Integrate Imprivata OneSign

Created: Modified: Checkout

Our Check Out feature requires customers to connect to a web service to handle the translation of badge IDs to user IDs. This document describes how to integrate with Imprivata OneSign for identity lookup. If you don’t have Imprivata OneSign, you may use a custom identity lookup service, described in a separate article.

  • You must use Launchpad 4.9.3 or greater for this functionality. Password Autofill is supported in GroundControl 5.0+.
  • You’ll need to have have followed the Check Out setup instructions in this guide, and that Check Out is working with our built-in GroundControl User Service.
  • Your proximity badge readers need to be configured to preserve parity bits, which is not the factory default. The OneSign Agent performs this operation automatically, so you can use any proximity badge reader that was previously used with Imprivata OneSign.  You can also use GroundControl to change the configuration for use with OneSign, instructions are included below.
OneSign Set Up

1. Log into the OneSign appliance administrator console

GroundControl Setup

1. In Admin > Check Out, change Identity Web Service to Imprivata OneSign


2. Add the hostname of your Imprivata appliance in the dialog.

3. If your organization uses a root certificate authority, upload that CA certificate to this dialog, in PEM, CER, CRT, or DER format. Otherwise leave “Disable SSL checks” selected. Save the dialog.

4. Restart any Launchpads as prompted.

To test this configuration, in the GroundControl console click the Launchpads tab, then open one of your Launchpads. In Launchpad Actions choose “Test Identity Web Service.”

Imprivata Attributes Setup

After you’ve completed either option above, the next steps are:

5. Create two new attributes in Admin > Attributes > Device Attributes:

  • Imprivata Display Name: This attribute will be populated with the full name of the checkout user, which you can display on the wallpaper, the Locker app unlock screen, etc.
  • Imprivata Domain: This attribute will be populated with the domain name of the checkout user.

In addition, the following attribute is built in and available for your use:

  • Device User: This attribute will be populated with the Active Directory user ID of the checkout user.

6. In your “Check In” workflow, add the Set Attribute action to clear the two new attributes.


You may now test the system using one of your ID badges.

Proximity Card Reader Configuration

To configure proximity card readers for compatibility with OneSign:

  1. Navigate to Admin> Check Out
  2. From the Badge Reader type options, select the configuration that matches your computer policy settings in OneSign. Today, GroundControl only supports one card readers configuration.
  3. Click Save and restart Launchpad for the change to take effect.


Next: Configure Password AutoFill