Set Up Enterprise
Set up your enterprise for individual identity proofing with DigiCert.
If all of your clinicians will be identity proofed within your organization with Enrollment Supervisors, you can skip this section. See Institutional Identity Proofing.
CAUTION — Institutions with no DEA Number: For organizations with no institutional DEA number, a Certificate Authority (CA) such as DigiCert must perform identity proofing and issue certificates to your providers for DEA-regulated signing workflows. Credentials tied to a user's identity proofing must be used for DEA-regulated signing workflows.
Institutions with a DEA Number: You may perform identity proofing within your organization with Enrollment Supervisors, or you have the option to use a CA to perform identity proofing.
SMTP Connection
An SMTP server must be specified to send email notifications to administrators and end users:
- In the Imprivata Admin Console, open the gear icon menu, and click Settings.
- In the Email configuration section, click Modify.
- Type the IP address or FQDN of the mail server in the SMTP Server field.
- (Optional) By default, the Imprivata appliance secures outgoing email using TLS. Uncheck Use TLS to disable this functionality. If you choose to leave TLS enabled, consider the following:
  - Imprivata supports TLS versions up to 1.2, but does not enforce any specific version. How your environment is configured determines the required version.
  - Your SMTP server must support TLS, and additional configuration may be required. For more information, see your vendor-specific documentation.
- If required, type the credentials of an account that is authorized to send email through your server/mail relay in the SMTP Server Account Username and SMTP Server Account Password fields.
- Type the sender address in the Email messages are from field.
- Click OK.
NOTE: The Test button only confirms that the connection can be made to the SMTP server. To test that an email can be sent and received, open the Users page. Select a user, click Notify, and select the type of notification to send as a test.
Outbound Communication
To enable individual identity proofing with DigiCert, your Imprivata appliances must be able to communicate outside your firewall.
| Port | Protocol | Direction | Host | Description |
|---|---|---|---|---|
| 443 | HTTPS | Outbound | api.digicert.com | DigiCert server required for Individual identity proofing |
| | HTTP | Outbound | http://ocsp.digicert.com | DigiCert server required for revocation checking via the online certificate status protocol |
| | HTTP | Outbound | http://ocsptest.digicert.com | Non-production DigiCert server for revocation checking via the online certificate status protocol. For test computers only.¹ |
| 443 | HTTPS | Outbound | www.digicert.com | DigiCert identity proofing: required to access the token URL in the enrollment utility. |
| 443 | HTTPS | Outbound | *.amazonaws.com | A connection to Amazon S3 is needed for the Imprivata appliance to update the DigiCert metadata (e.g. the client certificate). This is required for Individual identity proofing of new users. |
| 443 | HTTPS | Outbound | cloud.imprivata.com | Connection to the Imprivata Cloud, allows communication from users outside the firewall to Imprivata OneSign inside the firewall. |

¹ Test computers in a non-production enterprise use a test DigiCert server for revocation checking. If communication to the test DigiCert host is blocked, the user may see an alert in the Admin Console that the DigiCert service is down. Functionality is not blocked; revocation checking will not occur.
For the complete list of remote communication sites required in an Imprivata enterprise,
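A pre-flight script for the two network requirements above (the SMTP relay's TLS support and the outbound hosts in the table), added here as an example; it is not Imprivata or DigiCert code. The host list is transcribed from the table; the probe functions, the assumed port 80 for the OCSP rows (the table leaves that cell blank, 80 being the default for an http:// URL), and the choice to pin the SMTP probe to TLS 1.2 are this example's own assumptions. Run it from the appliance's network segment so the result reflects the firewall rules that actually apply.

```python
"""Pre-flight connectivity checks for the DigiCert identity-proofing setup.

Added example, not Imprivata or DigiCert code. ENDPOINTS is transcribed from
the outbound-communication table; the probe functions are assumptions about
how an administrator might verify reachability from the appliance's segment.
"""
import smtplib
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    tls: bool       # True: expect a validated TLS handshake; False: plain HTTP
    purpose: str


# Port 80 for the OCSP rows is assumed (default port of an http:// URL); the
# table gives no port for them. The *.amazonaws.com wildcard cannot be probed
# as a single hostname and is intentionally left out.
ENDPOINTS = (
    Endpoint("api.digicert.com", 443, True, "individual identity proofing"),
    Endpoint("ocsp.digicert.com", 80, False, "OCSP revocation checking"),
    Endpoint("ocsptest.digicert.com", 80, False, "OCSP revocation checking (test computers only)"),
    Endpoint("www.digicert.com", 443, True, "token URL in the enrollment utility"),
    Endpoint("cloud.imprivata.com", 443, True, "Imprivata Cloud connection"),
)


def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_version(host: str, port: int, timeout: float = 5.0) -> Optional[str]:
    """Negotiated TLS version after a validated handshake, or None on failure.

    The default context verifies the certificate against the local trust
    store, so an intercepting proxy with an untrusted CA fails here loudly.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except OSError:            # ssl.SSLError is a subclass of OSError
        return None


def smtp_starttls_version(host: str, port: int = 25, timeout: float = 5.0) -> Optional[str]:
    """TLS version negotiated with the SMTP relay via STARTTLS, or None.

    Pinned to TLS 1.2 (the highest version the appliance supports per the
    text above): None means the relay does not advertise STARTTLS or will
    not complete a TLS 1.2 handshake with a trusted certificate.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return None
            smtp.starttls(context=ctx)
            return smtp.sock.version()
    except (OSError, smtplib.SMTPException):
        return None


def run_checks(endpoints=ENDPOINTS, timeout: float = 5.0) -> dict:
    """Probe every endpoint; TLS is only attempted where TCP succeeded."""
    results = {}
    for ep in endpoints:
        tcp = tcp_reachable(ep.host, ep.port, timeout)
        tls = tls_version(ep.host, ep.port, timeout) if (tcp and ep.tls) else None
        results[ep.host] = {"port": ep.port, "tcp": tcp, "tls": tls, "purpose": ep.purpose}
    return results


def local_probe_demo() -> tuple:
    """Offline demonstration: probe a listening local port, then the same
    port after the listener is closed (connection refused)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    print("local probe (open, closed):", local_probe_demo())
    for host, r in run_checks().items():
        print(f"{host}:{r['port']:<4} tcp={r['tcp']} tls={r['tls']}  # {r['purpose']}")
    print("smtp relay TLS 1.2:", smtp_starttls_version("smtp.example.org"))  # placeholder host
```

A blocked OCSP host shows up as `tcp=False` on the ocsp row; as the footnote states, that does not block the product but it does mean revocation checking silently does not happen, which is the case most worth catching before go-live.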
Imprivata Cloud Connection
Your Imprivata enterprise must be connected to the Imprivata cloud so Imprivata can send your users an SMS text message or voice call during individual identity proofing.
Cloud Connection
Imprivata Services will enter the Enterprise ID and one-time cloud provisioning code required to establish trust between your Imprivata enterprise and the Imprivata cloud:
- If you're not on the Cloud Connection page already: In the Imprivata Admin Console, click the gear icon > Cloud connection.
- Services will enter your Enterprise ID and cloud provisioning code.
- Click Establish trust.
The cloud connection must be established by Imprivata Services.
Cloud Connection Status
You can review the status of your enterprise's connection to the Imprivata cloud at any time. Status notifications are displayed on the Imprivata Admin Console, and the cloud connection status of every appliance at every site is also available:
- In the Imprivata Admin Console, go to the gear icon > Cloud connection.
- Every appliance host is listed with its status. If there are problems with a connection, recommendations for resolving the problem are displayed here.
Active Directory Requirements
Imprivata Confirm ID must send the following Active Directory (AD) attributes to DigiCert to enable identity proofing. Verify that these attributes are present and accurate in AD for all providers who will be identity proofing with DigiCert:
- First Name
- Last Name
- Email address (the user must be able to receive a message at this address during identity proofing)
- Phone number (the user must be able to receive an SMS message or voice call at this number during identity proofing)
Verify that the provider's legal name is entered in the First Name and Last Name fields, and verify the email address field is accurate. Imprivata Confirm ID will automatically send these attributes to DigiCert to register the user for identity proofing.
You can also view, add, or edit these values on the User details page for each user on the Imprivata Admin Console.
For identity proofing security reasons, your users cannot add or edit their own name, email, or phone number.
Configure Telephone Numbers in Active Directory
Configure the homePhone and mobile telephone number attributes in AD.
For complete details on synchronizing your AD users with Imprivata,
- Click Synchronize on the Users page. The Synchronize window opens.
- Select the domain or file that holds the user records and click Next.
- Select the users to be imported.
- Click the Add button in the Extended User Attributes section. A three-field map opens.
- In the Extended User Attribute Name field, enter homePhone.
- In the Imprivata Meaning field, enter Phone (home). The label that will appear in the Users list is automatically filled in with the Imprivata Meaning value, but you can make edits.
- Click Add to add another.
- In the Extended User Attribute Name field, enter mobile.
- In the Imprivata Meaning field, enter Phone (mobile). The label that will appear in the Users list is automatically filled in with the Imprivata Meaning value, but you can make edits.
- Click Save.
The text strings in the Extended User Attribute Name fields must exactly match the field names in AD or the extended user attributes will not be synchronized.
Phone Number Format
- Specify a 10-digit US telephone number in any format.
- The country code 1 is optional.
- Imprivata Confirm ID will ignore any character that is not a digit (for example: hyphens, periods, parentheses).
- Any telephone number that doesn't meet these criteria or is malformed in any way will be ignored. The provider will not be able to begin identity proofing until the number is corrected in AD or the Imprivata Admin Console.
- If a provider's telephone number(s) are not present in AD, the provider will receive an error message. You can add or edit the phone number(s) on the User details page of the Imprivata Admin Console.
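The attribute requirements and the phone-number rules above can be checked before synchronizing, so that a provider is not told about a missing or malformed number only when identity proofing starts. The script below is an added example, not Imprivata code: it applies the Phone Number Format rules as written (digits only, optional leading country code 1, exactly 10 digits, anything else ignored) and reports which required attributes are missing. homePhone and mobile are the attribute names the page gives; givenName, sn and mail are this example's assumed AD attributes behind the First Name, Last Name and Email address labels, and SAMPLE_USERS is constructed data with fictitious 555-01xx numbers.

```python
"""Readiness check for the AD attributes Imprivata Confirm ID sends to DigiCert.

Added example, not Imprivata code. Rules come from the Active Directory
Requirements and Phone Number Format sections; givenName/sn/mail are assumed
attribute names, homePhone/mobile are the names the page specifies.
"""
import re
from typing import Optional

REQUIRED = (("givenName", "First Name"), ("sn", "Last Name"), ("mail", "Email address"))
PHONE_ATTRS = ("homePhone", "mobile")   # must match the AD attribute names exactly


def normalize_us_phone(raw: Optional[str]) -> Optional[str]:
    """Keep only digits, drop an optional leading country code 1, and require
    exactly 10 digits; anything else is treated as malformed (None)."""
    if not raw:
        return None
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]
    return digits if len(digits) == 10 else None


def check_user(record: dict) -> list:
    """Return the problems that would block identity proofing for one user."""
    problems = []
    for attr, label in REQUIRED:
        if not (record.get(attr) or "").strip():
            problems.append(f"{label} ({attr}) is missing")
    mail = (record.get("mail") or "").strip()
    if mail and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", mail):
        problems.append(f"Email address looks malformed: {mail!r}")
    usable = {}
    for attr in PHONE_ATTRS:
        raw = record.get(attr)
        usable[attr] = normalize_us_phone(raw)
        if raw and usable[attr] is None:
            problems.append(f"{attr} {raw!r} is malformed and will be ignored")
    if not any(usable.values()):
        problems.append("no usable telephone number in homePhone or mobile")
    return problems


# Constructed sample records in the shape an LDAP export might produce.
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe",
     "mail": "jane.doe@example.org", "mobile": "+1 (617) 555-0100"},
    {"sAMAccountName": "asmith", "givenName": "Alex", "sn": "Smith",
     "mail": "", "homePhone": "617.555.0101"},
    {"sAMAccountName": "rroe", "givenName": "R.", "sn": "Roe",
     "mail": "r.roe@example.org", "homePhone": "617-555-01",
     "mobile": "1-617-555-0102 x4"},
]


def readiness_report(users) -> dict:
    """Map each account name to its list of problems (empty list = ready)."""
    return {u["sAMAccountName"]: check_user(u) for u in users}


if __name__ == "__main__":
    for name, problems in readiness_report(SAMPLE_USERS).items():
        print(name, "READY" if not problems else "; ".join(problems))
```

The extension suffix on the third sample record is the case to watch: the non-digit characters are stripped, but the extension digits remain, so the number fails the 10-digit rule and is ignored exactly as the rules above describe.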
Browser and PDF Requirements
The Imprivata enrollment utility launches a browser window to complete individual identity proofing with DigiCert.
When a user chooses Declaration of Identity Verification (the "notary method"), the browser must be able to download a PDF, the user's workstation must be able to open and print the DigiCert form, and the user must later be able to scan the printout so it can be uploaded to DigiCert.