Face Recognition as an Authentication Method
Applies to iOS and Android devices.
Imprivata Mobile Access Management supports face recognition as an authentication method for device check out, using the integration with Imprivata Enterprise Access Management as the identity provider.
Face Recognition Authentication Methods for Device Check Out
Some combinations of authentication factors available in Imprivata Enterprise Access Management are not supported by Mobile Access Management for device Check Out.
The following table illustrates the EAM primary and secondary authentication method selections and the resulting Check Out behaviors in MAM when used with face recognition.
| Primary | Secondary | Device Check Out Behavior |
|---|---|---|
| Face recognition | Password | Check Out is initiated by the user taking a device out of the Smart Hub |
| Face recognition | Proximity Card | Check Out is initiated by the user tapping their proximity card on a Launchpad |
| Face recognition | Security Key or Imprivata PIN or Proximity Card | Check Out is initiated by the user tapping their proximity card on a Launchpad |
Prerequisites
Take note of the following prerequisites:
- Imprivata enabled the Check Out feature for your organization.
- You have met the prerequisites for the Check Out and Password AutoFill features, including appropriate Imprivata licensing.
- You configured the integration with Imprivata Enterprise Access Management as your identity provider (IdP).
Requirements
- The Imprivata Cloud Connect service to your tenant on the Imprivata Cloud Platform must be up and running.
- Users in a policy enabled for face recognition must be synced from Active Directory (AD) to Entra ID.
- The cloud must be synced from AD to Entra ID with Entra Connect.
- Users must already have their username and password enrolled with Imprivata Enterprise Access Management SSO, and they must have used their username and password against the Imprivata appliance at least once. This includes logging into their desktop, or logging into the Imprivata enrollment utility.
- Internet access is required for facial biometric authentication. If the device cannot connect with your Imprivata Cloud Platform, an error message will appear during authentication. In this scenario, the user can select another authentication method (password, Imprivata PIN, etc.) to complete the authentication.
- Imprivata Licensing: Face recognition authentication requires an Authentication Management license and a Confirm ID for Remote Access license.
- Imprivata Locker app requirements:
  - iOS — Imprivata Locker for iOS 4.0 or later.
  - Android — Imprivata Locker for Android 2.0 or later.
- The user must grant access to the device's camera to use face recognition.
Additional Resources
For more information, see the Imprivata Enterprise Access Management online help.
Before You Begin
Face recognition authentication for MAM requires:
- The Imprivata appliances in your Imprivata enterprise must be running Imprivata Enterprise Access Management 25.2 or later. For more information on upgrading your Imprivata appliances, see the Imprivata Upgrade portal.
- Complete the connection between your Imprivata enterprise and your tenant on the Imprivata Control Center. See Secure Connection to Imprivata Cloud Platform.
Secure Connection to Imprivata Cloud Platform
Configure the secure connection between your Imprivata appliance and the Imprivata Cloud Platform. To confirm whether this connection is complete, on the Imprivata Admin Console, see the Status panel on the right-hand side. Look for a green checkmark icon for Access Management integration.
Setup Wizard
Contact Imprivata Services. Services will create a Cloud Tenant for your enterprise, and send a Welcome email with a link to the Cloud Tenant Setup wizard. Click the link in the email and follow the wizard to complete the secure connection.
Before You Begin
- You need a PNG, JPG, or GIF of your organization logo (200 x 100 pixels or smaller, max 100KB).
- You need access to your Imprivata Admin Console.
Wizarding Steps
The setup wizard leads you through the following steps:
- Agree to the Data Processing Addendum.
- In the Imprivata Admin Console, go to the gear icon > Imprivata Access Management integrations.
- On the Imprivata Access Management integration page, you will see the following status message: Unable to verify integration. Unable to connect to Imprivata Access Management. On this page, copy the Enterprise integration ID to your clipboard.
- In the Cloud Tenant Setup Wizard, paste the Enterprise integration ID.
- Click Create integration token and then Copy integration token.
- In the Imprivata Admin Console > Imprivata Access Management integration page, paste the integration token, and click Integrate.
- To enable SSO to the Imprivata Control Center using your SAML IdP: before you leave this page, select Administrator console single sign-on using SAML.
- Copy the Imprivata SP metadata URL and provide it to your IdP.
  NOTE:
  - Sign On URL — https://access.imprivata.com
  - Logout URL — copy your ACS URL, and replace /saml2/acs with /saml2/slo/redirect
  - Recommended — Configure Group ID (rather than group name) as the source attribute for group claims.
- Enter your IdP's SAML metadata in the wizard.
- Configure the groups that identify users with administrative access.
- Add your organization's business email address, user-facing name, and logo.

With Microsoft Entra ID as the SAML IdP, the wizard steps from the integration token onward are as follows:
- In the Imprivata Admin Console > Imprivata Access Management integration page, paste the integration token, and click Integrate.
- Before you leave this page, select Administrator console single sign-on using SAML.
- Copy the Imprivata SP metadata URL.
- In the Entra app, select Microsoft Entra ID > Manage > Enterprise applications and select New application. Then select Create your own application.
- Enter a display name for your new application, select Integrate any other application you don't find in the gallery, then select Create.
- Go to Overview > Assign users and groups, and add users/groups.
- Select Set up single sign-on.
- Select SAML as the single sign-on method.
- Click Upload metadata file and upload the Imprivata SP metadata file you created earlier.
- For Basic SAML Configuration, provide the Sign on URL https://access.imprivata.com.
- For Logout Url, copy the Reply URL (Assertion Consumer Service URL) located higher up on the page and paste it, replacing /saml2/acs with /saml2/slo/redirect.
- Click Save and close the Basic SAML Configuration applet.
- Under SAML Certificates, copy the App Federation Metadata Url.
- Back in the Imprivata Setup Wizard, enter Entra's SAML IdP metadata URL in the wizard.
- Click Continue, which will take you to a page to configure security groups for admin access.

The next section asks you to configure SAML group claims to authorize administrators. Admins can modify the SAML configuration and generate additional integration tokens later.
- In the Entra app, click Attributes & Claims > Edit.
- Click Add a group claim if there isn't one already. Best Practice: use Group ID as the source attribute. Click Save.
- Copy the claim name for groups from Entra ID (for example, http://schemas.microsoft.com/ws/2008/06/identity/claims/groups).
- In the Imprivata setup wizard > Identity Provider: Connect page, paste the claim name into the field for SAML attribute name.
- In the Entra app, copy the Object ID for a group that should have administrator access to Imprivata.
- In the Imprivata setup wizard > Identity Provider: Connect page, paste the Object ID for SAML attribute value. You can enter multiple groups separated by commas.
- In the Imprivata setup wizard, click Continue. Add your organization's business email address, user-facing name, and logo.
- Click Continue to complete the wizard.
- Click Go to access.imprivata.com to test your expected workflow for accessing the Imprivata Control Center.
- At the login screen, enter an email address with the same domain you configured in the setup wizard, and click Continue. You will be redirected to your Entra ID login screen.
- After authenticating with Entra ID, you will be redirected to your Imprivata Control Center.

You can also create the secure connection manually, after Imprivata Services has created a Cloud Tenant for your enterprise.
If you configured your SAML IdP, but did not complete the steps from the Cloud Tenant Setup Wizard to connect your Imprivata enterprise, you can still generate an integration token by logging into the Imprivata Cloud Platform from access.imprivata.com.
Before you begin, in the Imprivata Admin Console > Imprivata cloud services status panel, Access Management integration is "greyed out".
- In the Imprivata Admin Console, go to the gear icon > Imprivata Access Management integrations.
- On the Imprivata Access Management page, you will see the following status message: Unable to verify integration. Unable to connect to Imprivata Access Management. On this page, copy the Enterprise integration ID to your clipboard.
- Leave this console open, and in a separate browser window, log into the Imprivata Cloud Platform.
- On the gear icon > Integrations tab, paste the Enterprise integration ID, and click Create integration token.
- After the token appears onscreen, click Copy integration token.
- Return to the Imprivata Admin Console > Imprivata Access Management page, paste the integration token in the field provided, and click Integrate. When successful, the status message will read Integrated with Imprivata Access Management tenant, and your tenant ID is displayed. The Imprivata cloud services status panel on the Imprivata Admin Console also shows the new integration.
NOTE: This integration applies to every appliance in the enterprise.
NOTE: If you need to connect additional enterprises to this cloud tenant, or re-establish this connection, return to the Integrations tab to create an integration token again.
Stopping and Restarting This Connection
You can stop and restart this connection for the whole enterprise from any Imprivata Appliance Console, or on an appliance-by-appliance basis. The two statuses for the connection are Running or Disabled (stopped).
- In the Imprivata Appliance Console, go to System > Operations > Imprivata Cloud Connect. The Imprivata Cloud Connect status is either Running or Disabled (stopped).
- Select Stop/restart options.
- Select from:
  - Stop Imprivata Cloud Connect on this appliance
  - Restart Imprivata Cloud Connect on this appliance
  - Stop Imprivata Cloud Connect on all appliances
  - Restart Imprivata Cloud Connect on all appliances
  NOTE: In this context, "Restart" means "start this stopped connection" and also "restart this connection that is already running".
- Click Go.
Configure Microsoft Entra ID

- Go to Microsoft Entra ID > Manage > Security, and select Manage > Named locations.
- Select IP ranges location.
- Enter a name for the new location ("Imprivata Cloud", for example) and select Mark as trusted location.
- Add the following IP addresses:
  - 44.207.16.175/32
  - 44.196.189.191/32
  - 34.195.47.118/32
- Click Save.

If you use "per-user" multifactor authentication, then add the Imprivata Cloud Platform to the "per-user" MFA trusted IPs:
- Go to Entra ID Overview > Manage > Users, and select Per-user multifactor authentication.
- Select the Service settings tab.
- Add the same IP addresses from the Trusted Locations field, above:
  - 44.207.16.175/32
  - 44.196.189.191/32
  - 34.195.47.118/32
- Click Save.

- Go to Entra ID Overview > Manage > Microsoft Entra Connect.
- Select Connect Sync. Verify that Password Hash Sync is enabled. Otherwise, configure Password Hash Synchronization in the Microsoft Entra Connect Sync Agent.
Configure Enterprise Access Management

Contact Imprivata Services. Services will create a Cloud Tenant for your enterprise, and send a Welcome email with a link to the Cloud Tenant Setup wizard. Click the link in the email and follow the wizard to complete the secure connection:
- Click Get Started, then Continue. At the Connect Entra ID step, copy the Tenant ID from your Entra ID portal.
- Enter the Tenant ID in the wizard, and click Continue to Entra ID Authentication.
- You will be redirected to a Microsoft login. Log in as someone with Global Administrator or Privileged Role Administrator privileges.
- You will be prompted to authorize Imprivata's verified application with the following permissions:
  - Read all groups
  - Read all users' full profiles
  - Read all group memberships
  - Sign in and read user profile
- Click Accept to grant Imprivata Cloud access to the Entra ID tenant.

This step is needed if you are using federated authentication. The Imprivata Cloud Platform must be able to validate user passwords when they are typed in. In a federated environment, Imprivata must prevent these calls from being redirected to the federated identity provider (IdP). You must change the home realm discovery policy for authentication from the Imprivata Cloud to your Entra ID tenant only. This applies only to authentication calls made by the Imprivata Astra Azure AD Sync application.
To create and apply the Home Realm Discovery policy:
- Log in to Microsoft Graph Explorer. To make it more secure, log in as the Global Administrator.
- Consent to the Microsoft Graph Explorer application in your tenant. For more information, see the Microsoft Graph API documentation.
- Create a home realm discovery policy by making the following HTTP request:
  POST https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies
  Request body: supply a JSON representation of the homeRealmDiscoveryPolicy object. Note that each entry in definition is itself a JSON document encoded as a string:
  ```json
  {
    "displayName": "yourPolicyName",
    "definition": [
      "{\"HomeRealmDiscoveryPolicy\": {\"AllowCloudPasswordValidation\": true}}"
    ],
    "isOrganizationDefault": false
  }
  ```
  Response: if successful, this method returns a 201 Created response code and a new homeRealmDiscoveryPolicy object in the response body. Example response:
  ```json
  {
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/homeRealmDiscoveryPolicies",
    "value": [
      {
        "id": "239cbead-1111-654a-9f50-1467d691aaa",
        "deletedDateTime": null,
        "definition": [
          "{\"HomeRealmDiscoveryPolicy\" : { \"AllowCloudPasswordValidation\": true } }"
        ],
        "displayName": "Exclude Federated Authentication ",
        "isOrganizationDefault": false
      }
    ]
  }
  ```
- Assign the home realm discovery policy to the Imprivata Astra Azure AD Sync application by making the following HTTP request:
  POST https://graph.microsoft.com/v1.0/servicePrincipals/<the Imprivata Astra Azure AD Sync application object id>/homeRealmDiscoveryPolicies/$ref
  Request body: supply the identifier of the homeRealmDiscoveryPolicy object that should be assigned:
  ```json
  {
    "@odata.id": "https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/<yourHomeRealmDiscovery_PolicyID>"
  }
  ```
  Response: if successful, this method returns a 204 No Content response code.
- Verify that the home realm discovery policy was successfully applied to the service principal by making the following HTTP request:
  GET https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/<homeRealmDiscoveryPolicy object id>/appliesTo
  Response:
  ```json
  {
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
    "value": [
      {
        "@odata.type": "#microsoft.graph.servicePrincipal",
        "id": "c1f8e0d4-25b0-46b2-aaa8-827822631a33",
        ...
  ```
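The three Graph calls above can be scripted so that the policy definition is generated as strict JSON, the assignment is checked for the expected 204, and the appliesTo verification is done programmatically rather than by eye. The following is an added example written for this page, not Imprivata's or Microsoft's code. It assumes a GRAPH_TOKEN environment variable holding a Microsoft Graph bearer token that is permitted to write policies and service principal policy assignments, and an SP_OBJECT_ID environment variable holding the object id of the Imprivata Astra Azure AD Sync service principal (the all-zero id in the code is a placeholder). When GRAPH_TOKEN is unset it runs against a constructed in-memory stand-in for the three endpoints, so it can be exercised offline; the stand-in rejects a definition string that is not valid JSON, which is the failure a hand-edited definition with a trailing comma would produce.

```python
"""Create, assign and verify an Entra ID homeRealmDiscoveryPolicy through Microsoft Graph.

Added example, not Imprivata or Microsoft code. Assumptions: GRAPH_TOKEN holds a
Microsoft Graph bearer token permitted to write policies and service principal
assignments; SP_OBJECT_ID is the object id of the Imprivata Astra Azure AD Sync
service principal (SP_PLACEHOLDER below is a placeholder). Without GRAPH_TOKEN the
script uses a constructed in-memory stand-in for Graph so it runs offline.
"""
import json
import os
import urllib.request
from typing import Callable, Dict, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
POLICY_NAME = "Exclude Federated Authentication"        # display name used on the page
SP_PLACEHOLDER = "00000000-0000-0000-0000-000000000000"  # placeholder: replace with the real object id

# A transport takes (method, url, json_body_or_None) and returns (http_status, json_body).
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


def build_definition() -> str:
    """The policy 'definition' is a JSON document serialised *as a string*.
    Building it with json.dumps guarantees strict JSON (no trailing comma)."""
    inner = {"HomeRealmDiscoveryPolicy": {"AllowCloudPasswordValidation": True}}
    return json.dumps(inner, separators=(",", ":"))


def validate_definition(definition: str) -> bool:
    """Pre-flight check: the string must parse and must enable cloud password validation."""
    try:
        parsed = json.loads(definition)
    except json.JSONDecodeError:
        return False
    hrd = parsed.get("HomeRealmDiscoveryPolicy") if isinstance(parsed, dict) else None
    return isinstance(hrd, dict) and hrd.get("AllowCloudPasswordValidation") is True


def graph_transport(token: str) -> Transport:
    """Real transport: bearer-authenticated HTTPS calls to Microsoft Graph."""
    def send(method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    return send


def create_policy(send: Transport, name: str, definition: str) -> str:
    """POST /policies/homeRealmDiscoveryPolicies; returns the new policy id (expects 201)."""
    if not validate_definition(definition):
        raise ValueError("definition is not valid JSON or does not enable cloud password validation")
    body = {"displayName": name, "definition": [definition], "isOrganizationDefault": False}
    status, resp = send("POST", f"{GRAPH}/policies/homeRealmDiscoveryPolicies", body)
    if status != 201:
        raise RuntimeError(f"policy creation failed: HTTP {status} {resp}")
    return resp["id"]


def assign_policy(send: Transport, sp_object_id: str, policy_id: str) -> bool:
    """POST /servicePrincipals/{id}/homeRealmDiscoveryPolicies/$ref; True only on 204."""
    body = {"@odata.id": f"{GRAPH}/policies/homeRealmDiscoveryPolicies/{policy_id}"}
    url = f"{GRAPH}/servicePrincipals/{sp_object_id}/homeRealmDiscoveryPolicies/$ref"
    status, _ = send("POST", url, body)
    return status == 204


def policy_applies_to(send: Transport, policy_id: str, sp_object_id: str) -> bool:
    """GET /policies/homeRealmDiscoveryPolicies/{id}/appliesTo; True if the SP is listed."""
    status, resp = send("GET", f"{GRAPH}/policies/homeRealmDiscoveryPolicies/{policy_id}/appliesTo", None)
    return status == 200 and any(
        obj.get("@odata.type") == "#microsoft.graph.servicePrincipal" and obj.get("id") == sp_object_id
        for obj in resp.get("value", []))


def apply_hrd_policy(send: Transport, sp_object_id: str) -> bool:
    """Full procedure from the page: create, assign, verify. Returns the verification result."""
    policy_id = create_policy(send, POLICY_NAME, build_definition())
    if not assign_policy(send, sp_object_id, policy_id):
        raise RuntimeError("assignment to the service principal was not confirmed (expected 204)")
    return policy_applies_to(send, policy_id, sp_object_id)


def fake_transport() -> Transport:
    """Constructed in-memory stand-in for the three Graph endpoints, for offline runs."""
    policies: Dict[str, dict] = {}
    assigned: Dict[str, list] = {}

    def send(method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        if method == "POST" and url.endswith("/policies/homeRealmDiscoveryPolicies"):
            if not all(validate_definition(d) for d in body["definition"]):
                return 400, {"error": {"message": "Invalid policy definition"}}
            policy_id = f"{len(policies) + 1:08d}-0000-0000-0000-000000000001"
            policies[policy_id] = body
            return 201, {"id": policy_id, **body}
        if method == "POST" and url.endswith("/homeRealmDiscoveryPolicies/$ref"):
            sp_id = url.split("/servicePrincipals/")[1].split("/")[0]
            policy_id = body["@odata.id"].rsplit("/", 1)[1]
            if policy_id not in policies:
                return 404, {"error": {"message": "Policy not found"}}
            assigned.setdefault(policy_id, []).append(sp_id)
            return 204, {}
        if method == "GET" and url.endswith("/appliesTo"):
            policy_id = url.split("/homeRealmDiscoveryPolicies/")[1].split("/")[0]
            return 200, {"value": [{"@odata.type": "#microsoft.graph.servicePrincipal", "id": sp_id}
                                   for sp_id in assigned.get(policy_id, [])]}
        return 404, {}
    return send


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    sp_id = os.environ.get("SP_OBJECT_ID", SP_PLACEHOLDER)
    transport = graph_transport(token) if token else fake_transport()
    print("policy applied to service principal:", apply_hrd_policy(transport, sp_id))
```

The transport is injected so the same create/assign/verify logic runs unchanged against Graph or against the stand-in; against a live tenant, a 4xx from urlopen surfaces as an HTTPError, which is the right place to inspect the Graph error body before retrying.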

Configure the secure connection between your Imprivata appliance and the Imprivata Cloud Platform. To confirm whether this connection is complete, on the Imprivata Admin Console, see the Status panel on the right-hand side. Look for a green checkmark icon for Access Management integration. Before you begin, Access Management integration is "greyed out".
- In the Imprivata Admin Console, go to the gear icon > Imprivata Access Management integrations.
- On the Imprivata Access Management page, you will see the following status message: Unable to verify integration. Unable to connect to Imprivata Access Management. On this page, copy the Enterprise integration ID to your clipboard.
- Leave this console open, and in a separate browser window, log into the Imprivata Cloud Platform.
- On the Settings > System page, go to Enterprise Access Management integration, paste the Enterprise integration ID, and click Create integration token.
- After the token appears onscreen, click Copy integration token.
- Return to the Imprivata Admin Console > Imprivata Access Management page, paste the integration token in the field provided, and click Integrate. When successful, the status message will read Integrated with Imprivata Access Management tenant, and your tenant ID is displayed. The Imprivata cloud services status panel on the Imprivata Admin Console also shows the new integration.
NOTE: This integration applies to every appliance in the enterprise.

- In the Enterprise Access Management Admin Console, go to the User policies page > Authentication tab > Desktop Access authentication section.
- Select Face recognition as a primary factor.
- Select a second factor for Face recognition.
- Select another primary factor if needed, for example if users in this policy must authenticate via password where Face recognition authentication is not available.
- Click Save.

Depending on the authentication methods defined in the user policy and computer policy, ensure that you have configured the appropriate grace periods for the second authentication factor. For example, when using proximity cards as the second authentication factor, you can set a grace period for the second factor after successful authentication, up to 24 hours 59 minutes. The settings are available in the Authentication method options section of the Authentication tab in the Imprivata Admin Console.

Mobile Access Management organizations with Check Out using EAM as the identity provider (IdP) create a host (computer) in EAM for every Launchpad registered. That computer in EAM gets a computer policy, which must have Proximity Card enabled for a checkout with a proximity card tap to work.
- Confirm that there is no override in the computer policy that the Launchpads are assigned to.
- Confirm that the user policies your mobile users are assigned to allow proximity cards as a primary factor.
If both of the above conditions are true, no changes are needed. However, if an override is already enabled within the computer policy the Launchpads are in, ensure that Proximity Card is allowed in the override. If this is not possible or allowed for your organization, Imprivata suggests moving the Launchpads into a separate computer policy.
If you've performed the validations above, and computer policy changes are indeed needed for your environment, follow these steps.