Installing and Configuring Imprivata OneSign
Before deploying Imprivata OneSign to users, customize the default values to meet the needs of your organization.

The Imprivata enterprise is a group of Imprivata appliances that synchronize their databases and are configured to work together to service a collection of endpoint computers. All appliances in an enterprise share the same users, policies, and enrollments.
Your enterprise is automatically created when the first appliance is configured. See Establishing the Imprivata Enterprise
After you have added the first appliance to the enterprise and configured enterprise settings, it is important to add a second appliance immediately. See Adding an Appliance to the Enterprise

Before you can deploy the Imprivata agent to users, you need to configure system properties and settings.
Review Your Licensed Features
Review the License page to be sure your current license includes all the licensed options that you expect. See Imprivata Licensed Features
Customize System Settings
Before rolling out Imprivata OneSign to your users, you should adjust the settings on the Settings page (Imprivata Admin Console > gear icon menu > Settings) to suit the needs of your enterprise, including:
- Review system settings, including where to post system status logs, the logging level, and the default refresh interval (for Imprivata agent logging)
- Schedule audit log backups
Configure Reports and Notifications
Imprivata provides reporting and notification tools for auditing, performance monitoring, troubleshooting and other uses. Reports are available for Imprivata platform, Imprivata OneSign, and Imprivata Confirm ID actions. The reports you can run are determined by the licensed features you have. See Using Reporting Tools
In addition to running reports, you can arrange to be automatically notified of events by email (or you can have the notification posted to a URL or to the appliance system log). See Configuring Event Notifications
Customize Imprivata OneSign Extensions
Imprivata OneSign provides three extension objects and allows your own procedure code to extend Imprivata OneSign functionality.
To create and enable Imprivata OneSign extension objects, see Imprivata OneSign Extension Objects.
(Optional) Authenticate Application User Identity with Imprivata OneSign ProveID
Imprivata OneSign ProveID Client enables you to map specially configured applications to Imprivata OneSign’s ProveID user authentication feature.
The API Access page in the Imprivata Admin Console (gear icon menu > API Access) is also where you enable the ProveID Web API and any third-party Imprivata OneSign-enabled products that you will use in your enterprise.

The Imprivata user database is a mirror of the user directories in all domains from which you create user accounts. When you first install Imprivata, there are no user accounts in place.
To set up the Imprivata user database, you synchronize with the user directories on which your users’ primary accounts are located. To synchronize the database, see Managing Domains (Directories).
Configuring Imprivata OneSign to Recognize a Secondary Domain Controller
If your directory connections use SSL, it is good practice at this point to make Imprivata recognize any secondary and tertiary domain controllers you have, so that SSL connections still succeed when the primary controller is unavailable. Follow the same procedure you use to add a user directory domain (see Managing Domains (Directories)), but enter the details of the secondary or tertiary domain controller. You can stop right after accepting the certificate: there is no need to establish that controller as a user domain; this is simply an easy way to obtain its certificate. Because accepting the certificate is a trust-on-first-use decision, confirm the certificate’s fingerprint with the domain administrators before accepting it.
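Because accepting the certificate is a trust-on-first-use step, a practitioner will want to confirm each controller’s LDAPS certificate out of band before clicking through. The following is an added example, not Imprivata code: a Python check that connects to TCP 636 on each domain controller, reports whether the local trust store already validates the certificate, and otherwise compares its SHA-256 fingerprint with one the administrator recorded. The hostnames and pinned fingerprints are placeholders, and the fetch function can be swapped for a stub so the audit logic can be exercised offline.

```python
"""LDAPS certificate pre-check for domain controllers before adding them to
Imprivata. Added example, not Imprivata code; hostnames are placeholders."""
import hashlib
import socket
import ssl


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_ldaps_cert(host: str, port: int = 636, timeout: float = 5.0):
    """Return (der_bytes, trusted): first attempt a fully verifying TLS
    handshake; if that fails only because the chain is untrusted, retry
    without verification so the fingerprint can still be reported for
    manual comparison. Other errors (refused, timeout) propagate."""
    verifying = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with verifying.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True), True
    except ssl.SSLCertVerificationError:
        pass
    unverified = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    unverified.check_hostname = False
    unverified.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with unverified.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), False


def audit_domain_controllers(hosts, pinned, fetch=fetch_ldaps_cert):
    """For each DC, classify its LDAPS certificate as:
    'trusted'     - validated by this host's trust store,
    'pinned'      - not trusted here but matches the recorded fingerprint,
    'mismatch'    - neither, so do NOT accept it in Imprivata until explained,
    'unreachable' - no TLS session could be established on 636."""
    report = {}
    for host in hosts:
        try:
            der, trusted = fetch(host)
        except (OSError, ssl.SSLError):
            report[host] = ("unreachable", None)
            continue
        fingerprint = sha256_fingerprint(der)
        if trusted:
            status = "trusted"
        elif pinned.get(host) == fingerprint:
            status = "pinned"
        else:
            status = "mismatch"
        report[host] = (status, fingerprint)
    return report


if __name__ == "__main__":
    # Placeholder hostnames and an empty pin list: edit before running.
    controllers = ["dc1.corp.example", "dc2.corp.example", "dc3.corp.example"]
    for host, (status, fp) in audit_domain_controllers(controllers, {}).items():
        print(f"{host:24} {status:12} {fp or ''}")
```

Run the audit from the appliance’s network segment, since a certificate that is trusted on an administrator’s workstation may still be untrusted from the appliance, and record the fingerprint you see next to the one shown in the Imprivata Admin Console before accepting it.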

Administrator roles are a powerful tool for delegating Imprivata administration operations throughout an enterprise. Delegated administration employs three concepts: administrative operations, scope of delegation, and inheritance of these two properties.
Administrators are configured on the Administrator roles page (Imprivata Admin Console > gear icon > Administrator roles). See Administrator Roles (Delegated Administration)

Imprivata virtual desktop access enables you to integrate your Citrix or VMware virtual desktops with Imprivata OneSign or Imprivata Confirm ID.
To configure the Imprivata virtual desktop infrastructure that applies to your organization, see Imprivata Virtual Desktop Access.

Imprivata can help you manage the unique security and user convenience challenges posed by shared workstation environments. See Setting Up Multi-User Workstations

If you will be using Imprivata OneSign SSO with applications served from a Citrix server or from a Microsoft Terminal Server, then install the Imprivata Citrix agent on the application server as described in Distribute the Imprivata Agent to Users’ Computers.
You can also set up Citrix Roaming and Citrix Fast User Switching as described in Creating and Managing Computer Policies.

You should edit the default user policy and create more policies to suit the needs of all your users. You create user policies based on the needs of your organization, and then assign the policies to individual users.
See Creating and Managing User Policies
NOTE: If you have an Imprivata Confirm ID license, then you need to create and assign user policies specifically for Imprivata Confirm ID signing policies. See Creating and Managing User Policies

You should edit the default computer policy and create more policies as needed to suit the security and other requirements of the computers in your organization.
You create computer policies based on the needs of your organization, and then assign the policies to individual computers.
Computer policies control:
- Agent settings
- Shared workstation settings
- Citrix or terminal server settings
- Fingerprint identification settings
- Proximity card settings
- Imprivata OneSign extension objects
- User policy override settings

If your users authenticate to Imprivata using an ID token, then you need to configure the settings relevant to the type of ID tokens used.
Imprivata OneSign supports one-time password (OTP) ID token authentication with:
- RSA SecurID® tokens with RSA Authentication Manager®.
- Secure Computing SafeWord® tokens with PremierAccess® and RemoteAccess™ servers.
- External RADIUS hosts, including PhoneFactor. See Configuring External OTP Tokens
- VASCO Digipass tokens using the internal VASCO VACMAN server described in Managing VASCO OTP Tokens.
You assign and revoke ID token authentication and all other authentication-related settings through the user policies that you assign to each user.
Configuring the Imprivata Server to Work with an External ID Token Server
ID token-enabled users authenticating to Imprivata use their domain usernames instead of their ID token system usernames (these may be the same values). In all other ways Imprivata makes no changes to the user experience.
To use ID tokens with Imprivata, configure Imprivata to recognize the ID token server, and the ID token server must recognize the Imprivata appliances. This is not necessary if you are using Digipass tokens with the VASCO OTP Token Authentication licensed feature.
To configure the Imprivata server to work with an ID token server:
- Configure the Imprivata server to recognize the ID token system
- Configure the ID token server to recognize the Imprivata server
See Configuring External OTP Tokens for complete details
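What “recognize each other” amounts to on the wire, as an added example that is not Imprivata’s, RSA’s or any other vendor’s code: a RADIUS (RFC 2865) Access-Request / Access-Accept exchange in Python, with the appliance in the RADIUS client role. Every hostname, NAS identifier, shared secret, username and OTP value is constructed, and the server is a toy stand-in that looks clients up by NAS-Identifier where a real server keys registered clients by source IP. The point it shows is why both sides must hold the same shared secret: the secret hides the User-Password in the request and authenticates the reply, so an unregistered client is silently dropped and a mistyped secret yields a reply the client must discard, which surfaces as a timeout rather than a clean reject.

```python
"""RADIUS PAP exchange (RFC 2865) between an authentication client, the role
the Imprivata appliance plays when it proxies to an external OTP host, and a
constructed stand-in RADIUS server. Added example; all values are invented."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _attr(atype: int, value: bytes) -> bytes:
    # Attribute = Type(1) Length(1, counts the 2-byte header) Value
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def _password_xor(data: bytes, secret: bytes, req_auth: bytes, hiding: bool) -> bytes:
    """RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first block chains on the Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, keystream))
        out += result
        prev = result if hiding else block  # ciphertext block either way
    return out


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    return _password_xor(padded, secret, req_auth, hiding=True)


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return _password_xor(hidden, secret, req_auth, hiding=False).rstrip(b"\x00")


def build_access_request(ident, username, otp, secret, nas_id, req_auth=None):
    """Client side: Code(1) ID(1) Length(2) RequestAuthenticator(16) Attributes."""
    req_auth = req_auth or os.urandom(16)  # must be unpredictable per request
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(otp, secret, req_auth))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def _build_response(code, ident, req_auth, secret, attrs=b""):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def radius_server(packet: bytes, clients: dict, users: dict):
    """Toy OTP host. `clients` maps NAS-Identifier -> shared secret (a real
    server keys clients by source IP). Returns None where a real server would
    silently drop the request, so the client only ever sees a timeout."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    req_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    secret = clients.get(attrs.get(ATTR_NAS_IDENTIFIER))
    if secret is None or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return None  # unregistered client or malformed request: dropped
    otp = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    accepted = hmac.compare_digest(users.get(attrs[ATTR_USER_NAME], b""), otp)
    return _build_response(ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, req_auth, secret)


def verify_response(response, request: bytes, secret: bytes):
    """Client side: trust Accept/Reject only if the Response Authenticator was
    computed with our secret over our Request Authenticator; else None."""
    if response is None or len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None  # forged, corrupted, or wrong shared secret
    return code


def demo() -> dict:
    # Constructed registration data: one appliance known to the OTP host.
    clients = {b"imprivata-appliance-1": b"s3cret-shared-with-otp-host"}
    users = {b"jsmith": b"483920"}  # domain username -> OTP valid right now
    good = clients[b"imprivata-appliance-1"]

    def attempt(otp, secret, nas_id):
        req = build_access_request(7, b"jsmith", otp, secret, nas_id)
        return verify_response(radius_server(req, clients, users), req, secret)

    return {
        "good_otp": attempt(b"483920", good, b"imprivata-appliance-1"),
        "bad_otp": attempt(b"000000", good, b"imprivata-appliance-1"),
        "wrong_secret": attempt(b"483920", b"typo-in-secret", b"imprivata-appliance-1"),
        "unregistered_client": attempt(b"483920", good, b"imprivata-appliance-2"),
    }
```

Note the asymmetry in demo(): a wrong OTP comes back as a clean Access-Reject, but a mistyped shared secret and an unregistered appliance both end in no valid reply at all. When an ID token login fails without a reject being logged on the OTP host, check the appliance’s registration and secret on the token server before looking at the user’s token.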
Using VASCO Digipass Tokens
Imprivata-integrated support for VASCO® Digipass® tokens includes a suite of management tools for Digipass tokens described in Managing VASCO OTP Tokens.
Monitoring and Reporting ID Token Authentications
You can get real-time notifications of a variety of authentication events, including:
- Enrollment for OTP tokens
- Policy Enforced in Proxy to RADIUS
- Login Failure to RADIUS Host
You can run reports on OTP token data, including:
- Login activity
- User lockouts
- Enrollment
- User activity
- Administrator activity
- RADIUS activity
Notifications are detailed in Configuring Event Notifications and reports are detailed in Using Reporting Tools

When the user logs in to Windows with their username and password, Imprivata ID sends a push notification to their enrolled device. The user accepts the notification and is granted access.
The user can be prompted to download Imprivata ID and enroll before and/or after the desktop opens.
The user must have a supported device and the Imprivata ID app installed; no additional hardware is required at the endpoint computer to support this workflow.
For complete details, see Imprivata ID for Windows Access

Imprivata OneSign supports a variety of authentication methods through user policies.
Most authentication methods require some configuration. To configure Imprivata OneSign for use with all authentication methods, including the VASCO integration option, see Configuring Authentication Methods in User Policies.

Fingerprint Identification is an optional licensed feature. Fingerprint verification (1:1) matches a scanned fingerprint against the enrolled records of a user who has already stated who they are. Fingerprint Identification (1:N) instead identifies the user by comparing the scanned fingerprint against all enrolled fingerprint records; on a unique match the user is identified and authenticated in one step. Because 1:N matching compares against every enrolled record, the likelihood of a false match grows with the size of the enrolled population, so weigh the convenience against the number of users you expect to enroll.
If you have the Fingerprint Identification license, you configure it in computer policies. Fingerprint Identification is an enterprise-wide setting; you cannot get the fingerprint identification licensed feature for a single Imprivata site.
Fingerprint Identification configuration is detailed in Configuring Fingerprint Identification in Imprivata OneSign, and authentication information is detailed in Configuring Imprivata OneSign Fingerprint Verification.

When you complete the steps in the sections above, Imprivata OneSign is ready to be deployed. See Deploying Imprivata OneSign to Users.