Deploying Imprivata OneSign to Users
IMPORTANT: Before completing the steps on this page, first complete the steps in Installing and Configuring Imprivata OneSign.
When you have configured all the Imprivata OneSign default values and policies, imported user data, and completed other setup tasks, then you are ready to deploy Imprivata OneSign to your users.
For best success, perform the tasks described in the following sections. Links to more detailed information are also provided throughout these sections.

It is a good practice to run a pilot deployment before deploying to all users. Imprivata OneSign integrates a number of disparate systems and administrative procedures. A pilot should take anywhere from two weeks to three months depending on the complexity of your deployment.
An effective pilot deploys to a representative sample of the user population, 10 to 50 users. Prepare the pilot users carefully so that they can recognize what is not working correctly and are not distracted by what simply no longer works the old, familiar way. Collectively, the pilot users should use all authentication methods, including remote logins if you will support them. If you have the Single Sign-On licensed feature, test all applications on a variety of desktops.
During the pilot deployment, administrators should practice the whole range of anticipated administrative activities, from developing and testing reports and notifications to scheduled user directory synchronizations, automated database backups, and a database restoration operation.

NOTE: Before continuing, review the different agent types detailed in About the Imprivata Agent.
You deploy the Imprivata agent to computers from the Imprivata Admin Console Deploy Agents page (Computers menu > Deploy agents) as described in Deploying the Imprivata Agent.
The Deploy agents page has two sections:
- Deployment Status displays how many of each type of agent are deployed, and provides a link to the Agent Deployment report.
- Deployment Procedure gives you the following methods of deploying the Imprivata agent to users:

Imprivata OneSign provides a comprehensive set of tools for securing unattended workstations in ways that fit seamlessly with your users’ needs.
See Configuring Walk-Away Security for Unattended Workstations.

There are a few points at which users may be required to take action:
- The Imprivata agent must be installed. The types of Imprivata agents are described in About the Imprivata Agent.
- If auto-update is configured, then when an update is available for the agent, the user sees a message announcing the update and asking for permission to install it. ProveID Embedded thin clients require no action from end users; the Imprivata agent is updated automatically.
- If you use finger biometrics, proximity card, or some forms of ID token authentication, then users enroll to Imprivata OneSign with those credentials. This is not required if users authenticate only by password or smart card, or for users using Digipass tokens if your Imprivata OneSign license includes the VASCO OTP Token Authentication licensed feature. Read about authentication options in Imprivata OneSign Authentication Methods.

The end-user experience of Imprivata OneSign SSO is nearly transparent. The user authenticates to each enabled application one last time as Imprivata OneSign captures the user’s credentials, and then Imprivata OneSign handles all subsequent authentications to those applications.
There are a few points at which users may be required to take action:
- The Imprivata agent must be installed. You can distribute it or you can allow users to install it themselves via a web-based download.
- You can configure application profiles in one of two ways:
  - Submit credentials. The user simply launches the application to gain access to it; the credential screen is filled in and submitted automatically.
  - Let the authentication screen remain visible pending the user’s decision to authenticate with the Imprivata OneSign-provided credentials. In this case, the credential screen is filled in and waits for the user's action.
- Users who have multiple accounts for a single application are prompted to select the login account to use when accessing the application.
- When an update is available for the Imprivata agent, the user sees a message announcing the update and asking for permission to install it.

The Imprivata OneSign Self-Services feature enables users to retrieve forgotten passwords if they can correctly answer a few security questions.
- Enrolling for Password Self-Services/Updating user profile: Before a user can use Imprivata OneSign self-services, the user must enroll. Users get an opportunity to enroll when they log into OneSign, if they have not yet enrolled.
- Resetting your primary authentication password: This is for users who want to reset their network password.
- Reviewing credentials for an application (Password Self-Services option only): Users can get their credentials for Imprivata OneSign SSO-enabled applications.
- Enable or disable the multiple accounts option for individual applications (Password Self-Services option only): The Multiple Accounts feature is for users who are enabled to have multiple sets of credentials (accounts) for a OneSign-managed application.
- Registering for an Imprivata Directory account: A directory of users who do not have a network account. The account must be approved and enabled by the Imprivata Admin Console.
BEST PRACTICE: Distribute the Imprivata OneSign Self-Services page address to users: https://<OneSign IP>/sso/passwordhelp
To customize the Self-Services with your corporate logo, see Branding Imprivata OneSign Self–Service.

The Getting Started feature helps new users get accustomed to Imprivata OneSign. This feature does not require the agent to be running. Users can access the Getting Started feature from Start > Programs > Imprivata OneSign or from the Imprivata agent menu.
From the Getting Started home page, users can learn about Imprivata OneSign and the Imprivata agent, including:
- How to use the Imprivata agent menu to access Imprivata OneSign options
- How single sign-on works
- How to use the Manage Passwords link to manage single sign-on credentials for individual applications
- How to suspend single sign-on, for instance to access an application using different credentials
You’ve Got Single Sign-On
By default, the new splash screen is shown to all users. You can disable the greeting for different user policies.
To activate or deactivate the greeting for all users with a specific user policy, select or deselect the Show greeting... option at the top of the user policy.
NOTE: This feature is not subject to computer policy override of user policy.