Imprivata Web SSO — Second Factor Only

This integration allows Microsoft Entra ID to invoke Imprivata as an external second-factor provider during multi-factor authentication (MFA). When configured, Entra ID delegates the MFA challenge to Imprivata EAM, which validates the user’s second authentication factor and returns the result back to Entra ID.

How It Works

This integration enables Entra ID to delegate its MFA second step to Imprivata EAM, to support Entra ID’s external authentication model while preserving all existing workflow, auditing, and reporting capabilities.

When Entra ID requires a second factor, it redirects the user’s browser to Imprivata using an OIDC implicit flow containing a short-lived id_token_hint. Imprivata validates the token and launches the Second factor only authentication (SFO) workflow. The user completes a single authentication, and then Imprivata EAM returns a signed id_token to Entra ID, proving successful second-factor completion.

Although only the second factor is performed within Imprivata, the validated id_token_hint provides cryptographic proof that the first factor has already been completed, enabling the Web SSO session to be marked as "full" MFA.
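To make that validation step concrete, the following is an added example (not Imprivata's or Microsoft's code) of the claim checks an external method applies to the incoming id_token_hint before starting the SFO workflow. The tenant and client values are constructed placeholders, and the v2.0 issuer format and the 300-second freshness window are assumptions.

```python
import base64
import json

# Constructed placeholder values (not real identifiers) standing in for the
# Entra Tenant ID and the Client ID from the Imprivata application profile.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "eam-client-id-placeholder"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def validate_id_token_hint(token: str, tenant_id: str, client_id: str,
                           now: int, max_age: int = 300) -> dict:
    """Claim checks on id_token_hint; raises ValueError on failure.
    Precondition: the caller has already verified the JWS signature against
    the JWKS published at the issuer's discovery endpoint."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if header.get("alg") != "RS256":  # refuse alg=none and symmetric algs
        raise ValueError("unexpected alg")
    # v2.0 issuer format is an assumption; pin it to the configured tenant.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        raise ValueError("issuer mismatch")
    if claims.get("aud") != client_id:  # hint must be addressed to this app
        raise ValueError("audience mismatch")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("hint expired")
    if not isinstance(iat, int) or now - iat > max_age:
        raise ValueError("hint older than the allowed window")
    if not claims.get("sub"):
        raise ValueError("no subject to bind the second factor to")
    return claims


def make_test_hint(claims: dict) -> str:
    # Constructed hint with a placeholder signature segment, used only to
    # exercise the claim checks offline; real signature checking would reject it.
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "test"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.sig-placeholder"
```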

A standard Imprivata EAM Web SSO session is also established, granting the user seamless access to other Imprivata-integrated applications during the session.

Before You Begin

CAUTION:

All users must be licensed for SSO/AM. For your administrator to be able to configure Web SSO as described here, the administrator must also be licensed for SSO/AM.

Configure Second Factor Only Authentication Workflow

  1. In the Imprivata Admin Console, go to Users > Workflow Policy.

  2. On the Workflow policy page, go to Web SSO workflows > Second factor only authentication.

  3. Select a second factor: OTP token, Imprivata ID, SMS Code, Email, or Face recognition.

  4. Click Done.

  5. Go to Associate user policies and select the policies that will require this workflow.

    IMPORTANT:

    Enroll users in the modalities required for this workflow.

  6. Click Save.

When the Microsoft External Authentication app profile is created below, it is automatically bound to this workflow.

Add Application Profile

Only the superadmin role is able to configure Web SSO application profiles:

  1. In the Imprivata Admin Console, go to Applications > Single sign-on application profiles.

    All Single sign-on application profiles, including conventional Imprivata APG profiles, Mobile app profiles, SAML application profiles, and OpenID Connect application profiles, are managed from this page.

  2. Click Add App Profile > Microsoft External Authentication. The Add application page opens.

  3. Give the application profile a name. This name is only visible to administrators.

    Give the application a user-friendly name. This is the application name your users will see when they log in.

  4. Entra Tenant ID — you can find this value in the Entra ID admin center.

  5. Redirect URI — typically the Redirect URI matches the standard Entra ID EAM value.

  6. Client credentials — The Client ID is required when configuring Entra ID.

  7. Identity provider (IdP) metadata — The metadata is required when configuring Entra ID.

  8. Click Save.

Entra ID Configuration

Create an access policy, configure the application, and configure the external authentication method.

Policy Configuration

  1. Go to https://portal.azure.com and log in with an admin account.

  2. Go to Conditional Access and create a new policy for an application login.

  3. Select Grant access > Require multifactor authentication.

  4. Apply this policy to a test user.

Application Configuration

  1. Go to https://portal.azure.com and log in with an admin account.

  2. Go to Entra ID domain configuration > Manage > Enterprise Applications > New application.

  3. On the Browse Entra App Gallery page, select Create your own application.

  4. On the Create your own application page, enter the name for your new app and click Create.

  5. Open your newly-created app and go to Permissions.

  6. Click Application registration.

  7. On the API permissions page, click Add a permission.

  8. On the Request API permissions page > Microsoft APIs, select Microsoft Graph.

  9. Select Delegated permissions, and add the following:

    • openid

    • profile

    • User.Read

  10. Click Grant admin consent and click Yes on the confirmation dialog box.

  11. Redirect URI — go to Authentication (Preview) > Redirect URI configuration and click Add Redirect URI.

  12. On the Select a platform to add redirect URI page, select the Web option.

  13. Enter the redirect URI value from the Microsoft External Authentication app profile you created earlier in the Imprivata Admin Console.

Authentication Method Configuration

  1. Go to https://portal.azure.com and log in with an admin account.

  2. Go to Entra ID directory overview page > Security > Authentication Methods and click Add external method (Preview).

  3. Fill in the following fields:

    • Name — the authentication method name that will appear onscreen for your users. This name cannot be changed after clicking Save.

    • Client ID — the Client ID of the External authentication method app you created above.

    • Discovery Endpoint — Enter the Metadata URL from the External authentication method app you created above.

    • App ID — App ID from the External authentication method app you created above.

  4. Enable and Target — switch on the Enable radio button.

  5. Click Add Target and add your users.

  6. Click Save.

Optional — Exclude from Registration Campaign

If your users have already enrolled, exclude users from a registration campaign that prompts users to set up Microsoft Authenticator.

  1. Go to Manage > Registration campaign.

  2. Go to Settings > Excluded users and groups and select the groups that won't need to be prompted.

  3. Click Save.

NOTE:

Users and administrators can register external authentication methods directly in the user's Microsoft account, separate from the login workflow.

Expected Endpoint Workflows

This section describes the expected workflow when a user first sets up their external authentication method, and on subsequent logins.