Single Sign On for the MAM Console

Imprivata enables Single Sign On access to your MAM admin console and other Imprivata Admin Consoles, all from the Imprivata Access Management portal (access.imprivata.com).

Enabling SSO to the MAM admin console requires that you:

  • Configure a connection to the Imprivata Cloud Platform.

  • Configure an identity provider (IdP) to authenticate users to the Imprivata Access Management portal.

IMPORTANT:

The MAM admin console only supports configuring one SAML provider.

If you use this method, it replaces any existing SAML configuration in your MAM environment.

Configure the Connection to the Imprivata Cloud Platform

Enabling SSO to the MAM Console requires that you configure a connection to the Imprivata Cloud Platform.

Imprivata Access Management Setup

  • Contact the Imprivata Services team. Imprivata Services will create the following items for you:

    • Your Imprivata Cloud Platform tenant. Imprivata Services sends a Welcome email with a link to Imprivata Cloud Tenant Setup. Click the link in the email and follow the wizard to configure the connection.

    • Identity Provider (IdP) Metadata URL. You will use this information in the MAM console to configure the SAML connection to the Imprivata Cloud platform in a later step.

IMPORTANT:

The Imprivata Access Management setup supports several Imprivata products on the Imprivata Cloud Platform.

Some steps may require information from the MAM admin console or your identity provider (IdP) console.

Some steps may not be required for configuring Imprivata Mobile Access Management.

Before You Begin

Before you begin, take note of the following.

  • Optional — a PNG, JPG, or GIF of your organization logo (200 x 100 pixels or smaller, max 100KB).

Configure an IdP to Authenticate Users to the Imprivata Access Management Portal

Enabling SSO to the MAM admin console requires that you configure an third-party IdP to authenticate administrators to the Imprivata Access Management portal.

NOTE:

You cannot use Imprivata as an internal IdP when configuring SSO for the MAM admin console.

You can configure Entra ID as an IdP to authenticate users to the Imprivata Access Management portal. You require access to the following to complete the configuration:

  • The Imprivata Cloud Tenant Setup.

  • The Microsoft Entra Admin center.

Save the Imprivata Service Provider Metadata

Using the Imprivata Access Management setup, copy the Imprivata SP metadata URL. You use this URL to save the metadata as an XML file, which you upload to your Entra app.

To save the metadata URL as an XML file:

  1. Open the Imprivata Access Management setup.

  2. If you have not already, agree to the Cloud Features Agreement and enter information about your organization.

  3. Go to the Identity Provider Connect screen.

  4. Copy the Imprivata SP metadata URL, paste it into a new browser tab, and save the page as an XML file.

  5. Do not close the wizard. You finish configuring the connection here after you configure your Entra app.

Configure the Entra ID App

Using the Microsoft Entra Admin center, configure the Entra ID app to support authentication into the Imprivata Access Management portal.

To configure the Entra app:

  1. In the Entra app, click Microsoft Entra ID > Manage > Enterprise Applications > New application.

  2. Click Create your own applications.

  3. Enter a display name for the application, select Integrate any other application you don't find in the gallery, and then click Create.

  4. Go to Overview > Assign users and groups, and add the users/groups who require administrative access to the Imprivata Access Management portal.

  5. Click Set up single sign-on, and select SAML as the single sign-on method.

  6. Click Upload metadata file and upload the Imprivata SP metadata file you created previously.

  7. Under Basic SAML Configuration, click Edit, specify https://access.imprivata.com for the single sign-on URL, and then click Save and Close.

Copy and Save Entra App Values

Using the Microsoft Entra Admin center, copy and save the following Entra app values. You use the following values to finish the configuration in the Imprivata Cloud Tenant Setup:

  • The URL endpoint of federation metadata.

  • The SAML name/value pair that identifies users with administrative access.

To locate the required values:

  1. In the Entra app, go to SAML certificates, and copy the App Federation Metadata URL.

  2. Under Atttributes & Claims, click Edit.

  3. If one does not already exist, click Add a group claim.

    BEST PRACTICE:

    Use Group ID as the source attribute.

  4. Copy the claim name for groups.

    Example: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

  5. Locate the group of users that should have adminstrator access and copy the Object ID.

  6. Return to the Imprivata Cloud Tenant Setup to finish the configuration.

Use the Entra App Values to Finish the Configuration

Using the Imprivata Access Management setup, finish configuring Entra ID as an IdP using the Entra app values saved previously.

To finish the configuration:

  1. Open the Imprivata Access Management setup, and go to the Identity Provider Connect screen.

  2. Enter the SAML IdP metadata URL of the Entra app, and click Continue.

  3. Paste the administrator group's claim name into SAML attribute name.

  4. Paste the administrator group's Object ID into SAML attribute value, and click Continue.

  5. Click Go to Access URL: access.imprivata.com to test the authentication workflow to access the Imprivata Access Management portal.

NOTE:

Specifying a metadata URL allows for easier maintenance. The system automatically polls the URL at regular intervals. This ensures that your IdP configuration stays up to date with the latest metadata, such as certificate changes. If you upload a metadata file instead, the system does not update it automatically. From the Imprivata Access Management portal, you must edit the configuration to replace the file manually or switch to a URL.

The following are generic steps to configure any external third-party IdP to authenticate users to the Imprivata Access Management portal. For example, these steps apply to Ping Identity and Okta.

To configure your IdP:

  1. Open the Imprivata Cloud Tenant Setup wizard.

  2. If you have not already, agree to the Cloud Features Agreement and enter information about your organization.

  3. Go to the Identity Provider Connect screen.

  4. Copy the Imprivata SP metadata URL and provide it to your IdP. When configuring the IdP's application:

    • Specify https://access.imprivata.com for the single sign-on URL.

    • Recommended: configure email address as the NameID format for user identity.

    • Recommended: configure Group ID (rather than group name) as the source attribute for group claims.

  5. Enter the SAML IdP metadata URL, and click Continue.

  6. Enter the SAML name/value pair that identifies users with administrative access, and click Continue.

  7. Click Go to Access URL: access.imprivata.com to test the authentication workflow to access Imprivata Access Management.

Configure MAM SAML Settings

In the MAM admin console, configure SAML settings to connect to Imprivata Access Management.

Using the MAM admin console:

  1. Navigate to Admin > SAML.

  2. Switch the SAML Single Sign-on setting to ON. The Configure SAML Single Sign-on dialog opens.

  3. In Identity Provider Display Name box, type a user-friendly display name for the Imprivata Cloud platform.

  4. In the Get Metadata XML from your Identity Provider section, paste the metadata URL you received from the Imprivata Services team. This is the Identity Provider (IdP) Metadata URL referenced in the Imprivata Access Management setup section above.

  5. Click Save.

Expected Authentication Workflow

The following details the expected authentication workflow:

  1. In your browser, go to the Imprivata Access Management portal (access.imprivata.com).

  2. Enter a username you associated with administrator access.

    The Imprivata Cloud Platform uses the administrator domain to locate your tenant in the cloud.

  3. The IdP you configured launches the authentication workflow for this user.

  4. After you successfully authenticate, click Launch to open the MAM admin console without further authentication. If you have any other Imprivata products configured (and this user has access), their admin consoles are also available to launch from this page.