user may have to restart an open Spine application for the change to take effect.

This feature is not available when using physical smartcards. Users authenticating with physical smartcards must close their Spine session and re-authenticate to change roles.