Spine Combined Workflow — Physical Smartcards

NHS Digital requirements:

• The NHS Digital Identity Agent and NHS Credential Manager must be installed on all endpoint computers that require access to Spine applications using Microsoft Edge or Google Chrome. Versions depend on the version of OneSign in your environment as detailed here:

• NHS guidelines require two–factor authentication. Verify that your Enterprise Access Management user policy is configured accordingly. For more information on configuring two–factor authentication, see Configuring Authentication Methods in User Policies.

On all endpoint computers, verify that the NHS Digital Identity Agent is installed to the default location. The default installation location for the NHS Digital Identify Agent is:

• 32–bit — Program Files\HSCIC\Identity Agent

• 64–bit — Program Files (x86)\HSCIC\Identity Agent

If the NHS Digital Identity Agent is not installed to the default location, complete the following on all endpoint computers:

1. Add the IAFilename value to the ISXAgent registry key. The registry key is installed with the Imprivata agent and is located at:

   • HKEY_LOCAL_MACHINE\SOFTWARE\SSOProvider\ISXAgent

2. Configure IAFilename with a Data Type of REG_SZ and set the value to the fully qualified path of the NHS Digital Identity Agent executable.

The following steps detail the authentication workflow when the user policy is configured for Spine support:

1. At the beginning of the shift, the user authenticates to Enterprise Access Management on endpoint 1 using two–factor authentication.

2. The user inserts their Spine card into the reader and opens a Spine application. The user is prompted for a passcode.

3. The user enters the passcode and is authenticated to the Spine.

   NOTE: If the user has multiple Spine roles, they are prompted to select one.

4. The user closes the Spine application and removes their Spine card.

5. The user returns to endpoint 1 and opens a Spine application. The user is not required to insert their Spine card and is not prompted for a passcode.

   The time the user waits to be re–authenticated is reduced. During the Enterprise Access Management grace period, the appliance manages the authentication request. This removes the delays associated with network factors, such as load and latency, that can exist between your enterprise and the Spine.

6. The user logs out of endpoint 1.

7. During the same shift, the user authenticates to Enterprise Access Management on endpoint 2 using two–factor authentication and opens a Spine application. Although the user has moved to a different endpoint, inserting a Spine card and entering a passcode is not required.

   The appliance continues to manage the authentication request during the grace period.

8. The user determines that a different Spine role is required.

9. The user clicks the Imprivata agent icon in the notification area, and then clicks Restart Spine session.

10. While re-authenticating to the Spine, the user chooses the required role.

Configuring Spine support requires that you:

• Enable the user policy for Spine applications.
• Specify a grace period of up to 12 hours. After users authenticate for the first–time, the grace period duration determines how long the appliance manages subsequent Spine authentication requests.

To configure Spine support:

1. From the Imprivata Admin Console, open the user policy you want to edit or create a new user policy (Users menu > User policies).

2. On the Authentication tab, go to the Spine Combined Workflow section.

3. Select Allow persistence of Spine Combined Workflow session and specify the Grace period for Spine persisted data.

4. Save and assign the user policy.

If your environment uses the Imprivata shared–kiosk workstation (type 2) agent, Enterprise Access Management closes all known Spine applications on user switch:

• A known Spine application is one that directly uses the Identity Agent ticket API to establish the connection with the NHS Digital Identity Agent.

• An unknown Spine application is one that indirectly uses the Identity Agent ticket API to establish the connection. For example, a web browser–based application may use a program file, such as jp2launcher.exe, to establish the connection.

A procedure code extension object is required to close unknown Spine applications on user switch. For more information on procedure codes, see Extension Objects.

Delete a Spine session when it should no longer be associated with the user. For example — a user has reported a Spine card lost or stolen.

To delete a Spine session:

1. In the Imprivata Admin Console, go to the Users menu > Users page.

2. Search for the required user and click the user name to view their Imprivata account information.

3. Go to the Spine Combined Workflow associated tickets section and click Delete Ticket. The session is immediately ended.

Users with multiple Spine roles can switch from their current role to another by restarting the Spine session. Restarting the session prompts users to re-authenticate, during which, a new role is selected. Re-authenticating results in a new Spine ticket:

• The ticket from the current session remains valid, until replaced by the new ticket.

• Once replaced, the Enterprise Access Management grace period resets.

To restart the session, click the Imprivata agent icon in the notification area, and then click Restart Spine session.

This functionality is intended for administrators only. Unlike restarting, resetting a Spine session deletes the Spine ticket and ends the current session.

After a session has been reset, users must re-authenticate to the Spine.

To reset the Spine session, Ctrl + click the Imprivata agent icon in the notification area, and then click Reset Spine session.