Imprivata OneSign Single Sign-On
Imprivata OneSign® Single Sign-On (SSO) helps to solve password management and user access issues. Imprivata OneSign SSO enables single sign-on to legacy, client/server, SAML 2.0, and web applications without requiring custom scripting, changes to existing directories, or inconvenient end-user workflow changes.
NOTE: Imprivata supports Single Sign-On for applications in Microsoft Internet Explorer, Google Chrome, and Edge Chromium browsers. For more information, see Support for Applications that Run in Google Chrome and Support for Applications that Run in Edge Chromium.
SSO is an Imprivata OneSign licensed feature. If your Imprivata enterprise is licensed for SSO, the Imprivata Admin Console includes an SSO page with tools for managing application profiles.
Imprivata OneSign also supports Single Sign-On for SAML 2.0 applications. See Imprivata Web SSO — SAML 2.0.
Overview of Imprivata OneSign SSO

The Imprivata agent is installed on an endpoint computer or virtual machine; it monitors authentication behavior from user workstations and Citrix servers and periodically uploads the information to the Imprivata server.
The Imprivata agent captures and proxies all credentials to enabled applications and permits authentication of users. Authenticated users have single sign-on access to their OneSign-enabled applications.
The Imprivata agent downloads credential and application information from the Imprivata server at login and then periodically checks for updates at an interval you set in the Imprivata Admin Console system settings. When a user authenticates to Imprivata OneSign, the user is automatically authenticated to Imprivata OneSign-enabled applications as they are launched: the application presents a login screen, and the Imprivata agent proxies the user’s application credentials.
The Imprivata agent must be installed and running on any computer that you use for profiling applications.
NOTE: There is one exception to this rule: if all applications that require SSO are hosted on a Citrix or Microsoft terminal server, then you can provide SSO to them through the Imprivata Citrix agent, described in Imprivata Agent Types.
The Imprivata agent is detailed in About the Imprivata Agent.

The Imprivata agent uses application profiles to recognize applications and to capture and proxy credentials. You generate application profiles with the Imprivata OneSign Application Profile Generator (Imprivata OneSign APG). The Imprivata OneSign APG is detailed in Draft Application Profiles.
What is an Application Profile?
An Imprivata OneSign Application Profile allows the Imprivata agent to recognize and respond to authentication requests from a given application. You must have a profile for any application for which you want to enable single sign-on. An application profile is a list of screens that the application might present to a user, and the information that allows the Imprivata agent to recognize each screen and respond to it correctly.
AppProfiles.XML
Application profiles are recorded in AppProfiles.XML, which is an XML file stored on the Imprivata OneSign server. Whenever the user authenticates to OneSign, the user’s Imprivata agent downloads the most recent AppProfiles.XML.
In addition to generating application profiles with the Imprivata OneSign APG, you can import profiles to your AppProfiles.XML file.
NOTE: AppProfiles.xml contains information about each application as well as settings that affect all application profiles. Directly editing AppProfiles.XML is risky. If you make a mistake and the file does not conform to the schema, none of the profiles will work. Always use the Imprivata OneSign APG when editing application profiles.
Keeping Profiles Current
The Imprivata agent checks the Imprivata OneSign server for profile updates at the refresh interval set in the Imprivata Admin Console Properties page. If the profiles have changed, then the Imprivata agent downloads the latest application profiles from the Imprivata OneSign server.
The agent also downloads profiles:
- When the user first logs in
- When the Imprivata agent connects to the Imprivata server during refresh
- When the user manually updates data from the Imprivata agent
- When a new user logs in to a shared workstation

When an application profiled with the Imprivata OneSign APG is launched:
- The application opens a screen that requires credentials.
- The Imprivata agent compares the screen to the screen information in the most recent application profiles.
- If the Imprivata agent recognizes the screen, then the agent proxies credentials on behalf of the user, according to the information in the application profile.
- Depending on the profile, the agent may submit the responses automatically, or leave the filled-in form or application dialog box on the desktop awaiting the user’s action.
NOTE: If this is the first time the user authenticates to the application after it has been enabled, then the Imprivata agent captures and stores the user’s credentials. Credential capture only happens the first time the user authenticates or manually changes a password.
Single sign-on only works if the information in the application profile is adequate for the Imprivata agent to recognize the screen and proxy the credentials. The Imprivata OneSign APG is a tool for generating the profile. The Imprivata OneSign APG learns the application screens as they are presented, while noting fields and selections for input, controls for actions, and your responses. The Imprivata OneSign APG provides tools to make sure that you get high-quality and reproducible screen recognition, credential capture, and credential proxying results.
Changing Passwords
An application profile can also include information about the screens for changing passwords. If the application opens a password-change screen and the profile is configured to handle password changes, then the Imprivata agent recognizes the password-change screen and proxies the current password. Then it either captures the user’s new password or responds to the screen with a new, random, auto-generated password, if that option is selected in the application profile.
Imprivata OneSign SSO Help Topics
The following help topics provide the procedures and background information you need to deploy and manage application profiles for use with Imprivata OneSign SSO: