Face Recognition as an Authentication Method

The setup wizard leads you through the following steps:

1. Agree to the Data Processing Addendum
2. In the Imprivata Admin Console, go to the gear icon > Imprivata Access Management integrations.
3. On the Imprivata Access Management integration page, you will see the following status message: Unable to verify integration. Unable to connect to Imprivata Access Management.
   On this page, copy the Enterprise integration ID to your clipboard.
4. In the Cloud Tenant Setup Wizard, paste the Enterprise integration ID.
5. Click Create integration token and then Copy integration token.
6. In the Imprivata Admin Console > Imprivata Access Management integration page, paste the integration token, and click Integrate.
7. To enable SSO to the Imprivata Control Center using your SAML IdP: Before you leave this page, select Administrator console single sign-on using SAML
8. Copy the Imprivata SP metadata URL and provide it to your IdP.
   NOTE:
   Sign On URL — https://access.imprivata.com
   Logout URL — copy your ACS URL, and replace /saml2/acs with /saml2/slo/redirect
   Recommended — Configure Group ID (rather than group name) as the source attribute for group claims.
9. Enter your IdP’s SAML metadata in the wizard.
10. Configure the groups that identify users with administrative access.
11. Add your organization’s business email address, user-facing name, and logo.

1. In the Imprivata Admin Console > Imprivata Access Management integration page, paste the integration token, and click Integrate.
2. Before you leave this page, select Administrator console single sign-on using SAML
3. Copy the Imprivata SP metadata URL.
4. In the Entra app, select Microsoft Entra ID > Manage > Enterprise applications and select New application. Then select Create your own application.
5. Enter a display name for your new application, select Integrate any other application you don’t find in the gallery, then select Create.
6. Go to Overview > Assign users and groups, and add users/groups.
7. Select Set up single sign-on.
8. Select SAML as the single sign-on method.
9. Click Upload metadata file and upload the Imprivata SP metadata file you created earlier.
10. For Basic SAML Configuration, provide the Sign on URL https://access.imprivata.com
11. For Logout Url, copy the Reply URL (Assertion Consumer Service URL) located higher up on the page and paste it, replacing /saml2/acs with /saml2/slo/redirect.
12. Click Save and close the Basic SAML Configuration applet
13. Under SAML Certificates, copy the App Federation Metadata Url.
14. Back in the Imprivata Setup Wizard, enter Entra’s SAML IdP metadata URL in the wizard.
15. Click Continue, which will take you to a page to configure security groups for admin access.

The next section asks you to configure SAML group claims to authorize administrators. Admins can modify the SAML configuration and generate additional integration tokens later.

1. In the Entra app, click Attributes & Claims > Edit
2. Click Add a group claim if there isn’t one already.
   Best Practice: use Group ID as the source attribute. Click Save.
3. Copy the claim name for groups from Entra ID
   (for example, http://schemas.microsoft.com/ws/2008/06/identity/claims/groups)
4. In the Imprivata setup wizard > Identity Provider: Connect page, paste the claim name into the field for SAML attribute name.
5. In the Entra app, copy the Object ID for a group that should have administrator access to Imprivata.
6. In the Imprivata setup wizard > Identity Provider: Connect page, paste the Object ID for SAML attribute value. You can enter multiple groups separated by commas.
7. In the Imprivata setup wizard, click Continue.
8. Add your organization’s business email address, user-facing name, and logo.
9. Click Continue to complete the wizard.
10. Click Go to access.imprivata.com to test your expected workflow for accessing the Imprivata Control Center.
11. At the login screen, enter an email address with the same domain you configured in the setup wizard, and click Continue.
    You will be redirected to your Entra ID login screen.
12. After authenticating with Entra ID, you will be redirected to your Imprivata Control Center.

You can also create the secure connection manually, after Imprivata Services has created a Cloud Tenant for your enterprise.

If you configured your SAML IdP, but did not complete the steps from the Cloud Tenant Setup Wizard to connect your Imprivata enterprise, you can still generate an integration token by logging into the Imprivata Cloud Platform from access.imprivata.com.

Before you begin, in the Imprivata Admin Console > Imprivata cloud services status panel, Access Management integration is “greyed out”.

1. In the Imprivata Admin Console, go to the gear icon > Imprivata Access Management integrations.
2. On the Imprivata Access Management page, you will see the following status message: Unable to verify integration. Unable to connect to Imprivata Access Management.
   On this page, copy the Enterprise integration ID to your clipboard.
3. Leave this console open, and in a separate browser window, log into the Imprivata Cloud Platform.
4. On the gear icon > Integrations tab, paste the Enterprise integration ID, and click Create integration token.
5. After the token appears onscreen, click Copy integration token.
6. Return to the Imprivata Admin Console > Imprivata Access Management page, and paste the integration token in the field provided, and click Integrate.
   When successful, the status message will read Integrated with Imprivata Access Management tenant, and your tenant ID is displayed. The Imprivata cloud services status panel on the Imprivata Admin Console also shows the new integration.

NOTE: This integration applies to every appliance in the enterprise.

NOTE: If you need to connect additional enterprises to this cloud tenant, or re-establish this connection, return to the Integrations tab to create an integration token again.

You can stop and restart this connection for the whole enterprise from any Imprivata Appliance Console, or on an appliance-by-appliance basis. The two statuses for the connection are Running or Disabled (stopped).

1. In the Imprivata Appliance Console, go to System > Operations > Imprivata Cloud Connect.
2. Imprivata Cloud Connect status is either Running or Disabled (stopped).
3. Select Stop/restart options.
4. Select from:
   1. Stop Imprivata Cloud Connect on this appliance
   2. Restart Imprivata Cloud Connect on this appliance
   3. Stop Imprivata Cloud Connect on all appliances
   4. Restart Imprivata Cloud Connect on all appliances
5. Click Go.

1. Go to Microsoft Entra ID > Manage > Security, and select Manage > Named locations.
2. Select IP ranges location.
3. Enter a name for the new location (“Imprivata Cloud”, for example) and select Mark as trusted location.
4. Add the following IP addresses:
   1. 44.207.16.175/32
   2. 44.196.189.191/32
   3. 34.195.47.118/32
5. Click Save.

If you use “per-user” multifactor authentication, then add the Imprivata Cloud Platform to the “per-user” MFA trusted IPs:

1. Go to Entra ID Overview > Manage > Users, and select Per-user multifactor authentication
2. Select the Service settings tab.
3. Add the same IP addresses from the Trusted Locations field, above:
   1. 44.207.16.175/32
   2. 44.196.189.191/32
   3. 34.195.47.118/32
4. Click Save.

1. Go to Entra ID Overview > Manage > Microsoft Entra Connect.
2. Select Connect Sync. Verify that Password Hash Sync is enabled.
   Otherwise, configure Password Hash Synchronization in the Microsoft Entra Connect Sync Agent.

Contact Imprivata Services. Services will create a Cloud Tenant for your enterprise, and send a Welcome email with a link to the Cloud Tenant Setup wizard. Click the link in the email and follow the wizard to complete the secure connection:

1. Click Get Started, then Continue. At the Connect Entra ID step, copy the Tenant ID from your Entra ID portal.
2. Enter the Tenant ID in the wizard, and click Continue to Entra ID Authentication.
3. You will be redirected to a Microsoft login. Log in as someone with Global Administrator or Privileged Role Administrator privileges.
4. You will be prompted to authorize Imprivata’s verified application with the following permissions:
   • Read all groups
   • Read all users’ full profiles
   • Read all group memberships
   • Sign in and read user profile
5. Click Accept to grant Imprivata Cloud access to the Entra ID tenant.

This step is needed if you are using federated authentication. The Imprivata Cloud Platform must be able to validate user passwords when typed in. In a federated environment, Imprivata needs to avoid these calls from being redirected to the federated identity provider (IdP). You must change the home realm discovery policy for authentication from the Imprivata Cloud to your Entra ID tenant only. This will only apply to authentication calls made by the Imprivata Astra Azure AD Sync application.

To create and apply the Home Realm Discovery policy:

1. Log in to Microsoft Graph Explorer. To make it more secure, log in as the Global Administrator.
2. Consent to the Microsoft Graph explorer application in your tenant.
3. For more information, see the Microsoft Graph API documentation.
4. Create a home realm discovery policy by making the following HTTP request:
   POST - https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies

Request body

In the request body, supply a JSON representation of the homeRealmDiscoveryPolicy object:

{
"displayName": "yourPolicyName",
"definition": [
"{\"HomeRealmDiscoveryPolicy\": 
{\"AllowCloudPasswordValidation\":true, } }"
],
"isOrganizationDefault": false
}

Response

If successful, this method returns a 201 Created response code and a new homeRealmDiscoveryPolicy object in the response body.

Example Response

 {
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/homeRealmDiscoveryPolicies",
"value": [
{
"id": "239cbead-1111-654a-9f50-1467d691aaa",
"deletedDateTime": null,
"definition": [
"{\"HomeRealmDiscoveryPolicy\" : { \"AllowCloudPasswordValidation\":true, } }"
],
"displayName": "Exclude Federated Authentication ",
"isOrganizationDefault": false
}
]
}

4. Assign the home realm discovery policy to the Imprivata Astra Azure AD Sync application by making the following HTTP request:

POST – https://graph.microsoft.com/v1.0/servicePrincipals/<the Imprivata Astra Azure AD Sync application object id>/homeRealmDiscoveryPolicies/$ref

Request body

In the request body, supply the identifier of the homeRealmDiscoveryPolicy object that should be assigned.

{
"@odata.id":"https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/<yourHomeRealmDiscovery_PolicyID>"
}

Response

If successful, this method returns a 204 No Content response code.

Verify that the home realm discovery policy was successfully applied to the service principal by making the following HTTP request:

GET – https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/<homeRealmDiscoveryPolicy object id>/appliesTo

Response

{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
"value": [
{
"@odata.type": "#microsoft.graph.servicePrincipal",
"id": "c1f8e0d4-25b0-46b2-aaa8-827822631a33",
...

Configure the secure connection between your Imprivata appliance and the Imprivata Cloud Platform. To confirm whether this connection is complete, on the Imprivata Admin Console, see the Status panel on the right-hand side. Look for a green checkmark icon for Access Management integration. Before you begin, Access Management integration is “greyed out”.

1. In the Imprivata Admin Console, go to the gear icon > Imprivata Access Management integrations.
2. On the Imprivata Access Management page, you will see the following status message: Unable to verify integration. Unable to connect to Imprivata Access Management.
   On this page, copy the Enterprise integration ID to your clipboard.
3. Leave this console open, and in a separate browser window, log into the Imprivata Cloud Platform.
4. On the Settings > System page, go to Enterprise Access Management integration, paste the Enterprise integration ID, and click Create integration token.
5. After the token appears onscreen, click Copy integration token.
6. Return to the Imprivata Admin Console > Imprivata Access Management page, and paste the integration token in the field provided, and click Integrate.
   When successful, the status message will read Integrated with Imprivata Access Management tenant, and your tenant ID is displayed. The Imprivata cloud services status panel on the Imprivata Admin Console also shows the new integration.NOTE: This integration applies to every appliance in the enterprise.

1. In the Enterprise Access Management Admin Console, go to the User policies page > Authentication tab > Desktop Access authentication section.
2. Select Face recognition as a primary factor.
3. Select a second factor for Face recognition:
   1. no second factor
   2. Security Key
   3. Imprivata PIN
   4. Password
   5. Proximity Card
   6. Security Key or Imprivata PIN or Proximity Card or Device-bound passkey
      
4. Select another primary factor if needed. For example, if users in this policy must authenticate via password where Face recognition authentication is not available.
5. Click Save.

Depending on the authentication methods defined in the user policy and computer policy, ensure that you have configured the appropriate grace periods for the second authentication factor.

For example, when using proximity cards as the second authentication factor, you can set a grace period for the second authentication factor after successful authentication, up to 24 hours 59 minutes.

The settings are available in the Authentication method options section of the Authentication tab in the Imprivata Admin Console.

Mobile Access Management organizations with Check Out using EAM as the Identity provider (IdP) create a host (computer) in EAM for every Launchpad registered. That computer in EAM gets a computer policy which must have a proximity card enabled to be able to perform a checkout with a proximity card tap.

• Confirm that there is no override in the computer policy that the Launchpads are assigned to.
• Confirm that the user policies your mobile users are assigned to allow proximity cards as a primary factor.

If both of the above conditions are true, no changes are needed. However, if an override is already enabled within the computer policy the Launchpads are in, ensure that Proximity Card is allowed in the override. If this is not possible or allowed for your organization, Imprivata suggests moving the Launchpads into a separate computer policy.

If you’ve performed the validations above, and computer policy changes are indeed needed for your environment, follow these steps.

1. In the Imprivata Admin Console, go to Computers > Computer policies and select the computer policy your Launchpad is using.
2. In Override and Restrict tab > Desktop Access Authentication Restrictions section, make sure that the option for Proximity Card is selected (enabled).