Entra ID Hybrid-Domain Joined Devices

Healthcare Seamless SSO

Healthcare Seamless SSO extends Microsoft Entra ID seamless SSO (formerly Azure Active Directory Seamless SSO) to shared clinical workstations. Using desktop tap-and-go capabilities, Imprivata users can single sign-on into enterprise web-based Microsoft Office 365 and Microsoft Azure Marketplace applications.

Imprivata OneSign Integrated RunAs is used to launch Google Chrome browsers under the context of the Imprivata user accessing Office 365.

Why is it useful to healthcare customers?

With Healthcare Seamless SSO, Imprivata Enterprise Access Management and Microsoft bridge the on-premises SSO that Enterprise Access Management provides to the Office 365 cloud SSO provided by Microsoft Entra ID, using modern authentication standards. Healthcare Seamless SSO increases clinical productivity, collaboration, and return on investment by providing a nearly "passwordless" experience for clinicians, who often need to access Office 365 online collaboration tools, without requiring them to enter a username and password.

How is the environment configured?

Figure: Entra only support.

In the environment:

  • Microsoft Entra ID seamless SSO is configured and running normally, independent of Imprivata Enterprise Access Management.

    For additional information on deploying Microsoft Entra ID seamless SSO, see the Microsoft Entra ID documentation.

  • The Imprivata shared kiosk workstation agent is deployed to the shared clinical workstations.

  • The Imprivata OneSign Integrated RunAs custom shortcut for Office 365 is available on the desktop.

For other supported configurations, see Entra ID Hybrid-Domain Joined Devices.

NOTE: If you require assistance configuring Microsoft Entra ID for Seamless SSO, contact your Microsoft account representative.

The following table summarizes how Imprivata Enterprise Access Management and the Microsoft technologies in the environment are configured:

Technology Configuration
Office 365
  • Microsoft Entra ID and/or ADFS is functioning as the Identity Provider.

Microsoft Entra ID
  • Microsoft Entra ID is implemented in a hybrid model: "Hybrid Azure AD join".

    • Managed Domains must be configured to use Seamless SSO.

    • Federated Domains must be configured to use ADFS.

    For more information, see "Common scenarios and recommendations" in the Microsoft documentation.

  • Allow Full Control permission on C:\Users\<Generic User>.

  • Add any work/school account.

  • Microsoft Entra ID must be enabled for Seamless SSO.

    For more information, see the Microsoft documentation.

Delivery environment
  • Validated on Windows 10 local and remote desktops.

  • The domain of which the Imprivata Enterprise Access Management users are members must have a trust relationship with the endpoints' domain.

Imprivata OneSign
  • An Imprivata Single Sign-On (SSO) license is required.

  • Imprivata appliance 6.2 or later.

  • Imprivata agent 6.2 or later.

Imprivata OneSign Integrated RunAs custom shortcut
  • Google Chrome with Windows 10 Account Extension

    Target path example:

    "C:\Program Files (x86)\Imprivata\OneSign Agent\ISXRunAs.exe" /profile "C:\Program Files (x86)\Google\Chrome\Application\Chrome.exe" "https://outlook.office.com"

  • Web Client Outlook with Microsoft Edge Chromium

    Target path example:

    "C:\Program Files (x86)\Imprivata\OneSign Agent\ISXRunAs.exe" /profile "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://outlook.com/owa/isxrunas.com"
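The following PowerShell is an added example, not Imprivata's or Microsoft's code: it creates the Integrated RunAs desktop shortcut in the target path form shown above and verifies, before the shared workstation goes into service, that the shortcut really points at ISXRunAs.exe rather than directly at the browser. It assumes the install paths from the examples above; the shortcut name, the use of the Public desktop, and the https check are choices made for this example.

```powershell
# Added example (not Imprivata's code). Assumes ISXRunAs.exe and the browser
# are installed at the paths shown in the target path examples on this page.
$IsxRunAs = 'C:\Program Files (x86)\Imprivata\OneSign Agent\ISXRunAs.exe'

function New-IsxRunAsShortcut {
    param(
        [Parameter(Mandatory)] [string] $BrowserPath,   # Chrome or Edge executable
        [Parameter(Mandatory)] [string] $Url,           # Office 365 URL to open
        [string] $Name = 'Office 365 Outlook (Imprivata RunAs)'  # hypothetical name
    )
    # Fail early if either executable is missing; a shortcut with a bad path
    # gives the clinician a silent failure instead of a RunAs browser launch.
    foreach ($exe in @($IsxRunAs, $BrowserPath)) {
        if (-not (Test-Path -LiteralPath $exe)) { throw "Not found: $exe" }
    }
    # The browser is launched under the clinician's context, so only accept
    # https targets here; anything else is treated as a misconfiguration.
    if ($Url -notmatch '^https://') { throw "Refusing non-https URL: $Url" }

    # Public desktop so the shortcut is present for every user of the kiosk.
    $lnk = Join-Path ([Environment]::GetFolderPath('CommonDesktopDirectory')) "$Name.lnk"
    $shell = New-Object -ComObject WScript.Shell
    $sc = $shell.CreateShortcut($lnk)
    $sc.TargetPath = $IsxRunAs
    # Arguments reproduce the documented form: /profile "<browser>" "<url>"
    $sc.Arguments = "/profile `"$BrowserPath`" `"$Url`""
    $sc.WorkingDirectory = Split-Path -Parent $IsxRunAs
    $sc.Save()

    # Read the shortcut back: the target must be ISXRunAs, not the browser,
    # otherwise the browser would not run under the Imprivata user's context.
    $check = $shell.CreateShortcut($lnk)
    if ($check.TargetPath -ne $IsxRunAs) { throw "Target is not ISXRunAs: $lnk" }
    if ($check.Arguments -notmatch '^/profile ') { throw "Missing /profile: $lnk" }
    return $lnk
}

# Chrome variant from the table above; swap in the msedge.exe path for Edge.
New-IsxRunAsShortcut -BrowserPath 'C:\Program Files (x86)\Google\Chrome\Application\Chrome.exe' `
                     -Url 'https://outlook.office.com'
```

Run it in an elevated session on the shared workstation after the Imprivata agent and the browser have been installed; it throws rather than leaving a half-configured shortcut behind.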

Clinical workflow

The following describes an example clinical workflow.

A nurse taps their proximity card to authenticate to a shared workstation that is secured by Imprivata Enterprise Access Management.

  • The Imprivata Integrated RunAs custom shortcut to Office 365 Outlook is on the desktop.

  • The nurse opens the shortcut to single sign-on into Outlook.

When the nurse is finished, they tap their proximity card to secure the workstation. All the applications that were in use by the nurse remain running, but are now secured behind the lock screen.

A physician taps their proximity card to authenticate to the shared workstation.

  • All of the nurse’s applications that were launched using Imprivata Integrated RunAs are automatically closed.

  • The physician opens the custom shortcut to access Office 365 Outlook.

When the physician is finished, they tap their proximity card to secure the workstation. All the applications that were in use by the physician remain running, but are now secured behind the lock screen.