Create Imprivata OneSign Profiles

Mobile apps require a profile to feed usernames and passwords from Imprivata OneSign. This is similar to all other apps in the Imprivata OneSign system. Imprivata OneSign’s method for creating profiles with the Imprivata OneSign Application Profile Generator (APG) does not work for mobile apps, therefore a new method is required in order to achieve the same results.

Profiles are simple XML documents.

Step 1: Edit the Application Profile

Edit the application profile as needed for the apps.

<SSO>
    <global verCreate="6.0" verLastMod="6.0"/>
        <app nm="APP_DOMAIN_HERE" desc="APP_NAME_HERE" profileType="2" appType="0">
            <env type="200" nm="iOS">
                <scn nm="" auto="0" dgs="1">
                    <ctl var="USR"/>
                    <ctl var="PWD"/>
                </scn>
            </env>
        </app>
    <containers/>
</SSO>

<SSO>
    <global verCreate="6.0" verLastMod="6.0"/>
        <app nm="com.epic.rover" desc="Epic Rover" profileType="2" appType="0">
            <env type="100" nm="Android">
                <scn nm="" auto="0" dgs="1">
                    <ctl nm="field_userID" var="USR" cls=""/>
		    <ctl nm="field_password" var="PWD" cls=""/>
                </scn>
            </env>
        </app>
    <containers/>
</SSO>

Edit the following areas of the profile:

• app nm — enter the application’s domain here
  • APP_DOMAIN_HERE is a hostname, associated with apps. Some apps do not provide a domain. If an app does not provide a domain, this should have the same name as the APP_NAME_HERE field.
• desc— enter the name of the app here.
  • APP_NAME_HERE is a human-readable string to describe the app. recommends using something short, like “Rover” or “Epic Rover” here.
• env type=”200″ nm=”iOS” — nm= indicates the device platform. Valid values are “iOS” or “Android”.

Leave the rest of the parameters the same.

These credentials are used in two different ways by Imprivata Locker, depending on whether the app you are logging into provides a domain to Imprivata Locker or not.

Apps with domains

If the app is built to provide an App Domain, the credential appears in the QuickType bar above the keyboard, for 1-tap AutoFill.

• Websites using HTTPS always provide a domain
• Apps built with an Associated Domain provide a domain

Apps without domains

If the app does not provide an App Domain, the credential is still available within a list of credentials using 2-tap AutoFill. Users must first tap the word “Passwords” in the QuickType bar to reach the credentials.

Discovering the App Domain

NOTE: This section only applies to iOS devices. The AutoFill Discovery tool is only available for iOS.

You can find whether an app provides a domain or not, and what the domain is, using Imprivata’s tool AutoFill Discovery. To use AutoFill Discovery:

1. Download and install the app from the app store: https://apps.apple.com/us/app/autofill-discovery/id1565246982.
2. Launch the application.
3. Enable Imprivata as the AutoFill provider. On the device:
   1. Go to Settings > Passwords > AutoFill Passwords.
   2. Allow Filling from AutoFill Discovery.
   3. Disallow Filling from Keychain and all other applications.
   4. Return to AutoFill Discovery app.
   5. You are now ready to test a third party app for Password AutoFill support.
4. Launch an app you would like to test.
5. Within that app, navigate to a credential entry screen.
6. After the keyboard is shown, select Passwords in the QuickType Bar above the keyboard.
7. Review your results, noting the associated domain if available.

Example: Epic Rover

Epic Rover does not have an associate domain, so the iOS profile is simple:

<SSO>
    <global verCreate="6.0" verLastMod="6.0"/>
        <app nm="Epic Rover" desc="Epic Rover" profileType="2" appType="0">
            <env type="200" nm="iOS">
                <scn nm="" auto="0" dgs="1">
                    <ctl var="USR"/>
                    <ctl var="PWD"/>
                </scn>
            </env>
        </app>
    <containers/>
</SSO>

Step 2: Upload the Profile to the Imprivata Appliance

After you create the profile, upload it to the Imprivata appliance:

1. Launch the Imprivata Admin Console. and navigate to Applications > Single sign-on application profiles.
2. Click Add App Profile> Import from file…. > Choose file.
3. Upload the .xml file containing your application profile.

Step 3: Deploy the Application Profile and Share Credentials

After you upload the profile to the Imprivata appliance, deploy it to your end users and configure it to know which credentials to use for that application.
To deploy application profiles and configure credential sharing, the behavior is the same as all other Imprivata OneSign profile types.

To deploy an app profile:

1. In the Imprivata Admin Console, select the app profile, and click Deploy.
2. Go to the Deployment section and select Deploy This Application?.
3. (Optional) To deploy the application to a subset of users, deselect Deploy to All Users and Groups?, and specify the membership.
4. (Optional) If the app is sharing credentials, go to the Credentials section, select This application shares credentials?:
   1. To use the domain credentials, select with the domain only, and select the required domain username format.
5. Click Save.

For additional information, see the Imprivata OneSign online help, available from the Imprivata Support and Learning Center:

• Credential Sharing