Configuring SSO in User Policy
NOTES:
- These settings apply to applications profiled by the Imprivata APG only. Imprivata Web SSO applications are not affected.
- These settings can be overridden by an application profile's deployment security settings. If this feature does not behave as expected, check the deployment settings of all application profiles available to users with this user profile.
Use the Single Sign-On tab of a user policy to:
- Allow users SSO access to applications — To give every user assigned to this user policy SSO access to applications, select Allow users single sign-on access to applications.
- Allow users to bypass SSO to access applications — You can allow users of a user policy to bypass SSO when accessing applications. This is useful for Help Desk personnel working on a different user’s computer.
  - Each application profile includes separate authorization for this feature. This permission must be authorized both in the user policy AND in the application deployment security options as described in Allowing Users to Bypass Application SSO.
  - Resumption of SSO does not require re-authentication to EAM.
You can override user policy settings on specific computers with the Override User Policy feature available in computer policies.

If Offline Authentication is enabled for this user policy, then offline users can still enjoy single sign-on to their applications. This is particularly useful for employees who are often disconnected from the network, such as frequent travelers. The following image shows the Windows notification area icon for a user policy with Offline Authentication enabled:
The agent records all audit data and uploads it to the Imprivata server the next time the agent connects to the server.
If a user's SSO privileges are suspended, the offline agent honors the suspension. The following image shows the Windows notification area icon for a user policy with SSO suspended:
Limit Offline Single Sign-On Data Lifespan?
You can program a finite lifespan for single sign-on data used by offline-enabled users. This provides a guaranteed limit to how long an offline-enabled user can access the network if the user’s account was closed while the user was offline.
When the offline data lifespan limit is reached, the Imprivata agent deletes all cached credentials. Select the Limit offline single sign-on data lifespan option and enter the number of days an offline-enabled user can access the network.

Users can use the Manage Passwords feature on the Imprivata agent menu to view and change application credentials. To enable this feature, select Display Manage Passwords command in the agent tray menu.
Allow Users to Modify and Delete Application Single Sign-On Credentials
This allows users to access the application credentials feature of the Self-Service Portal, or the Password Manager, described in The Imprivata Password Manager.
Access to application credentials is also configured in the application profile deployment security options. For a user to edit application credentials, the application must allow access AND the user policy must have the permission.
Access to application credentials in the Security settings of application profile deployment is detailed in the Allowing Users to Modify/Delete Application Credentials section in the Security Settings.
Show Information About Managing Passwords in Balloon Tips
Imprivata Enterprise Access Management can provide helpful user-friendly information in balloon tips.
Users have the option to disable the balloon tips after seeing them the first time by deselecting the option on the balloon tip.

This allows users to access the application credentials feature of the Self-Service Portal or from the Password Manager, described in Single Sign-On.
Access to application passwords is also configured in the application profile deployment security options. For a user to reveal application passwords, the application must allow access AND the user policy must have the permission.
Access to application credentials in the Security settings of application profile deployment is detailed in the Allowing Users to Reveal Application Passwords section in the Security Settings.
Require Users to Answer Security Questions to Reveal Application Credentials in Self-Service Portal
You can require users to answer security questions before they can reveal application credentials from the Imprivata Self-Service Portal.
Users who have not enrolled in the Security Questions feature are required to confirm their identity with the login window. This action only confirms identity; it is not a network re-authentication. Failure to answer correctly does not end the user's session.
This setting has no effect on the Password Manager reached from the Imprivata agent menu.