Using Shared Credential Stores
When two or more APG-profiled applications must share credentials, you can create a credential store. Imprivata Enterprise Access Management uses credential stores to manage these application credentials centrally: when a user updates the credentials for one application, the same credentials are updated for every application listed in the credential store. Click View/Edit to see the list of shared credential stores and the applications that share credentials in each store.
There are several benefits to shared credentials:
- When a user enrolls in any one of the sharing applications, the user is automatically enrolled in all of them.
- Changes made to the credentials through any of the applications that share them are propagated to all the sharing applications.
- Applications with two profiles, one for Microsoft Internet Explorer and one for Google Chrome or Edge Chromium, can share one set of credentials.
NOTES:
- All application profiles in a credential store should have the same number and type of profiled credential fields. For example, an application that requests a user name, password, and domain at login should not share credentials with an application that requests a user name and password only. If one application has a field that the other applications in the store lack, set that field's Meaning in Imprivata OneSign to Ignore This Field when profiling the application, so that the store holds only the fields common to every profile.
- To use the multiple accounts feature for applications that share credentials with other applications, see Using Multiple Accounts with a Credential Store.

An application profile can share credentials with the domain only, with other applications only, or with other applications and the domain. This procedure covers sharing with the domain only. To set up a credential store that shares credentials with the domain and with other applications, see Sharing Credentials with Other Applications and with the Domain.
To configure an application to share credentials with the domain:
- From the Applications List, open the Application Record of the application that is to share credentials with the domain.
- Select Deploy this Application. The deployment options appear.
- Select with the domain only.
- Deselect Do not update the user's domain password in OneSign if the applicable password changes. With this option cleared, the copy of the user's domain password held in OneSign is updated whenever the application password changes, so the two stay in step. This is not supported if you are using the CSV-file-based Imprivata Domain.
- Select the username format your domain uses:
  - SAM account name (jsmith)
  - UPN name. Supports the implicit UPN format (jsmith@example.com) and explicit UPN formats whose user name and suffix strings were defined by the Active Directory administrator (john_smith@example.lab.eng or john.smith@example.lab.eng). For more information on implicit and explicit UPN formats, see your Microsoft Windows documentation.
  - NetBIOS name (example\jsmith)
- Click Save and continue deploying the application.
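The three username formats above differ only in syntax, so a small parser can tell you which format your users actually type at the application's logon prompt before you commit the profile to one of them. The following is an added example written for this page, not Imprivata code. It assumes the usual Active Directory limits (no `"/\[]:;|=,+*?<>@` and at most 20 characters in a SAM account name, at most 15 characters and no `\/:*?"<>|.` in a NetBIOS domain name), and it can only tell an implicit UPN from an explicit one when handed the user's SAM account name, because an explicit UPN prefix is an arbitrary administrator-defined string:

```python
"""Classify Active Directory logon names into the three formats an
application profile can be configured with: SAM account name, UPN, or
NetBIOS (DOMAIN\\user). Added example for this page; not Imprivata code.
"""

import re

# Characters AD rejects in a sAMAccountName, plus '@' (which would make
# the name look like a UPN). Assumption: 20-character cap of user objects.
_SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>@')
_SAM_MAX_LEN = 20

# NetBIOS domain names: at most 15 characters, none of these characters.
_NETBIOS_FORBIDDEN = set('\\/:*?"<>|.')
_NETBIOS_MAX_LEN = 15

# One DNS label of a UPN suffix (example.lab.eng has three labels).
_DNS_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _check_sam(user):
    """Validate the bare account-name part and return it unchanged."""
    if not user or len(user) > _SAM_MAX_LEN or user != user.strip():
        raise ValueError(f"invalid SAM account name: {user!r}")
    bad = sorted(set(user) & _SAM_FORBIDDEN)
    if bad:
        raise ValueError(f"SAM account name {user!r} contains {bad}")
    return user


def classify_logon_name(name):
    """Return {'format': 'sam'|'upn'|'netbios', 'user': ..., 'domain': ...}.

    Raises ValueError for names that fit none of the three formats or
    that are ambiguous (contain both '@' and '\\').
    """
    if not isinstance(name, str) or not name.strip():
        raise ValueError("empty logon name")
    name = name.strip()
    if "@" in name and "\\" in name:
        raise ValueError(f"ambiguous logon name (both '@' and '\\'): {name!r}")

    if "\\" in name:  # NetBIOS form: DOMAIN\user
        domain, _, user = name.partition("\\")
        if (not domain or len(domain) > _NETBIOS_MAX_LEN
                or set(domain) & _NETBIOS_FORBIDDEN):
            raise ValueError(f"invalid NetBIOS domain: {domain!r}")
        return {"format": "netbios", "user": _check_sam(user), "domain": domain.upper()}

    if "@" in name:  # UPN form: prefix@suffix, suffix is a DNS name
        prefix, _, suffix = name.partition("@")
        labels = suffix.split(".")
        if (not prefix or "@" in suffix or len(labels) < 2
                or not all(_DNS_LABEL.match(label) for label in labels)):
            raise ValueError(f"invalid UPN: {name!r}")
        return {"format": "upn", "user": prefix, "domain": suffix.lower()}

    return {"format": "sam", "user": _check_sam(name), "domain": None}


def upn_is_implicit(upn, sam_account_name):
    """True when the UPN prefix equals the SAM account name (implicit UPN,
    e.g. jsmith@example.com for jsmith). An administrator-defined explicit
    UPN such as john_smith@example.lab.eng differs. Case-insensitive, as
    AD treats both names."""
    parsed = classify_logon_name(upn)
    if parsed["format"] != "upn":
        raise ValueError(f"not a UPN: {upn!r}")
    return parsed["user"].lower() == sam_account_name.strip().lower()


def names_not_in_format(names, configured_format):
    """Return the names that do not match the username format selected for
    the profile ('sam', 'upn' or 'netbios'). Names that parse as none of
    the formats are reported too, since they cannot match any of them."""
    if configured_format not in ("sam", "upn", "netbios"):
        raise ValueError(f"unknown format: {configured_format!r}")
    mismatched = []
    for name in names:
        try:
            if classify_logon_name(name)["format"] != configured_format:
                mismatched.append(name)
        except ValueError:
            mismatched.append(name)
    return mismatched


if __name__ == "__main__":
    # Constructed sample of what users typed at a logon prompt (not real data).
    sample = ["jsmith", "jsmith@example.com", "john.smith@example.lab.eng",
              "EXAMPLE\\jsmith", "example\\jsmith@example.com"]
    for entry in sample:
        try:
            print(f"{entry:32} -> {classify_logon_name(entry)}")
        except ValueError as err:
            print(f"{entry:32} -> rejected: {err}")
    print("not in SAM format:", names_not_in_format(sample, "sam"))
```

Run it over an export of the names your users have actually entered; if `names_not_in_format` returns anything for the format you intend to select, those users will fail to match once the profile is deployed with that setting. The parser deliberately rejects names containing both `@` and `\`, since such a value can be read as either a UPN or a NetBIOS name and should be fixed at the source rather than guessed.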

To configure one or more applications to share credentials with other applications:
- From the Applications List, open the Application Record of any application that is to share credentials with other applications.
- Select the Deploy this Application option. The deployment options appear.
- Select the This application shares credentials? option.
- Select the with other applications option. The New Store button and a list of existing Imprivata OneSign credential stores appear.
NOTES:
- The Multiple Accounts section and the Password Policy section become unavailable. Applications that share credentials in a credential store must configure these options through the credential store. See Using Multiple Accounts with a Credential Store.
- If the credential store is new, the application profile's multiple accounts and password policy settings are carried into the new credential store. If the profile is joining an existing credential store, the profile inherits that store's settings for these features, so check the store's settings after joining.
- Select a credential store from the list, or click New Store to create one.
- If you are creating a store, enter a name and click OK. After you create a credential store, it is available in the list of credential stores for all applications.
- Click Save.
NOTE: A credential store exists only while it has application profiles assigned to it. If you disable credential sharing for, or delete the profiles of, all the applications that share a store, the store is deleted.

To configure applications to share credentials with other applications and with the domain:
- From the Applications List, open the Application Record of any application that is to be part of this credential store by clicking its name. Do not edit the profile.
- Select the Deploy this Application option. The deployment options are displayed.
- Select the This application shares credentials? option.
- Select with other applications. The New Store button and a list of existing Imprivata OneSign credential stores appear.
NOTES:
- The Multiple Accounts section and the Password Policy section below the Credentials section become unavailable. Applications that share credentials in this credential store must configure these options through the credential store, as detailed in Using Multiple Accounts with a Credential Store.
- If the credential store is new, the application profile's multiple accounts and password policy settings are carried into the new credential store. If the profile is joining an existing credential store, the profile inherits that store's settings for these features.
- To create a new credential store, click New Store. The New Store dialog box opens.
- Enter a name for the credential store. After you create a credential store, it is available in the list of credential stores for all applications.
- Select the This store shares credentials with the domain option. [Domain Credentials] is displayed in the list of Shared Applications, alongside the applications that share credentials with the domain and with other applications.
- Click OK to save the new credential store.
NOTE: A credential store exists only while it has application profiles assigned to it. If you disable credential sharing for, or delete the profiles of, all the applications that share a store, the store is deleted.

To edit a credential store:
- In the Imprivata Admin Console, go to Applications > Credential stores.
- Click the name of the shared credential store to open the credential store record.
NOTE: You can also review and edit credential stores from the deployment page of any application profile that belongs to a store. From that list you have access to all credential stores, but no changes are saved until you save the deployment selections at the bottom of the deployment page, and at that point only the changes to the last credential store you edited are saved; edits to any other store are lost. To change more than one store, use Applications > Credential stores.

If the multiple accounts feature is to be used with any of the applications in a credential store, you must configure it from within the credential store. The same screen is where you implement a Credential Store Password Policy.
At the bottom of the Multiple Accounts section is an option asking whether two or more of the listed profiles span the same physical application. This option is displayed only when the credential store includes support for multiple accounts. This situation is described in Shared Applications.

In very rare cases you may need two profiles for the same application, for example when an application uses two different screen types that cannot both be handled by a single Imprivata application profile. Enterprise Access Management needs to know that the two profiles are actually for the same application:
- Create two application profiles.
- Connect them both to one Imprivata OneSign credential store.
- In either application profile, go to Credentials > Edit Store. The Edit Credential Store screen opens.
- In the Shared Applications section, select Do two or more of the profiles listed below span the same physical application? A drop-down list is displayed.
- Select a Physical Application Group to pair the two profiles together. A Physical Application Group is simply a way to label the parts of the common application with a number.

This feature is detailed in Ensuring the Agent Learns the Correct User's Credentials. The behavior for a shared credential store is the same as for a single application, except that the feature must be controlled from the credential store rather than from any individual application.
This feature does not apply to applications that share credentials with the domain only, and it does not restrict users from managing their own passwords.

If you want to use a password policy for the applications in a credential store, configure the password policy from within the credential store. The procedure is identical to the one detailed in Implementing a Password Policy.
Once an application profile that has a password change policy is assigned to a credential store, the store inherits that policy and applies it to every application in the store. The policy can then be edited only from the credential store; the password policy settings on the application record are no longer editable.