Our Check Out feature requires customers to connect to a web service to handle the translation of badge IDs to user IDs. This document describes how to integrate with Imprivata OneSign for identity lookup. If you don’t have Imprivata OneSign, you may use a custom identity lookup service, described in a separate article.
Prerequisites
- You already followed the Check Out setup instructions in this guide, and verified that Check Out is working with our built-in GroundControl User Service.
Imprivata OneSign Configuration
1. Log into the Imprivata Admin Console.
GroundControl Setup
1. In Admin > Check Out, change Identity Web Service to Imprivata OneSign.
2. Add the hostname of your Imprivata appliance in the dialog.
3. If your organization uses a root certificate authority, upload that CA certificate to this dialog, in PEM, CER, CRT, or DER format. Otherwise leave Disable SSL checks selected. Save the dialog.
4. Restart any Launchpads as prompted.
To test this configuration, in the GroundControl console click the Launchpads tab, then open one of your Launchpads. In Launchpad Actions, select Test Identity Web Service.
About Certificates
Certificates are not required for Check Out or Password AutoFill workflows. But if your organization would like to enable SSL trust certificates, these requirements must be met:
- Per Apple’s trust certificate requirements, certificates must have a validity period of 825 days or fewer. If the certificate applied to Imprivata OneSign has a longer validity, it will need to be updated at the Imprivata appliance level first. Refer to the Imprivata OneSign instructions on how to update certificates on the Imprivata appliance. After that change has been made, follow the instructions below to obtain the root certificate for use in GroundControl.
- GroundControl requires a root certificate (self-signed or issued by a CA). You may use any web browser to download the root certificate from the appliance. Make sure you are downloading the ROOT certificate, not the server certificate installed on the Imprivata appliance. Once downloaded, upload this certificate to GroundControl.
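As an added example (not GroundControl's or Imprivata's own code), the shell script below checks both requirements with the openssl CLI: it reports a certificate's validity period against the 825-day limit and pulls the root certificate out of the chain the appliance serves, ready for upload. It assumes openssl and GNU date are installed; the appliance hostname is a placeholder.

```shell
#!/bin/sh
# Added example, not GroundControl or Imprivata code.
# Assumes the openssl CLI and GNU date; the hostname below is a placeholder.
set -u
MAX_VALIDITY_DAYS=825

# Fetch the full chain the Imprivata appliance presents on TCP 443 and
# save it PEM-encoded to $2 (leaf first, root last if the server sends it).
fetch_chain() {
    host="${1:-imprivata.example.invalid}"   # placeholder hostname
    out="${2:-chain.pem}"
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
}

# Print the validity period in days (notAfter - notBefore) of the first
# certificate in PEM file $1.
validity_days() {
    nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2-)
    na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2-)
    s=$(date -u -d "$nb" +%s)
    e=$(date -u -d "$na" +%s)
    echo $(( (e - s) / 86400 ))
}

# Succeed (exit 0) only if the first certificate in $1 is within Apple's
# 825-day limit; otherwise the appliance certificate must be reissued first.
check_apple_limit() {
    d=$(validity_days "$1")
    [ "$d" -le "$MAX_VALIDITY_DAYS" ]
}

# Write the last certificate of chain file $1 to $2 and confirm it is a root
# (self-signed: issuer equals subject). A non-zero exit means the chain did
# not end in a root and the CA certificate must be obtained another way.
extract_root() {
    awk '/-----BEGIN CERTIFICATE-----/ {buf=""}
         {buf = buf $0 "\n"}
         /-----END CERTIFICATE-----/ {last=buf}
         END {printf "%s", last}' "$1" > "$2"
    subj=$(openssl x509 -in "$2" -noout -subject)
    iss=$(openssl x509 -in "$2" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}
```

Run `fetch_chain <appliance-host> chain.pem`, then `check_apple_limit chain.pem` and `extract_root chain.pem root.pem`; root.pem is the file to upload in the GroundControl Check Out dialog.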
Checking Out with Username and Password
GroundControl also allows checking out using a username and password. This is useful when users forget to bring their badges to work.
In Admin > Check Out > Available Authentication Methods, select the Network Username and Password option.
Some organizations use special terms for username, such as “Network ID,” “Net ID,” or similar. You may customize the terms you use on this screen.
When enabled, the Locker for iOS app lock screen adds a button to unlock with your network password.
This button allows users to type their network username and password to unlock the device.
If your Imprivata OneSign server is configured with multiple domains, you may select the correct domain above the username input.
On successful checkout, GroundControl can Automate a workflow. The automation must use the trigger “Unlocked via Network Username and Password,” and the workflow must use the workflow model “Over the Air.”
Imprivata Attributes
By default, GroundControl includes three built-in Imprivata attributes that can be used throughout workflows:
- Device User: This attribute will be populated with the Active Directory user ID of the checkout user.
- Imprivata Display Name: This attribute will be populated with the full name of the checkout user, which you can display on the wallpaper, the Locker app unlock screen, etc.
- Imprivata Domain: This attribute will be populated with the domain name of the checkout user.