Managing Domains (Directories)
The domains list on the Directories page (Imprivata Admin Console > Users menu) displays the domains from which you have imported users.
Use the Directories page to:
- Edit a domain record — Click any domain name to open the domain record for editing. See Working with an Imprivata Domain.
- Add a new domain — You can add as many domains as you need, of a variety of directory types. See Adding a Network Domain.
- You can also import non-domain users by creating a virtual domain called an Imprivata Directory Domain. Imprivata Directory Domains are detailed in Creating Imprivata Accounts for Non-Domain Users.
Working with an Imprivata Domain
Each domain name on the Directories page is a link to the record for that domain.

To view or edit the information in an Imprivata domain, click the domain name on the Directories page to open the domain record editing form.

To search for a list of user accounts from an Imprivata domain:
- Click the name of the domain to be searched.
- From the domain record, click Find Domain Users. The Users page opens, displaying only the users from that domain.

Super Administrators can delete a domain from the domain record by clicking the trash can icon.
If you are using Imprivata Enterprise Access Management (formerly Imprivata OneSign) Single Sign-On (SSO), deleting an Imprivata domain is a major operation. When you delete an Imprivata domain, you delete all of its user records and all of their application credentials; the original user directory is unaffected.
You can add the domain again, but the application credentials are gone. If the users do not remember their credentials, they cannot log in to the applications through SSO.
Before deleting any Imprivata domain, make sure you have a recent backup of the Imprivata database. You back up the Imprivata database from the Imprivata appliance; the procedure is detailed in Back Up the Imprivata Database.
You cannot delete the domain of which your own account is a member.

At the bottom of the domain record is the Password Policy section for implementing a domain password policy. Imprivata applications permit password policies that automate the rotation of strong passwords for domain users.
A domain password policy is a security feature. When a domain password policy is in effect, the domain passwords change frequently and are never known by users.
Domains with users who authenticate to an Imprivata application by finger biometrics, Smart Card, or ID token AND who never authenticate by password can have the additional security of an automated password policy.
You implement a password change policy by selecting Implement Password Change Policy? A password change policy changes the users' passwords at an interval that you set. Users will not know their new passwords and are forced to authenticate by whatever strong authentication method you assigned in their user policies.
- To implement a password policy in a domain, the connection must use an Administrator account and TLS must be in use: the appliance resets the passwords in the directory on the users' behalf, and the new passwords must not cross the network in clear text.
- Domain users who authenticate by password are unaffected by the domain password policy.

You need a certificate for any operation where users change passwords, including the Imprivata OneSign Self-Services option, which allows users to reset their primary authentication password (the password they use to authenticate to OneSign) and to view their application passwords.
To establish communication between the Imprivata appliance and an LDAP directory server, Imprivata must trust a TLS certificate from the directory server.
If Use TLS for secure connection is selected the first time you try to connect to a domain, then Imprivata queries the directory for a certificate and displays it for acceptance.
All subsequent connections to the directory use the first valid certificate accepted.
You can manually upload a different certificate if you have a third-party certificate to use for the TLS connection. To upload a different certificate, browse to it and upload it from the Directory Server Certificate line.
You can import a certificate from every directory controller with which the Imprivata appliance communicates, or you can import a single root certificate that covers all of them.
To use a presented or uploaded certificate to establish trust with the domain:
- From the domain record, click the certificate link next to Directory server certificate to see the current list of trusted certificates.
- As a best practice, use a root certificate. If this is not possible or desirable, you must add the certificate of each peer directory by editing the Host name field and clicking Save. Alternatively, you can use the Browse... and Upload feature.
You can delete an unneeded certificate by clicking the trashcan icon beside it.
NOTE: If a certificate expires, you need to upload a new certificate. Because subsequent connections reuse the first accepted certificate, an expired or replaced directory server certificate breaks the connection until the new one is trusted.
Adding a Network Domain
NOTE: Each Imprivata site can communicate with any external server on the network, but sites usually connect to local directories. The user account information from each directory is replicated across all appliances in the site and across the enterprise, so there is no need to connect to user directories that are local to other Imprivata sites.
If you need to add users from a user directory that is not yet set up as an Imprivata domain, you can configure the new Imprivata domain with this procedure.
- Select the type of user directory — Select the directory server type from the list of types Imprivata can synchronize with, and click Next.
- Set connection parameters — This step is slightly different for each user directory type.
To start the process:
- On the Directories page, click Add. The Add New Imprivata Domain page opens.

To set the connection parameters:
- In the Domain name field, enter the DNS name of the domain.
- Fill in the Host name field with the fully qualified hostname or the IP address of the directory server.
- Enter the Username and Password of a user with Administrator privileges on the domain.
- Select Use TLS for secure communication so that the Imprivata appliance does not transmit these credentials over the network in clear text.
- In the NetBIOS name field, enter the NetBIOS form of the domain name. If you are unsure, use the Look-up feature to have Imprivata look it up for you.
When you go to the next page, or when you use the Look-up feature, the Imprivata appliance connects to the user directory and may present a certificate acceptance dialog box. Imprivata saves this connection information.
- To keep TLS connections working when the primary directory is unavailable, import the certificates of all peer directories as well:
  - In the same form, before continuing, delete the original hostname and enter the hostname of the peer.
  - Click Look-up next to the NetBIOS Name field.
  - When you are prompted with the certificate, accept it.
  - Repeat for each peer.
- Set the hostname back to the original user directory and continue by clicking Synchronize Users.
- If you are using Kerberos security, a Kerberos keytab file is required.
- Click Next.
- After you set the connection parameters, the rest of the procedure is the same as the procedure for Synchronize to an Existing Domain.
- You can configure a password policy for the domain; see Implementing a Domain Password Policy.
The new domain appears on the Directories page.
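The TLS section above recommends trusting one root certificate rather than each directory controller's own certificate, and the procedure above tells you to import every peer's certificate and to supply the NetBIOS name. The following PowerShell script is an added pre-flight check for both of those steps; it is not Imprivata tooling and nothing here is taken from the Imprivata console. It assumes you run it on a domain-joined Windows host with the ActiveDirectory RSAT module installed, that every domain controller listens for LDAPS on TCP 636, and that `$DomainDns` is a placeholder for the domain you are about to add. It lists the NetBIOS name and the domain controllers (the peers), captures the certificate each one presents on LDAPS without sending any credentials, reports expiry, chain validity and whether the Subject Alternative Name covers the host name you will enter, and then tells you whether a single root certificate covers all controllers (and writes it out as a PEM file ready to upload) or whether you must accept each controller's certificate individually.

```powershell
# Added example: pre-flight checks before adding an Active Directory domain in Imprivata.
# Not Imprivata's own tooling. Assumptions: domain-joined host with the ActiveDirectory
# RSAT module; LDAPS on TCP 636 on every DC; $DomainDns is a placeholder (e.g. corp.example.com).
param(
    [Parameter(Mandatory)][string]$DomainDns,
    [int]$LdapsPort = 636,
    [int]$WarnDays  = 30,
    [string]$RootOut = ".\directory-root-ca.cer"
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. NetBIOS name (what the console's Look-up would return) and the DC list: every DC is a
#    "peer directory" whose certificate must be trusted for failover to keep working.
$domain = Get-ADDomain -Identity $DomainDns
"Domain: {0}   NetBIOS: {1}" -f $domain.DNSRoot, $domain.NetBIOSName
$dcs = Get-ADDomainController -Filter * -Server $DomainDns |
       Select-Object -ExpandProperty HostName

# 2. Capture the certificate a DC presents on LDAPS. No bind, no credentials; the { $true }
#    callback only keeps the handshake alive so an untrusted cert can still be inspected.
function Get-LdapsCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $cert
    } finally { $tcp.Close() }
}

$results = foreach ($dc in $dcs) {
    try { $cert = Get-LdapsCertificate -HostName $dc -Port $LdapsPort }
    catch { [pscustomobject]@{ Host = $dc; Error = $_.Exception.Message }; continue }

    # Build the chain as a relying party would, but skip revocation reachability:
    # this is a pre-flight that may run on an isolated network.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk  = $chain.Build($cert)
    $rootCert = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Subject Alternative Name (OID 2.5.29.17) must contain the host name Imprivata will dial.
    $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            ForEach-Object { $_.Format($false) }) -join ','
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    [pscustomobject]@{
        Host        = $dc
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        DaysLeft    = $daysLeft
        Expiring    = ($daysLeft -lt $WarnDays)
        ChainOk     = $chainOk
        SanMatches  = ($san -match [regex]::Escape($dc))
        RootThumb   = $rootCert.Thumbprint
        RootSubject = $rootCert.Subject
        Root        = $rootCert
    }
}

$results | Format-Table Host, DaysLeft, Expiring, ChainOk, SanMatches, RootSubject -AutoSize

# 3. Decide what to upload. One shared root means a single root certificate covers every DC
#    (the recommended practice); otherwise each DC's own certificate has to be accepted.
$roots = @($results | Where-Object { $_.RootThumb } | Group-Object RootThumb)
if ($roots.Count -eq 1) {
    $root = $roots[0].Group[0].Root
    $pem  = "-----BEGIN CERTIFICATE-----`r`n" +
            [Convert]::ToBase64String($root.RawData, 'InsertLineBreaks') +
            "`r`n-----END CERTIFICATE-----`r`n"
    Set-Content -Path $RootOut -Value $pem -Encoding ascii
    "All DCs chain to '{0}'. Upload {1} as the Directory Server Certificate." -f $root.Subject, $RootOut
} else {
    "DCs chain to {0} different roots; accept each DC certificate as a peer." -f $roots.Count
    $results | Where-Object { $_.RootThumb } | Format-Table Host, Thumbprint, RootSubject -AutoSize
}
```

Run it as `.\Check-ImprivataDomain.ps1 -DomainDns corp.example.com` (file and domain names are placeholders). A row with `ChainOk` false means the appliance will only ever trust that certificate by explicit acceptance, `SanMatches` false means the Host name you enter will not match what the controller presents, and `Expiring` true means the pinned certificate will have to be replaced soon after you finish the procedure.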