SAML Settings
The SAML Settings page lets administrators configure SAML to enable Single Sign On (SSO). When you configure SSO through SAML, the change to the server's authentication methods takes effect immediately.
Because the SAML configuration can change the authentication method for the whole server, and the change is immediate, Imprivata recommends that you follow this procedure during a scheduled maintenance window to prevent downtime for your users.
Before you begin, create a locally authenticated administrator account so that you keep access to your server if the configuration locks you out. Contact Imprivata Customer Service if you encounter any problems.
This document contains the requirements and a step-by-step guide for setting up SAML to enable SSO.
Requirements
To complete the configuration, ensure that you meet the following requirements.
- Permissions and Access:
  - You must be a server-level administrator to access the SAML configuration page.
  - You must have access to your Identity Provider (IdP) configuration.
- Authentication Methods:
  - Your Identity Provider (IdP) must be able to require MFA from your users.
- Server Version:
  - Your server must be version 23.1.12 or higher. Find your version in the footer of your server's Administrator Console. Contact success@imprivata.com for assistance in updating your server.
Failing to meet these requirements results in errors during the configuration and puts your users at risk of downtime.
Step-by-Step Guide
The SAML configuration occurs in the following stages:
- Download your server's data.
- Upload your server's XML to your Identity Provider (IdP).
- Configure SSO in your server.
  NOTE: Imprivata VPAM now automatically updates Microsoft Entra ID (formerly Azure Active Directory) SAML signing certificates during key rollovers. This automation removes the need for manual certificate updates. The system also supports multiple active certificates to ensure continuous SSO authentication during transitions.
- Finalize the configuration.
Each stage is its own process, and administrators must complete every one properly for the configuration to be secure.
Your server's data is an XML file (the SP metadata) that describes the fields and the structure your Identity Provider (IdP) must export. To download your server's XML file:
- Open the System Admin tab in your server.
- Hover over the Settings menu. A drop-down list displays.
- Select SAML Settings. The SAML Settings page displays.
- Click Download SP Metadata.xml at the top of the pane. The download starts automatically.
- Wait for the download to complete.
After the download is complete, continue with the next step.
The server's XML file you download contains references that
The process for uploading your server's XML file to your IdP depends on which IdP you use. Refer to your IdP documentation to upload your server's XML and to download your IdP Metadata file. Contact your IdP manager for assistance.
Your IdP Metadata file must contain the following information; otherwise, the SAML configuration may fail:
- EntityID
- Endpoints
  - Single Sign On Service Endpoint
  - Single Logout Service Endpoint
- Public X.509 Certificate
- Name ID Format
- Organization Information
- Contact Information
To finalize the configuration, return to your SAML Settings page and upload your IdP Metadata file. Then complete the SAML Settings page using the following table.
Read the Advanced Settings section in this document before you submit, to prevent errors in your SAML settings.
| Setting | Description |
|---|---|
| Enable SAML Authentication | Enables SAML authentication on your server. |
| Make SSO the default login option | Makes SSO the default sign-in option for your users. |
| Require MFA Validation from IDP for SSO Users | This feature is primarily used by Imprivata to validate that MFA has been met for Nexus Connections when the remote user's server is configured with SAML authentication. Checking this box will prevent users from being able to log into their Important: When you select this option, you must provide accurate details in the Advanced Settings section to ensure users do not get locked out. |
| Enable Group Sync if groups are provided | Assigns new users who sign in with SAML/SSO to a User Group based on their assigned group in your IdP. |
| Enable Role Sync if roles are provided | Assigns new users who sign in with SAML/SSO a User Role based on their assigned role in your IdP. |
| Sign-On URI | The IdP single sign-on endpoint to which your server sends users to authenticate. |
| Logout URI | The IdP single logout endpoint to which your server sends users when they sign out. |
| IDP Signing Certificate | The IdP's public signing certificate, which your server uses to verify the signatures on responses from your IdP. This field autocompletes when you upload your IdP Metadata. |
| Default Role assigned when no linked roles found | The User Role given to users who sign in but have no role assigned in your IdP. |
| Default User Group assigned when no linked groups found | The User Group given to users who sign in but have no group assigned in your IdP. |
Advanced Settings
Imprivata recommends that you create a locally authenticated system admin user before modifying any settings to prevent being locked out of your
The Advanced Settings section contains the following fields:
- NameID Format: The format your server expects for the NameID that identifies the user in assertions from your IdP.
- Required authentication level: The minimum authentication level (for example, MFA) your server requires in the IdP's response for a user who attempts to sign in.
- SAML Auth Context reference: The authentication context class reference that your server and your IdP use to relate a single user's identity to the way that user authenticated.
- Entity ID for the server: The name of your server, exactly as you provided it to your IdP when granting access to the user database. The comparison is exact, so any difference in case or a trailing slash causes a mismatch.
- Excluded Role Names from Role Sync: The user roles that are not assigned automatically when a user signs in to your server.
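The following added example (not Imprivata code) shows, in Python, the checks that three of these settings imply when a SAML assertion arrives: the NameID Format is compared to the expected value, the Required authentication level is enforced by matching the AuthnContextClassRef against an accepted set, and the Entity ID for the server is compared exactly against the assertion's Audience. The SP entity ID, IdP URL, user, and the set of accepted class references are assumptions for the example; the assertion is constructed and unsigned, and a real service provider must verify the XML signature against the IdP signing certificate before trusting any of these values.

```python
"""Apply the Advanced Settings checks to a SAML assertion.

Added example for this page, not Imprivata code. It shows the logic behind
three settings listed above: the expected NameID format, the required
authentication level (expressed here as a set of accepted AuthnContextClassRef
values) and the exact-match Entity ID for the server (checked against the
assertion's AudienceRestriction). The SP entity ID, IdP URL, user and the
accepted class-reference set are assumptions. The assertion is constructed and
unsigned: a real service provider must verify the XML signature against the
IdP signing certificate before trusting any value read here.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed values an administrator would enter in Advanced Settings.
SP_ENTITY_ID = "https://vpam.example.test/saml/metadata"
EXPECTED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Class references accepted as "MFA was performed". The first is the value
# Microsoft Entra ID emits for multi-factor sign-in; the others are standard
# SAML 2.0 classes. Which ones to accept is a policy choice (an assumption here).
MFA_CLASS_REFS = {
    "http://schemas.microsoft.com/claims/multipleauthn",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
}
PASSWORD_ONLY = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def sample_assertion(class_ref: str, audience: str = SP_ENTITY_ID,
                     nameid_format: str = EXPECTED_NAMEID_FORMAT) -> str:
    """Build a minimal, constructed, unsigned assertion for exercising the checks."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{nameid_format}">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement>
    <saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def evaluate(assertion_xml: str, require_mfa: bool = True) -> list:
    """Return policy failures for the assertion; an empty list means it is acceptable."""
    root = ET.fromstring(assertion_xml)
    failures = []

    # NameID Format: the identifier must arrive in the format the server expects.
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EXPECTED_NAMEID_FORMAT:
        failures.append("NameID format mismatch")

    # Entity ID for the server: an exact, case-sensitive string comparison, so a
    # trailing slash or different case in the IdP configuration is a failure.
    audiences = {a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)}
    if SP_ENTITY_ID not in audiences:
        failures.append("audience does not match the Entity ID for the server")

    # Required authentication level / Auth Context reference: with "Require MFA
    # Validation from IDP" enabled, at least one class reference must be accepted.
    refs = [r.text for r in root.findall(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)]
    if require_mfa and not any(r in MFA_CLASS_REFS for r in refs):
        failures.append("authentication level too low: " + ", ".join(refs))

    return failures


if __name__ == "__main__":
    for ref in ("http://schemas.microsoft.com/claims/multipleauthn", PASSWORD_ONLY):
        print(ref, "->", evaluate(sample_assertion(ref)) or "accepted")
```

The password-only assertion is rejected while MFA validation is required and accepted when it is not, which is the lock-out scenario the Important note above warns about: if the IdP never returns an accepted class reference, every SSO user fails this check, and only the locally authenticated administrator can still sign in.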
To submit the changes to your server, click Submit on the SAML Settings Page.
After your server reloads the page, ensure that your IdP manager also refreshes the IdP authorizations for previously signed-on users. If you do not refresh those authorizations directly on the IdP, the system locks.