Imprivata OneSign Authentication for Smart Cards or USB Tokens with External Certificates

Smart cards provide two-factor authentication by combining a user PIN with a pre-programmed smart card. This topic describes smart cards with certificates issued by an external agency. Imprivata OneSign authenticates users through a third-party application rather than Windows. For more information see Imprivata OneSign Authentication for Smart Cards or USB Tokens with Microsoft Active Directory (AD) Certificates.

You assign smart card authentication (and all other authentication methods) through the Imprivata OneSign User Policies that you assign to each user.

Enforcing Smart Card Certificate Validity

You have the option to prohibit authentication with these smart cards if the card certificate has expired. To do this, select it under Options.

Smart card certificate information is displayed in and can be deleted from the user record as shown in the following image:

Revoking Smart Card Authentication Privileges

Revoke smart card authentication privileges through the Imprivata OneSign User Policies that you assign to each user. Create a different user policy and assign it to the user.

You can enforce the use of smart cards with an external certificate for desktop access in specific Computer Policies, overriding the User Policy.

  1. In the Imprivata Admin Console, go to your computer policy > Override and Restrict tab > Desktop Access Authentication Restrictions.
  2. Select Restrict user policy.
  4. Scroll down and select Smart Card or USB token using external certificate. Allow temporary use of conditional primary methods, if needed.
  6. (Optional) In the section Authentication method options > Smart card using external certificate, select Allow smart card enrollment and authentication only while certificate is valid.
  8. Click Save.

Smart cards with externally issued certificates cannot be used for authentication to Imprivata OneSign until the card certificate has been mapped to a user during an enrollment process. Enrollment occurs during the login/unlock process.

  1. The user inserts a smart card to authenticate to the network. The PIN dialog opens.
  2. The user enters a valid PIN.
  3. Imprivata OneSign does not recognize the certificate as one mapped to a user. Imprivata OneSign displays the Enroll smart card login or unlock dialog, and prompts the user to enter a valid domain password:
  4. The user enters username and password. The PIN dialog opens a second time.
  5. The user enters a valid PIN. Imprivata OneSign validates the certificate and maps the User Principal Name from the certificate to the user.

To log into Imprivata OneSign, the user inserts the card or token into the reader and then enters the associated PIN. The user’s Imprivata OneSign experience is no different from users with any other authentication method.

The authentication process is straightforward. To authenticate via smart card:

  1. When the Windows Log On screen opens, insert the smart card into the smart card reader. The Imprivata Smart Card Login window opens.
  2. Enter your PIN to enable the smart card. Repeated failure to correctly enter the PIN may disable the smart card.

When you are authenticated, the login window closes.

If you have multiple authentication options, you first see the Imprivata OneSign login screen. To log in by smart card, ignore the listed options and insert your smart card as described in the preceding procedure.