Integrate Imprivata OneSign

Our Check Out feature requires customers to connect to a web service to handle the translation of badge IDs to user IDs. This document describes how to integrate with Imprivata OneSign for identity lookup. If you don’t have Imprivata OneSign, you may use a custom identity lookup service, described in a separate article.

Prerequisites
  • You must use Launchpad 4.9.3 or greater for this functionality. Password AutoFill is supported in GroundControl 5.0+.
  • You must have followed the Check Out setup instructions in this guide, and Check Out must be working with our built-in GroundControl User Service.
  • Your proximity badge readers need to be configured to preserve parity bits, which is not the factory default. The OneSign Agent performs this operation automatically, so you can use any proximity badge reader that was previously used with Imprivata OneSign. You can also use GroundControl to change the configuration for use with OneSign; instructions are included below.

OneSign Set Up

1. Log in to the OneSign appliance administrator console.

GroundControl Setup

1. In Admin > Check Out, change Identity Web Service to Imprivata OneSign.

2. Add the hostname of your Imprivata appliance in the dialog.

3. If your organization uses a root certificate authority, upload that CA certificate to this dialog, in PEM, CER, CRT, or DER format. Otherwise leave “Disable SSL checks” selected. Save the dialog.

4. Restart any Launchpads as prompted.

To test this configuration, in the GroundControl console click the Launchpads tab, then open one of your Launchpads. In Launchpad Actions choose “Test Identity Web Service.”

About Certificates

Certificates are not required for Check Out or Password AutoFill workflows. But if your organization would like to enable SSL trust certificates, these requirements must be met:

  1. As per Apple’s trust certificate requirements, certificates must have a validity period of 825 days or fewer. If the certificate applied to OneSign has a longer validity, it will need to be updated at the OneSign Appliance level first. Please refer to OneSign instructions on how to update certificates on the Appliance. After that change has been made, follow the instructions below to obtain the root certificate for use in GroundControl.
  2. GroundControl requires a root certificate (self-signed or issued by a certificate authority). See the instructions below on how to easily obtain a root certificate from the appliance via a web browser. Once downloaded, upload this certificate to GroundControl.
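
A pre-upload check for the two requirements above, as an added example that is not GroundControl or Imprivata code. It assumes PEM files, OpenSSL 1.1.1 or later and GNU date; the function and file names are hypothetical, and it treats "root certificate" as one whose subject equals its issuer and whose signature verifies with its own key.

```shell
#!/bin/sh
# Added example, not GroundControl or Imprivata code.
# Assumes PEM files, OpenSSL 1.1.1+ and GNU date (for `date -d`).
MAX_DAYS=825   # validity limit from requirement 1

# Print the validity period (notAfter minus notBefore) in whole days.
cert_validity_days() {
  start=$(openssl x509 -in "$1" -noout -startdate 2>/dev/null) || return 2
  end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null) || return 2
  start=$(date -u -d "${start#notBefore=}" +%s) || return 2
  end=$(date -u -d "${end#notAfter=}" +%s) || return 2
  echo $(( ($end - $start) / 86400 ))
}

# Succeed only if subject equals issuer and the signature verifies with the
# certificate's own public key (this example's working definition of "root").
is_self_signed_root() {
  subj=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 2
  iss=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 2
  [ "$subj" = "$iss" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# check_pair APPLIANCE_CERT ROOT_CERT
# Requirement 1 is checked on the certificate applied to OneSign, requirement 2
# on the file to upload to GroundControl. For a self-signed appliance
# certificate, pass the same file twice.
check_pair() {
  rc=0
  days=$(cert_validity_days "$1") || { echo "cannot read $1"; return 2; }
  if [ "$days" -le "$MAX_DAYS" ]; then
    echo "appliance validity: $days days (ok)"
  else
    echo "appliance validity: $days days (over $MAX_DAYS)"; rc=1
  fi
  if is_self_signed_root "$2"; then
    echo "upload file: self-signed root"
  else
    echo "upload file: not a self-signed root (leaf, intermediate or unreadable)"; rc=1
  fi
  return $rc
}

# Usage: sh check_cert.sh appliance.pem root.pem   (file names are placeholders)
if [ $# -eq 2 ]; then check_pair "$1" "$2"; fi
```

A CER, CRT or DER file that is binary-encoded can be converted first with `openssl x509 -inform DER -in FILE -out FILE.pem`.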

Imprivata Attributes

By default, GroundControl includes two built-in Imprivata attributes that can be used throughout workflows:

  • Imprivata Display Name: This attribute will be populated with the full name of the checkout user, which you can display on the wallpaper, the Locker app unlock screen, etc.
  • Imprivata Domain: This attribute will be populated with the domain name of the checkout user.

In addition, the following attribute is built in and available for your use:

  • Device User: This attribute will be populated with the Active Directory user ID of the checkout user.

Proximity Card Reader Configuration

To configure proximity card readers for compatibility with OneSign:

  1. Navigate to Admin > Check Out.
  2. From the Badge Reader type options, select the configuration that matches your computer policy settings in OneSign. Today, GroundControl only supports one card reader configuration.
  3. Click Save and restart Launchpad for the change to take effect.

 

Next: Configure Password AutoFill