Difference between revisions of "Imprivata"

From NComputing Knowledge Base

Revision as of 02:59, 25 January 2019

Imprivata OneSign Single Sign-On (SSO) is a supported login method in NoTouch Desktop. To use Imprivata, you need a working and configured Imprivata appliance. NoTouch supports the same authentication methods as Imprivata, among them contactless proximity cards, fingerprint readers and plain username/password authentication. NoTouch also supports secondary authentication (e.g. for prescribing controlled substances, as mandated by law in many jurisdictions). Imprivata support is available in Stratodesk NoTouch OS images on all platforms, including PC and Raspberry Pi, and requires NoTouch Center 4.2.58 or later.

Basic functionality introduction

NoTouch contains a client-side software module that consumes the Imprivata ProveID API provided by the appliance. This module drives proximity card readers (if any), interacts with the user, verifies credentials against the Imprivata appliance and finally starts a connection, such as Citrix or VMware View. Once connected to VDI, a "virtual channel" is established between the Imprivata agent on the VDI side and the Stratodesk Imprivata module, facilitating secondary authentication, enrolling and other workflows (Citrix and Horizon/PCoIP only).

(Image: OS-en-Imprivata Login.jpg, the Imprivata login dialog on NoTouch)

The configuration on the NoTouch side is easy, since you only need to set how to connect to your Imprivata appliance and a few very basic settings.

Get going with NoTouch and Imprivata

Unless you are using #Fast User Switching (FUS), follow these steps to get going:

  1. Make sure your Imprivata appliance is configured and running
    • Check that the Imprivata appliance has "Stratodesk" enabled under Settings->ProveID
  2. Go to the Imprivata configuration parameters in NoTouch (as described in the next section) and configure at least these values:
    • Set "Start service" to "on"
    • Let "Host" point to the Imprivata appliance (host name only, not a URL)
  3. In NoTouch Center, assign the IMPR license to the endpoint, if not already done: Licensing#Assigning_licenses
  4. Get the CA root certificate of the Imprivata appliance and add it to your NoTouch environment (Certificates). Only in a lab without a proper SSL certificate should you switch off certificate validation using the "Verify Certificates" parameter; with validation off, the endpoint will trust any appliance that answers at the configured host name.
    • The root certificate used to sign the SSL certificates can be downloaded from the Imprivata Admin Console. On the SSL tab of the Security page, click the link "Click here to download the certificate of this CA". Download the file ssoCA.cer and import it into NoTouch as described in Certificates.
  5. Optionally set the "Agent Type" parameter to "Shared Kiosk Workstation", which enables all virtual-channel-based functionality such as secondary authentication. If you do that, disable USB forwarding in the Citrix or Horizon options.
  6. Reboot the device
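The steps above name a handful of settings that are easy to get wrong (a URL pasted into "Host", certificate validation left off after a lab test, USB forwarding still on with the virtual channel enabled). The following script is an added example, not NoTouch's or Stratodesk's own code: it checks a parameter set for exactly those pitfalls before you reboot the endpoint. The parameter names follow the article; the flat dictionary layout, the "USB forwarding" key (which in the product lives in the Citrix/Horizon options, not under Imprivata), the function names and the sample values are assumptions made for this illustration.

```python
"""Sanity-check a NoTouch Imprivata parameter set before rebooting the endpoint.

Added example; not part of NoTouch. Parameter names mirror the wiki article,
everything else (dict layout, sample hosts, function names) is assumed.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Values the article documents for these two parameters.
AGENT_TYPES = {"Off", "Shared Kiosk Workstation", "Fast User Switching"}
LOG_LEVELS = {"none", "debug"}


def host_problem(host: str) -> Optional[str]:
    """Return a finding if 'Host' is not a bare DNS host name, else None."""
    if not host:
        return "Host is empty; it must name the Imprivata appliance"
    if "://" in host or "/" in host or ":" in host:
        # Someone pasted the admin-console URL (or host:port) instead of the name.
        bare = urlsplit(host if "://" in host else "//" + host).hostname
        return f"Host must be a host name, not a URL; use {bare or '<unparseable>'!r}"
    labels = host.split(".")
    if any(not lbl or not lbl.replace("-", "").isalnum() for lbl in labels):
        return f"Host {host!r} is not a valid DNS name"
    return None


def check_imprivata_params(params: Dict[str, str], lab: bool = False) -> List[str]:
    """Return a list of findings; an empty list means the set looks sane."""
    findings: List[str] = []
    if params.get("Start service") != "on":
        findings.append("Start service is not 'on'; the Imprivata module will not run")
    problem = host_problem(params.get("Host", ""))
    if problem:
        findings.append(problem)
    if params.get("Verify certificates", "on") != "on":
        if lab:
            findings.append("Verify certificates is off: acceptable in a lab only, "
                            "turn it back on before rollout")
        else:
            # Without validation the endpoint will talk to any host answering at
            # that name; import ssoCA.cer instead of disabling the check.
            findings.append("Verify certificates is off outside a lab: the endpoint "
                            "cannot tell the real appliance from an impostor; "
                            "import ssoCA.cer and switch it back on")
    agent = params.get("Agent Type", "Off")
    if agent not in AGENT_TYPES:
        findings.append(f"Agent Type {agent!r} is not one of {sorted(AGENT_TYPES)}")
    elif agent == "Shared Kiosk Workstation" and params.get("USB forwarding") == "on":
        findings.append("USB forwarding is on; disable it in the Citrix/Horizon "
                        "options when the virtual channel is used")
    level = params.get("Log level", "none")
    if level not in LOG_LEVELS:
        findings.append(f"Log level {level!r} is not one of {sorted(LOG_LEVELS)}")
    elif level == "debug":
        findings.append("Log level is debug; reset it to none once troubleshooting is done")
    return findings


# Constructed sample parameter sets (not from a real deployment).
WEAK_PARAMS = {
    "Start service": "on",
    "Host": "https://onesign.example.org/",   # URL instead of host name
    "Verify certificates": "off",             # left off after the lab test
    "Agent Type": "Shared Kiosk Workstation",
    "USB forwarding": "on",                   # conflicts with the virtual channel
    "Log level": "debug",                     # forgotten after troubleshooting
}
GOOD_PARAMS = {
    "Start service": "on",
    "Host": "onesign.example.org",
    "Verify certificates": "on",
    "Agent Type": "Shared Kiosk Workstation",
    "USB forwarding": "off",
    "Log level": "none",
}

if __name__ == "__main__":
    for name, params in (("weak", WEAK_PARAMS), ("good", GOOD_PARAMS)):
        print(f"{name}: {check_imprivata_params(params) or ['no findings']}")
```

Run it as-is to see the four findings for the weak set and none for the corrected one; pass lab=True if you are deliberately testing against a self-signed appliance and want the certificate finding downgraded to a reminder.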

Authentication modalities

In most cases you do not have to configure anything on the NoTouch side regarding specific authentication modalities.

Username/password

The Imprivata login dialog allows users to log in with their normal username and password, if this modality is enabled in the Imprivata policies.

Prox card / badge tap

NoTouch supports RFIDeas prox readers as well as the Imprivata-branded readers (among them IMP-75, IMP-80, IMP-82, ...) for easy badge tap-in and tap-out. No specific configuration is necessary for RFIDeas readers on the NoTouch side. NoTouch obeys all settings made in the Imprivata VA regarding card type/reader configuration as well as workflow. For instance, you can specify whether one user is allowed to "tap over" another active user.

Note: The "Tapping mode" parameter on NoTouch is deprecated. Use "No setting" to pull the value from Imprivata.

NoTouch also supports additional PIN authentication requirements as well as card enrolling.

NoTouch includes a command-line utility, rfideascmd, to manipulate RFIDeas readers. It is intended for diagnostic use only and is not needed in normal operation; please see RFideas prox readers for more information.

Fingerprint

NoTouch supports the Imprivata-branded DigitalPersona fingerprint readers. Other fingerprint readers based on the Upek stack may work, but only the aforementioned readers are guaranteed to work.

You can disable fingerprint support in the NoTouch parameters: even if it is enabled in Imprivata and a reader is connected, you can still switch it off on the endpoint should the need arise.

Smartcards

To use smartcards in an Imprivata login scenario, please:

  1. Switch on the Services->Smartcard->"Start PCSC service" parameter
  2. Reboot

Questions and answers/SSPR

Similar to username/password, when using QnA (Questions and Answers) or SSPR (Self-Service Password Reset), NoTouch obeys the settings specified in the Imprivata policies and displays the required questions.

Imprivata configuration reference

Basic Imprivata parameters

The Imprivata parameters are part of the Services parameter group. Navigate to the Services tab and look for "Imprivata". The important parameters are:

  • Start service. This is the master switch to use the Imprivata functionality. To use Imprivata OneSign SSO, switch it to "on".
  • Host. The DNS host name of the Imprivata appliance.
  • Verify certificates. Denotes whether NoTouch should validate the appliance's SSL certificate. By default this is on, and it should stay on in production: without validation the endpoint cannot distinguish the real appliance from an impostor answering at the same host name. If you have just set up the Imprivata VA in a lab environment without a proper SSL certificate, you may switch this off temporarily.
  • Agent Type. This parameter defines how the Virtual Channel should behave. In most cases this will be set to Shared Kiosk Workstation.
    • Off. No Virtual Channel is provided.
    • Shared Kiosk Workstation. This opens the VC communication path and can be used for all sorts of VC communication including secondary authentication (such as fingerprint for electronic prescriptions)
    • Fast User Switching. This setting enables the very specific #Fast User Switching (FUS) scenario (see below).
(Image: Center-en-Imprivata-Configuration.jpg, the Imprivata parameters in NoTouch Center)

Other Imprivata parameters

  • Allow Imprivata desktop background. If that is on (default), the system's desktop background will be pulled from the Imprivata Virtual Appliance, preempting anything that is set in the NoTouch parameters.
  • Fingerprint support. Allow (default) or disallow the use of fingerprint devices.
  • Start login dialog minimized/iconified. By default, the Imprivata login dialog is shown on top of all other windows. Some customers wanted a setup where the Imprivata login dialog is not visible, but the system still actively waits for badge taps. In this case, set this parameter to "on".
  • Name of connection to launch. (Optional). In most cases, information on what kind of session to start will be pulled from the OneSign appliance. If you want to override that, enter the actual connection name that the Imprivata module will start upon successful authentication. Be careful - check for typos, missing or too many spaces.
  • Log level. By default this is set to "none" to indicate no logging is desired. In case you run into problems or when directed by any vendor's support engineers, switch it to "debug".
  • Domain Preference. This is used very rarely (sometimes with VMware Horizon View). When receiving the username and domain from the Imprivata API, we may be presented with multiple options, most notably a NetBIOS-style domain (like WWCO) and a DNS domain (like wwco.net). This switch denotes which format should be used to log in to your VDI. VMware Horizon as of Q1/2018 only accepts the NetBIOS domain format; NoTouch is quite good at figuring this out, but in certain circumstances you may have to set this explicitly.
  • Domain Override. If you have a very complicated domain forest/setup, you may have a need to override the domain portion with a static value. E.g. Imprivata delivers x1.ou.wwco.net, but you know for VDI you want x.wwco.net, then use this parameter to set the domain value to be used.
  • Tapping mode. With this parameter you can specify what should happen if the user taps the proximity card while a session is established. This parameter is deprecated; leave it at "No setting" so the value is pulled from Imprivata (see above).
    • No setting. Pull the value from the Imprivata VA (default, and most reasonable).
    • None. This setting denotes that nothing should happen.
    • Close running connection. This setting disconnects the user.
    • Close running connection and allow user switch. Similar to the setting above this disconnects the user, but it allows to begin login for a different card. Use this if you want one user to be able to disconnect another one.
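The "Domain Preference" and "Domain Override" entries above describe a small selection rule: the Imprivata API may return the domain in more than one form, the preference picks the form, and the override replaces the value outright. The following function is an added example that models that rule; it is not NoTouch's own code. The candidate-list layout, the preference values "netbios" and "dns", the function names and the sample user and domains are assumptions for this illustration; the domain values WWCO, wwco.net, x1.ou.wwco.net and x.wwco.net are the ones the article uses.

```python
"""Pick the domain string used for the VDI logon from what the Imprivata API returned.

Added example, not NoTouch code. Models the article's "Domain Preference" and
"Domain Override" parameters; the API shape and the names below are assumptions.
"""
from typing import List, Optional


def is_dns_domain(name: str) -> bool:
    """A DNS domain (wwco.net) contains a dot; a NetBIOS name (WWCO) does not."""
    return "." in name


def resolve_login_domain(candidates: List[str], preference: str = "netbios",
                         override: Optional[str] = None) -> str:
    """Return the domain to use for the VDI logon.

    candidates: domain strings as handed back by the Imprivata API (any order).
    preference: "netbios" or "dns", i.e. the Domain Preference parameter.
    override:   static value from Domain Override; if set it wins unconditionally.
    """
    if override and override.strip():
        # Domain Override is administrator configuration, not user input, so it
        # is applied verbatim; the API result is ignored entirely.
        return override.strip()
    if preference not in ("netbios", "dns"):
        raise ValueError(f"unknown domain preference {preference!r}")
    cleaned = [c.strip() for c in candidates if c and c.strip()]
    if not cleaned:
        raise ValueError("Imprivata returned no domain for this user")
    want_dns = preference == "dns"
    matching = [c for c in cleaned if is_dns_domain(c) == want_dns]
    # If the preferred form is not available, fall back to whatever was returned
    # rather than failing the logon; the broker will reject it if it is unusable.
    return matching[0] if matching else cleaned[0]


def build_logon_name(user: str, candidates: List[str], preference: str = "netbios",
                     override: Optional[str] = None) -> str:
    """Down-level logon name (DOMAIN\\user) for the chosen domain."""
    domain = resolve_login_domain(candidates, preference, override)
    return f"{domain}\\{user.strip()}"


if __name__ == "__main__":
    # Constructed API result for a fictitious user "jdoe".
    api_domains = ["wwco.net", "WWCO"]
    print(build_logon_name("jdoe", api_domains, "netbios"))          # NetBIOS form
    print(build_logon_name("jdoe", api_domains, "dns"))              # DNS form
    print(build_logon_name("jdoe", ["x1.ou.wwco.net"], "dns", override="x.wwco.net"))
```

The override check comes first so that a misconfigured preference cannot undo a deliberate override, and the fallback keeps the logon attempt going when the appliance only returned one form of the domain, which is the "NoTouch is quite good at figuring this out" case from the parameter description.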