Difference between revisions of "Imprivata"

From NComputing Knowledge Base

Revision as of 01:59, 25 January 2019

Imprivata OneSign Single Sign-On (SSO) is a supported login method in NoTouch Desktop. To use Imprivata, you need a working and configured Imprivata appliance. Like Imprivata itself, NoTouch supports several authentication methods, among them contactless proximity cards, fingerprint and simple password authentication. NoTouch also supports secondary authentication (e.g. for prescription of controlled substances, as mandated by law in many jurisdictions). Imprivata support is available in Stratodesk NoTouch OS images on all platforms, including PC and Raspberry Pi, and requires NoTouch Center 4.2.58 or later.

Basic functionality introduction

NoTouch contains a client-side software module that consumes the Imprivata ProveID API provided by the appliance. This module drives proximity card readers (if any), communicates with the user, verifies credentials with the Imprivata appliance and finally starts a connection, such as Citrix or VMware View. Once connected to VDI, a "virtual channel" is established between the Imprivata agent on the VDI side and the Stratodesk Imprivata module, facilitating secondary authentication, enrollment and other workflows (Citrix and Horizon/PCoIP only).

[Image: OS-en-Imprivata_Login.jpg]

Configuration on the NoTouch side is simple: you only need to specify how to connect to your Imprivata appliance and set a few basic parameters.

Get going with NoTouch and Imprivata

  1. Make sure your Imprivata appliance is configured and running
  2. Create and configure a connection in NoTouch. Give it a descriptive name (you will need to enter that name into the Imprivata parameters). As a first step, test that the connection works without Imprivata.
  3. Go to the Imprivata configuration parameters in NoTouch (as described in the next section) and configure at least these three values:
    • Set "Start service" to "on"
    • Let "Host" point to the Imprivata appliance (Hostname only! Not a URL)
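    • You may also want to switch off certificate validation, at least in lab environments. With validation off, NoTouch does not check the appliance's certificate, so outside the lab keep it on and install the CA root certificate (step 4).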
  4. Get the CA root certificate of the Imprivata appliance and add it to your NoTouch environment as described here: Certificates
    • The root certificate used to sign the SSL certificates can be downloaded from the Imprivata Admin Console. On the SSL tab of the Security page, click the link "Click here to download the certificate of this CA" and download the file ssoCA.cer.

Imprivata configuration

The Imprivata parameters are part of the Services parameters. Navigate to the Services tab and look for "Imprivata". There you will find these parameters:

  • Start service. This is the master switch to use the Imprivata functionality. To use Imprivata OneSign SSO, switch it to "on".
  • Host. The DNS host name of the Imprivata appliance.
  • Name of connection to launch. (Optional). In most cases, information on what kind of session to start will be pulled from the OneSign appliance. If you want to override that, enter the actual connection name that the Imprivata module will start upon successful authentication. Be careful - check for typos, missing or too many spaces.
  • Log level. By default this is set to "none", meaning no logging. If you run into problems, or when directed by a vendor's support engineers, switch it to "debug".
  • Verify certificates. Determines whether NoTouch checks certificates. By default this is on.
  • Tapping mode. With this parameter you can specify what should happen if the user taps the proximity card while a session is established:
    • None. This setting denotes that nothing should happen.
    • Close running connection. This setting disconnects the user.
    • Close running connection and allow user switch. Like the setting above, this disconnects the user, but it also allows login to begin for a different card. Use this if you want one user to be able to disconnect another one.
[Image: Center-en-Imprivata-Configuration.jpg]
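
The setup steps and the parameter list above name several values that are easy to get wrong (a URL in "Host", stray spaces in the connection name, certificate validation left off after lab testing). The following pre-rollout check is an added example, not Stratodesk or Imprivata code. It assumes the settings are held in a Python dict keyed by the parameter labels shown above; the dict representation, the function name lint_imprivata, the treatment of a missing "Start service" as off, and the sample values are assumptions made for illustration.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def lint_imprivata(params, connection_names):
    """Return findings for a dict keyed by the page's parameter labels."""
    findings = []
    host = params.get("Host", "")
    if "://" in host or "/" in host or ":" in host:
        findings.append("Host: must be a bare DNS host name, not a URL or host:port")
    elif not host or not all(_LABEL.match(p) for p in host.split(".")):
        findings.append("Host: not a valid DNS host name")
    if params.get("Start service", "off") != "on":
        findings.append("Start service: not on, Imprivata login is disabled")
    # The page documents "on" as the default for certificate checks.
    if params.get("Verify certificates", "on") != "on":
        findings.append("Verify certificates: off, appliance certificate is not checked")
    # The page documents "none" as the default log level.
    if params.get("Log level", "none") != "none":
        findings.append("Log level: not 'none', reset it after troubleshooting")
    name = params.get("Name of connection to launch", "")
    if name:  # optional parameter
        if name != name.strip() or "  " in name:
            findings.append("Name of connection to launch: stray or doubled spaces")
        elif name not in connection_names:
            findings.append("Name of connection to launch: no connection has this exact name")
    if params.get("Tapping mode") == "Close running connection and allow user switch":
        findings.append("Tapping mode: one user can disconnect another, confirm this is intended")
    return findings

# Constructed sample: a lab configuration about to be copied to production.
SAMPLE = {
    "Start service": "on",
    "Host": "https://onesign.example.test",   # URL instead of host name
    "Name of connection to launch": "Citrix  Desktop",  # doubled space
    "Log level": "debug",
    "Verify certificates": "off",
    "Tapping mode": "Close running connection and allow user switch",
}

if __name__ == "__main__":
    for finding in lint_imprivata(SAMPLE, ["Citrix Desktop"]):
        print(finding)
```
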