Integrate Imprivata OneSign

Created: Modified: Checkout

GroundControl’s Check Out feature requires customers to connect to a web service to handle the translation of badge IDs to user IDs. This article describes how to integrate with Imprivata OneSign for identity lookup. If you don’t have Imprivata OneSign, you may use a custom identity lookup service.


Take note of the following prerequisites:

Imprivata OneSign Configuration
Step 1: Configure API Access to Imprivata OneSign

Configure API access to Imprivata OneSign using the Imprivata Admin Console.

To configure the API access:

    1. Log into the Imprivata Admin Console.
    2. In the Gear menu, select API Access.
    3. Under ProveID – API access and security, select Allow full access via ProveID Web and ProveID Embedded.
    4. Select the API access needed for the OS of your devices:
      1. For GroundControl with iOS devices, select the Imprivata Mobile for iOS checkbox.
      2. For GroundControl with Android devices, select the Imprivata Mobile for iOS and the Imprivata Mobile for Android checkboxes.
    5. Click Save.
Step 2: Configure the OneSign Computer Policy for Proximity Card

GroundControl organizations with Check Out using Imprivata OneSign as the Identity provider create a host (computer) in Imprivata OneSign for every Launchpad registered. That computer in Imprivata OneSign gets a computer policy and it must have a proximity card enabled to be able to do a checkout with a badge tap.

  1. In the Imprivata Admin Console, go to Computers > Computer policies and select the computer policy your Launchpad is using.
  2. In Override and Restrict tab > Desktop Access Authentication Restrictions section, make sure that the option for Proximity Card is selected.
GroundControl Configuration

In the GroundControl console, configure the integration with Imprivata OneSign:

1. In Admin > Check Out, select Imprivata OneSign from the Identity Provider dropdown list and click Configure.

2. In the dialog, add the hostname of your Imprivata appliance.

3. If your organization uses a root certificate authority, upload that CA certificate to this dialog, in PEM, CER, CRT, or DER format. Otherwise leave Disable SSL checks selected. Click Save.

4. Restart any Launchpads as prompted.

5. To test this configuration, in the GroundControl console, click the Launchpads tab, then open one of your Launchpads. In Launchpad Actions, select Test Identity Web Service.

About Certificates

Certificates are not required for Check Out or Password AutoFill workflows. But if your organization would like to enable SSL trust certificates, these requirements must be met:

  1. Per Apple’s trust certificate requirements, certificates must have a validity period of 825 days or fewer. If the certificate applied to Imprivata OneSign has a longer validity, it will be need to be updated at the Imprivata appliance level first. See Imprivata OneSign’s documentation on how to update certificates on the Imprivata appliance. After that change has been made, follow the instructions below to obtain root certificate for use in GroundControl.
  2. GroundControl requires a root certificate (self signed or issued by a CA authority). You may use any web browser to download the root certificate from the appliance via a web browser. Make sure you are downloading the Root certificate, not the certificate installed on the Imprivata appliance. Once downloaded, upload this certificate this certificate to GroundControl.
Allow New Badge and Imprivata PIN Enrollments to OneSign

GroundControl allows new badge enrollments and Imprivata PIN enrollments during checkout. This is useful when users have a new or replacement badge that is not already enrolled in Imprivata OneSign.

Applies to iOS and Android devices. Requires Imprivata Locker iOS 3.12 or Locker Android 1.3 or later.

  1. In Admin > Check Out > Available Authentication Methods section, select Proximity Badges.
  2. To allow new enrollments to OneSign from the Locker app, switch the Allow users to enroll new badges to OneSign from Locker app setting to ON.
    NOTE: This setting is only available when Imprivata OneSign is set as the Identity Provider (IdP), and is not supported for other custom web services. You do not need to enable checkout via network username and password for badge enrollment to work.

  3. To enable a second factor of authentication, switch the Password AutoFill setting to ON and select the authentication method:
    1. Imprivata PIN with numeric keyboard.
    2. Imprivata PIN with alphanumeric keyboard.
    3. Domain password.
  4. When prompted, restart the Launchpads.
Checking Out with Username and Password

GroundControl also allows checking out a device using a username and password. This is useful when users forget to bring their badges to work.

BEST PRACTICE: Imprivata recommends setting Network Username and Password as an available authentication method.

  1. In Admin > Check Out > Available Authentication Methods, select the Network Username and Password option.
  2. Some organizations use special terms for username, such as “Network ID”, “Net ID”, or similar. You may customize the terms you use by editing the Username Label and Password Label fields.

When enabled, the Locker app lock screen adds a button to unlock with your network password.

This button allows users to type their network username and password to unlock the device.

For Imprivata OneSign enterprises configured with multiple domains, the user selects the appropriate domain from the list above the username input.

On successful checkout, GroundControl can automate a Workflow. The automation must use the trigger Unlocked via Network Username and Password, and the Workflow must use the Over the Air Workflow model.

Imprivata Attributes

By default, GroundControl includes three built-in Imprivata attributes that can be used throughout Workflows:

  • Device User: This attribute is populated with the Active Directory user ID of the checkout user.
  • Imprivata Display Name: This attribute is populated with the full name of the checkout user, which you can display on the wallpaper, the Locker app unlock screen, etc.
  • Imprivata Domain: This attribute is populated with the domain name of the checkout user.
  • Imprivata Email: This attribute is populated with the user’s email address.
    In GroundControl 6.4 and later, by default, the Imprivata Locker app (iOS) retrieves the user’s email address from Imprivata OneSign to authenticate to Microsoft apps and Password Autofill populates the password.


Next: Configure Password AutoFill