Before you begin:

• Review the Imprivata OneSign Supported Components in the Imprivata Environment Reference to confirm that your thin client models and firmware versions are supported.

• An Imprivata OneSign Authentication Management (AM) or Imprivata OneSign AM/Single Sign–On (SSO) license is required for this workflow.

This workflow is designed to be persistent and requires Citrix Sessions to be configured to Logout on disconnect in your Citrix Environment. Reconnecting to existing Fast User Switching sessions can result in PHI exposure.

The URL required to configure the thin client connection to Citrix depends on how users are to access the Citrix store:

• Storefront Web Site URL – If the store is configured with a Web Site Store URL, the thin client communicates with Citrix using the respective URL.

  Example: If the store is configured with https//example.com/Citrix/SalesStore, then configure the thin client connection with https//example.com/Citrix/SalesStoreWeb.

• XenApp Services URL – If the store is configured with a XenApp Services URL, the thin client communicates with Citrix using the respective URL.

  Example: If store is configured with https://example.com/Citrix/SalesStore/PNAgent/config.xml, then configure the thin client connection with https://example.com/Citrix/SalesStore/PNAgent/config.xml.

Additional Citrix configuration is required to support native connections to Citrix StoreFront stores. The Citrix store must be configured with the following authentication methods to support Imprivata OneSign:

• User name and password

• Domain pass-through

• HTTP basic — Even if the store is configured for HTTPS, this authentication method is required.

To configure the required authentication methods:

1. Open Citrix Studio.

2. Go to Citrix StoreFront > Receiver for Web.

3. Select the store you want to manage.

4. In the Store Web Receiver pane, click Choose Authentication Methods.

5. Click Add/Remove Methods and enable the required methods.

If Automatically reconnect on session end is enabled, the thin client keeps a Citrix session established, even when the endpoint is not in use. For example, the thin client automatically establishes a Citrix session and launches the published application when the thin client starts, a user logs off, or the Citrix session times out.

Although keeping a session established streamlines the end user workflow, the thin client always consumes a Citrix license, as detailed by the following:

1. The kiosk workstation starts and establishes a Citrix session using generic user credentials.

   • Establishing a Citrix session consumes a license.

   • Although the Epic session is established, the generic user is not authenticated.

2. The workstation remains unlocked and displays the Imprivata login window.

   • Epic is the only application available on the workstation.

   • While Epic runs under the generic credentials, a Citrix license remains consumed.

3. User 1 (Nurse) authenticates to Imprivata OneSign and begins working in Epic.

   The same Citrix license remains consumed.

4. User 1 completes their work and taps their proximity card.

5. • The Citrix session remains open.

   • Based on the computer policy settings, user 1 is either logged off or Epic is secured.

5. User 2 (Doctor) authenticates to the kiosk workstation.

   • The Imprivata Connector for Epic Hyperdrive executes the user switch.

   • User 2 is logged into Epic.

6. User 2 completes their work and taps their proximity card.

   • The Citrix session remains open.

   • Based on the computer policy settings, user 2 is either logged off or Epic is secured.

7. If the user closes Epic, the Citrix license is released.

8. The thin client automatically establishes another Citrix session using the generic user credentials.

   While the workstation remains unlocked, a Citrix licensed is consumed.

If Automatically reconnect on session end is disabled, the thin client does not establish a Citrix session when it starts or the user session ends. Instead, the endpoint prompts the user to start the session.

Although re-establishing the Citrix session to launch the application can take longer than launching it from an established connection, a Citrix license is only consumed when the endpoint is in use, as detailed by the following:

1. The kiosk workstation starts.

   • The thin client prompts users to start a session.

   • A Citrix license is not consumed while the workstation remains unused.

2. User 1 (Nurse) clicks Connect now.

   The thin client establishes a Citrix session using the generic user credentials:

   • Establishing a Citrix session consumes a license.

   • Although the Epic session is established, the generic user is not authenticated.

3. The workstation is unlocked and displays the Imprivata login window.

   • Epic is the only application available on the workstation.

   • While Epic runs under the generic credentials, a Citrix license remains consumed.

4. User 1 authenticates to Imprivata OneSign and begins working in Epic.

   The same Citrix license remains consumed.

5. User 1 completes their work and taps their proximity card.

6. • The Citrix session remains open.

   • Based on the computer policy settings, user 1 is either logged off or Epic is secured.

6. User 2 (Doctor) authenticates to the kiosk workstation.

   • The Imprivata Connector for Epic Hyperdrive executes the user switch.

   • User 2 is logged into Epic.

7. User 2 completes their work and taps their proximity card.

   • The Citrix session remains open.

   • Based on the computer policy settings, user 2 is either logged off or Epic is secured.

8. If the user closes Epic, the Citrix license is released.

9. The thin client prompts users to start a session.

   A Citrix license is not consumed while the workstation remains unused.

Session persistence (roaming) can result in users obtaining an incorrect session when moving from one shared workstation to another.

To prevent roaming, you can take one of the following actions:

• Create a unique generic user for each shared workstation in the environment.

• Disable session roaming in Citrix workspace control.

A generic user account is required to log into the thin client and establish a session with the published application. When adding the generic user to your user directory, consider the following:

• These credentials are only used to automatically log in and deliver the published application.

• The generic user account must have access to the Citrix Delivery group that references the machine catalog of the application.

• To support Citrix SAML connections for fast user switching, the generic user account must be enrolled in Imprivata OneSign.

Use the Imprivata ProveID Embedded configuration editor to configure each thin client as a single application kiosk.

To enable the setting:

1. From the thin client, open a terminal.

2. Type the following:

   /usr/lib/imprivata/runtime/bin/configuration-editor vdi --single-application-kiosk true

3. Press Enter.

Configure the thin client to connect to the published application using the generic user credentials.

To configure the connection:

1. Connect to the device through an SSH session.

2. Type the following command:

   /usr/lib/imprivata/bin/python /usr/lib/imprivata/runtime/bin/fus-storage citrix -u <GenericUser> -d <GenericUserDomain> -p '<GenericUserPassword>' -s https://<CitrixStoreURL> -r PublishedApplicationName [--saml]

   Note regarding the optional --saml argument:

   • To enable SAML connections for fast user switching (FUS) for this thin client, include the --saml argument. Otherwise, omit that argument.

   • Citrix SAML connections for fast user switching for a thin client can also be enabled in the Agent VDI section of the ProveID Embedded configuration for that thin client, as described in ProveID Embedded Configuration Editor.

   Examples:

   • Storefront Website URL

     /usr/lib/imprivata/bin/python /usr/lib/imprivata/runtime/bin/fus-storage citrix -u exampleuser -d imprivatainc -p 'Pa$$word' -s https//example.com/Citrix/SalesStoreWeb -r application

   • XenApp Services URL

     /usr/lib/imprivata/bin/python /usr/lib/imprivata/runtime/bin/fus-storage citrix -u exampleuser -d imprivatainc -p 'Pa$$word' -s https://example.com/Citrix/SalesStore/PNAgent/config.xml -r application

3. Press Enter.

Install the Imprivata Citrix or Terminal Server agent (type 3) on the Citrix server that is delivering the published application.

For more information on installing the Imprivata agent, see Deploying the Imprivata Agent.

Install the Imprivata Connector for Epic Hyperdrive on all of the servers that are delivering Epic. Consider the following:

• The same Imprivata Connector for Epic Hyperdrive installer supports both 32-bit and 64-bit operating systems.

• The Imprivata Connector for Epic Hyperdrive can only be used with one version of Epic on a given workstation.

To install:

1. Run the installer (ImprivataConnectorforEpicHyperspace.msi).

   The installer automatically detects the version of Hyperspace installed and installs the appropriate Imprivata Connector for Epic Hyperdrive files for that version. If multiple versions of Hyperspace are detected or if Hyperspace is not installed, the Imprivata Connector for Epic Hyperdrive installer prompts you to select one version of Epic.

2. Restart the server.

The Imprivata Connector for Epic Hyperdrive is automatically installed in the same directory in which the Imprivata agent is installed. The default directory is:

• 32-bit — C:\Program Files\Imprivata\OneSign Agent\EpicConnector

• 64-bit — C:\Program Files (x86)\Imprivata\OneSign Agent\EpicConnector

Create the User Policy

To create the user policy:

1. In the Imprivata Admin Console, click Users > User policies.

2. Click Add, and enter a policy name.

3. Go to the Desktop Authentication section, and select the allowed authentication methods.

   NOTE: The additional Imprivata ID settings that are available in the Authentication method options section do not apply to Secure Walk Away.

4. Save the policy.

Assign the User Policy

To assign users to the policy:

1. In the Imprivata Admin Console, click Users > Users.

2. Do one of the following:

   • Manually select users, and then click Apply Policy.

   • Click Bulk Actions > Assign User Policies to download a sample CSV file.

3. Modify this file to map multiple users to the policy, and then import it.

Create the Computer Policy

To create a computer policy:

1. In the Imprivata Admin Console, go to the Computers menu > Computer Policies page.

2. Click Add, and then enter a name for the computer policy.

3. On the Shared Workstation tab, go to the Kiosk Workstations section.

4. Select Allow Fast User Switching with Citrix or Terminal Servers.

5. Do one of the following:

   • To have the thin client start the Citrix session, select Automatically reconnect on session end.

   • To have users start the Citrix session, deselect Automatically reconnect on session end.

6. Select one of the following in the Windows Authentication section:

• Authenticate using Windows

• Authenticate using Imprivata

  This setting skips Windows authentication, and is useful if the kiosk workstation is not in a trusted domain.

7. On the Connector for Epic tab, go to the Epic single sign-on workflows > Workstation single sign-on section, and select Epic Only.

8. Select either Log out of Epic and switch Epic user (tap over) or Secure Epic and switch Epic user (tap over).

9. Click Save.

Assign the Computer Policy

There are a number of different ways to assign a computer policy. Computer policy assignment rules are an efficient method. They let you assign the policy to multiple workstations at once, and are automatically applied to computers that are added to the enterprise later.

To assign the computer policy:

1. In the Imprivata Admin Console, click Computers > Computer policy assignment.

2. At the top of the assignment pane, select a Site location and Schedule the frequency at which the rule runs. This setting applies to all assignment rules.

3. Click Add New Rule, and name it.

4. Select one of the following options:

   1. Active directory groups — Select one or more groups to add. When you close the group selection window the rule displays the number of groups you chose.

   2. Active directory OUs (Organizational Units) — Select one or more OUs to add. When you close the group selection window the rule displays the number of OUs you chose.

   3. Computer IP address — Enter the range of IP addresses to include in this computer policy

   4. Computer host name — A computer matches if its host name contains the text entered in this field

   5. Imprivata agent type — Choose an agent type from the list

5. Select a policy from Apply this computer policy.

6. Click Save.

To create the computer policy:

1. In the Imprivata Admin Console, go to the Computers menu > Computer policies page.

2. Click Add and name the policy.

3. On the Citrix or Terminal Server tab, go to the Fast User Switching section.

NOTE: The settings in the section Authenticating generic user or anonymous Citrix XenApp or Terminal Server sessions are not used in a ProveID Embedded environment.

4. Under Endpoints with an installed ProveID Embedded agent, select Allow Fast User Switching with the remote server if allowed in computer policy.

5. Save the policy and assign it to the Citrix server.