Single Sign On for the MAM Console
Imprivata enables Single Sign On access to your MAM admin console and other Imprivata Admin Consoles, all from the Imprivata Access Management portal (access.imprivata.com).
Enabling SSO to the MAM admin console requires that you:
- Configure a connection to the Imprivata Cloud Platform.
- Configure an identity provider (IdP) to authenticate users to the Imprivata Access Management portal.
The MAM admin console only supports configuring one SAML provider.
If you use this method, it replaces any existing SAML configuration in your MAM environment.
Configure the Connection to the Imprivata Cloud Platform
Enabling SSO to the MAM Console requires that you configure a connection to the Imprivata Cloud Platform.
Imprivata Access Management Setup
- Contact the Imprivata Services team. Imprivata Services will create the following items for you:
  - Your Imprivata Cloud Platform tenant. Imprivata Services sends a Welcome email with a link to Imprivata Cloud Tenant Setup. Click the link in the email and follow the wizard to configure the connection.
  - Identity Provider (IdP) Metadata URL. You will use this information in the MAM console to configure the SAML connection to the Imprivata Cloud platform in a later step.
- The Imprivata Access Management setup supports several Imprivata products on the Imprivata Cloud Platform.
Some steps may require information from the MAM admin console or your identity provider (IdP) console.
Some steps may not be required for configuring Imprivata Mobile Access Management.
Before You Begin
Before you begin, take note of the following.
- Optional: a PNG, JPG, or GIF of your organization logo (200 x 100 pixels or smaller, max 100KB).
Configure an IdP to Authenticate Users to the Imprivata Access Management Portal
Enabling SSO to the MAM admin console requires that you configure a third-party IdP to authenticate administrators to the Imprivata Access Management portal.
You cannot use Imprivata as an internal IdP when configuring SSO for the MAM admin console.
You can configure Entra ID as an IdP to authenticate users to the Imprivata Access Management portal. You require access to the following to complete the configuration:
- The Imprivata Cloud Tenant Setup.
- The Microsoft Entra Admin center.
Save the Imprivata Service Provider Metadata
Use the Imprivata Access Management setup to create the Imprivata SP metadata file. You require this file when configuring the Entra ID enterprise application.
To create the metadata file:
- Open the Imprivata Access Management setup.
- Agree to the Cloud Features Agreement and enter information about your organization.
- Skip to the Identity Provider Connect screen.
- Copy the Imprivata SP metadata URL, paste it into a new browser tab, and save the page as an XML file.
Do not close the setup. You finish configuring the connection here after you configure the enterprise application.
Configure the Entra ID App
An Entra ID enterprise application is required to allow SAML-based SSO to the Imprivata Access Management portal.
To configure the enterprise application:
- From the Azure portal, go to Microsoft Entra ID.
- Click Manage > Enterprise Applications > New application.
- Click Create your own application.
- Enter a name for the application, select Integrate any other application you don't find in the gallery, and then click Create.
- From the Overview page, click Assign users and groups, and then add the Imprivata admin user group.
- Go to the Overview page, click Set up single sign-on, and then select SAML.
- Click Upload metadata file, and upload the Imprivata SP metadata file you created previously.
- Under Basic SAML Configuration, click Edit, and enter the following Sign on URL: https://access.imprivata.com
- Save the settings.
Copy and Save Entra App Values
Copy and save required federation and group attribute values from the enterprise application. You will use these values to complete the SAML configuration and specify the Imprivata admin group.
To locate the required values:
- Go to SAML certificates, and copy the App Federation Metadata URL.
- Under Attributes & Claims, click Edit, and copy the claim name for the user groups value.
  Example: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
  NOTE: If the user group claim does not exist, create it. When creating it, select Groups assigned to the application and use Group ID as the source attribute.
- Return to the Microsoft Entra ID Overview page.
- Click Manage > Groups > All groups.
- Locate the admin group and copy its object ID.
Return to the Imprivata Access Management setup to finish the configuration.
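The following added example (not Imprivata's or Microsoft's code) shows what the claim name copied above and the admin group object ID entered later in "Use the Entra App Values to Finish the Configuration" are matched against: the groups attribute in the SAML assertion the IdP issues. It uses a constructed assertion fragment with made-up Group IDs, applies the comma-separated object ID rule from that later step, and checks that the NameID is an email address as recommended; signature and audience validation of the assertion are assumed to happen upstream.

```python
import xml.etree.ElementTree as ET

# Namespace prefix used for SAML 2.0 assertion elements.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim name Entra ID uses for the groups claim (from the Entra app configuration).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion (not a real Entra ID response). The Group IDs are
# made-up object IDs, as emitted when "Group ID" is the claim's source attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@example.org</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml, attr_name):
    """Return every AttributeValue carried by the attribute named attr_name."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            values.extend((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return values


def parse_admin_values(configured):
    """Split the 'SAML attribute value' field: one or more comma-separated object IDs."""
    return {v.strip().lower() for v in configured.split(",") if v.strip()}


def grants_admin(assertion_xml, attr_name, configured_value):
    """True if any group in the assertion exactly matches a configured admin object ID."""
    admin_ids = parse_admin_values(configured_value)
    return any(v.lower() in admin_ids for v in attribute_values(assertion_xml, attr_name))


def nameid_is_email(assertion_xml):
    """Check that the subject uses the recommended emailAddress NameID format."""
    nameid = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS)
    return nameid is not None and nameid.get("Format", "").endswith("emailAddress")
```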
Use the Entra App Values to Finish the Configuration
With the federation and group attribute values you saved previously, use the Imprivata Access Management setup to finish the SAML configuration and specify the Imprivata admin group.
To finish the configuration:
- Open the Imprivata Access Management setup, and return to the Identity Provider Connect screen.
- Enter your organization's domain and a user-friendly display name.
- Enter the SAML IdP metadata URL from the enterprise application, and click Continue.
- Enter the user group claim name in SAML attribute name.
- Enter the object ID of the admin group in SAML attribute value, and click Continue.
  If you are specifying multiple admin groups, the object IDs must be comma-separated.
- Click access.imprivata.com to log in to the Imprivata Access Management portal.
Specifying a metadata URL allows for easier maintenance. The system automatically polls the URL at regular intervals.
This ensures that your IdP configuration stays up to date with the latest metadata, such as certificate changes.
If you upload a metadata file instead, the system does not update it automatically. From the Imprivata Access Management portal, you must edit the configuration to replace the file manually or switch to a URL.
The following are generic steps to configure any external third-party IdP to authenticate users to the Imprivata Access Management portal. For example, these steps apply to Ping Identity and Okta.
To configure your IdP:
- Open the Imprivata Cloud Tenant Setup wizard.
- If you have not already, agree to the Cloud Features Agreement and enter information about your organization.
- Go to the Identity Provider Connect screen.
- Copy the Imprivata SP metadata URL and provide it to your IdP. When configuring the IdP's application:
  - Specify https://access.imprivata.com for the single sign-on URL.
  - Recommended: configure email address as the NameID format for user identity.
  - Recommended: configure Group ID (rather than group name) as the source attribute for group claims.
- Enter the SAML IdP metadata URL, and click Continue.
- Enter the SAML name/value pair that identifies users with administrative access, and click Continue.
- Click Go to Access URL: access.imprivata.com to test the authentication workflow to access Imprivata Access Management.
Configure MAM SAML Settings
In the MAM admin console, configure SAML settings to connect to Imprivata Access Management.
Using the MAM admin console:
- Navigate to Admin > SAML.
- Switch the SAML Single Sign-on setting to ON. The Configure SAML Single Sign-on dialog opens.
- In the Identity Provider Display Name box, type a user-friendly display name for the Imprivata Cloud platform.
- In the Get Metadata XML from your Identity Provider section, paste the metadata URL you received from the Imprivata Services team. This is the Identity Provider (IdP) Metadata URL referenced in the Imprivata Access Management setup section above.
- Click Save.
Configure MFA for the Imprivata Access Management Portal
By default, Imprivata Identity administrators authenticate to the Imprivata Access Management portal using a single factor (a password).
- You can strengthen security by requiring a password + Imprivata ID.
- Before enabling multifactor authentication (MFA), be sure that administrators have enrolled Imprivata ID to prevent unintentional lockouts. Imprivata Identity administrators can use My Imprivata Identity (https://access.imprivata.com/self-service) to enroll additional authentication methods.
If you have configured SAML-based authentication through a third-party identity provider (IdP), MFA to the Imprivata Access Management portal is managed by the IdP.
To configure MFA:
- Log into the Imprivata Access Management portal (access.imprivata.com).
- Click the gear icon > Security.
- From Imprivata Access Management, select a security level that meets the needs of your organization.
- Click Save.
For more information about security levels, see the context-sensitive help that is available in the Imprivata Access Management portal.
Expected Authentication Workflow
The following details the expected authentication workflow:
- In your browser, go to the Imprivata Access Management portal (access.imprivata.com).
- Enter a username you associated with administrator access.
  The Imprivata Cloud Platform uses the administrator domain to locate your tenant in the cloud.
- The IdP you configured launches the authentication workflow for this user.
- After you successfully authenticate, click Launch to open the MAM admin console without further authentication.
If you have any other Imprivata products configured (and this user has access), their admin consoles are also available to launch from this page.