1. Introduction


1.1 Purpose

This document defines the reference architectures for Epic Community Connect (ECC) hosts integrating Epic Hyperdrive with Imprivata Enterprise Access Management (EAM) for SSO and MFA, including Electronic Prescribing for Controlled Substances (EPCS). Use it to select a directory and trust model and a Hyperdrive delivery model, and to decide whether the host or each ECC site controls EPCS.

1.2 Audience

This guide is written for ECC host architects and implementation teams, plus ECC site IT teams and Imprivata teams supporting the deployment. Readers should be familiar with EAM (appliances, agents, connectors, Confirm ID), Epic concepts (Hyperdrive, Slingshot, ECC, EPCS), and basic application virtualization (Citrix/VDI).

1.3 Scope

The scope includes authentication directory strategy, Hyperdrive delivery models, EPCS authority models, protocol and identity configurations (LDAP, non-LDAP, OIDC, SAML, Entra ID/ROPC), shared enterprise designs, cross-site user considerations, and thin-client/VDI scenarios in ECC environments. Epic build details, customer-specific legal advice, and detailed commercial terms are out of scope.

1.4 How to Use This Document

Use this guide as a design framework rather than a strict blueprint.

  1. Start with Section 2 to choose the identity source, protocol, and trust model.

  2. Use Section 3 to select the closest "most likely" configuration.

  3. Use Sections 4-6 to confirm directory design, delivery details, and EPCS ownership.

1.5 Outcomes

When you’re done with this document, you should be able to answer each of the following questions:

  1. Which directories will ECC users authenticate against for endpoint access, Epic Hyperdrive and EPCS authentication (host directory, ECC site directory, or both)?

  2. How is the Imprivata Connector configured to retrieve user credentials (LDAP or non-LDAP)?

  3. How does the Imprivata Connector authenticate into Epic Hyperdrive (password or SAML)?

  4. How is Epic Hyperdrive launched (local install vs published via application virtualization)?

  5. Where must the Imprivata agent and Imprivata Connector be installed (endpoint, virtual session host, or both)?

  6. Which EAM instance (host-provided vs ECC site-provided) will provide EPCS authentication?

  7. Is Slingshot required for the chosen Epic Hyperdrive delivery model, and which Slingshot access method is used (calculated password, pass-through, interactive)?

  8. What directory trust model is required between host and ECC site directories (one-way, two-way or none), and why?

  9. What endpoint types are required (Type 1 vs Type 2) to support shared workstations and cross-site users?

  10. How will cross-site users authenticate at both host and ECC sites (accounts and EPCS enrollment)?

1.6 Glossary

Active Directory (AD): Microsoft directory used for user accounts, groups, and Windows logon.

Application virtualization: Delivering Hyperdrive through a published remote session (for example, Citrix) instead of installing it locally.
Used when: Hyperdrive runs on a session host, not the endpoint.

Authentication: The first identity check that grants access (endpoint logon, virtualization logon, or Epic login).

Citrix: A common application virtualization platform used to publish Hyperdrive.

Clinical workflows: In-Epic actions that require identity confirmation beyond login (step-up or witness).

Confirm ID: Imprivata’s authentication factor service used for MFA and step-up workflows (including EPCS).

Cross-site user: A user who works at more than one org boundary (host and one or more ECC sites).
Used when: deciding identity source, trust needs, and whether EPCS enrollment must work in more than one place.

Directory: The identity store for users and groups, typically AD and/or Entra ID.

Domain: The identity realm being referenced. It can mean an AD domain or an Entra ID tenant. For trusts, it means an AD domain.
Used when: describing where an identity is valid and whether trust is required.

Double hop: Two remote hops (endpoint → published desktop → published application).

EAM (Enterprise Access Management): Imprivata platform used for endpoint SSO, MFA, workflow reauthentication, and Epic integrations.

EAM instance: A specific EAM deployment (appliances, policies, directory integration, agents, connectors).

ECC (Epic Community Connect): Epic model where a host shares its Epic instance with other organizations.

ECC site: An organization that accesses the host’s Epic through ECC.

ECC-dedicated application virtualization: Hyperdrive is published from a host-managed virtualization environment dedicated to one ECC site (separate from the host’s virtualization environment).

ECC-shared application virtualization: Hyperdrive is published from a host-managed virtualization environment shared by multiple ECC sites (separate from the host’s virtualization environment).

Electronic Prescribing for Controlled Substances (EPCS): Requires higher assurance and authentication at signing.

Endpoint: The workstation or device the user interacts with (shared or assigned).

Endpoint type (Type 1 / Type 2):

  • Type 1 endpoint: private or assigned device, usually tied to a single primary user.

  • Type 2 endpoint: shared workstation used by many users. Allows for fast-user switching through EAM.

Entra ID: Microsoft cloud identity directory (formerly Azure AD). Used for SSO as an Identity Provider.

EPCS provider: A prescriber who needs EPCS authentication.

Host: The organization that runs the Epic instance.

Host-shared application virtualization: Hyperdrive is published from the host-managed virtualization environment shared by host and ECC site users.
Used when: the host centralizes virtualization operations and standardizes delivery.

Hosted Infrastructure as a Service (IaaS): Systems running in cloud (not on local hardware).

Hyperdrive (Epic Hyperdrive): Epic’s client application used to access Epic Hyperspace Web.

Identity Provider (IdP): System that authenticates the user and issues SAML and OIDC assertions.

Local install (Hyperdrive): Hyperdrive runs on the endpoint, not in a published session.

LDAP: Method for the Imprivata Connector to authenticate the user into Epic Hyperdrive using the directory (LDAP) credentials already held by EAM.

Multifactor Authentication (MFA): Requires two or more distinct credentials (e.g. password, biometric, one-time password, PIN).

Named user: Person-specific account used for access and audit (not a shared/generic account).

Non-LDAP (Epic non-LDAP in EAM): Method for the Imprivata Connector to authenticate the user into Epic Hyperdrive when the Epic username is different from the EAM username. Epic credentials must be captured from the user.

OpenID Connect (OIDC): Token-based authentication built on OAuth 2.0. Typically used for EPCS workflows.

Published application: An application installed on a centralized remote server and delivered through application virtualization; for Hyperdrive, this means Hyperdrive runs on a session host rather than on the endpoint.

Reauthentication: Security process of requiring a user to authenticate again during an active session for higher-risk actions (e.g. Imprivata Clinical Workflows).

Resource Owner Password Credentials (ROPC): OAuth 2.0 flow where an application collects a username/password and exchanges it for an access token.

SAML: Method for the Imprivata Connector to authenticate the user into Epic Hyperdrive through the Generic Authentication API.

Service Provider (SP): The application that relies on the Identity Provider. For SAML-based Epic login, Epic is the service provider.

Session host: The server that runs published applications or desktops and hosts the user session.

Single sign-on (SSO): Using an existing authentication event to log into desktops or Epic without retyping credentials.

Slingshot: Locally installed Hyperdrive running in "Slingshot" mode. It launches the virtual session that delivers published Hyperdrive and supports the SSO configurations below.
Used when: Hyperdrive is published through application virtualization, when there are multiple hops, and when session persistence is needed.

  • Calculated password: a generic account and a derived or provided password value are used to launch Hyperdrive in a published session.
    Used when: enabling launch configurations where the published session needs a credential to start.

  • Interactive: the user completes an interactive authentication step during launch.
    Used when: pass-through or calculated options do not fit the security model.

  • Pass-through: an upstream authentication is reused to launch the published session and Hyperdrive.
    Used when: aiming for tap-and-go behavior into published Hyperdrive.

Slingshot Launcher: Imprivata application installed by the Imprivata Connector for Epic Hyperdrive; it launches Slingshot and passes named-user credentials for single sign-on.
Used when: Slingshot is not configured for pass-through or calculated password.

Standard user: A user who needs SSO to endpoints and Epic Hyperdrive, but does not need EPCS authentication.

Trust (AD trust): Relationship between AD domains that allows one domain to accept identities from the other. One-way or two-way.
Used when: cross-site users must log into endpoints or session hosts joined to the other domain.

Virtual Desktop Infrastructure (VDI): A virtualized desktop session that users connect to remotely. Often used alongside published application delivery configurations.