Configure Locker SSO to OpenID Connect-enabled Apps
Applies to iOS devices only.
Imprivata Mobile Access Management (MAM) can authenticate users to OpenID Connect (OIDC) apps that are configured with Imprivata as the Identity Provider (IdP). Locker SSO shares the MAM user session established at device checkout with the third-party app, so the user does not have to enter credentials again to authenticate to that app.
The app session is secured with the user's personal device passcode.
Locker SSO and Password Autofill are not mutually exclusive. You can still use Password Autofill for other applications; if you do not want users to see the Password Autofill prompt, hide it by configuring a Locker Custom Option.
Prerequisites
Supported in MAM 7.3 and later.
Take note of the following prerequisites:
- Imprivata Locker app for iOS 4.3 or later
- The Password Autofill and SSO setting is enabled in the MAM console (Admin > Check Out > Password Autofill and SSO).
- Integration with Imprivata Enterprise Access Management (EAM).
The following EAM dependencies for OIDC integration must be completed:
- Imprivata appliances are running a maintained release of EAM. For more information, see the EAM Supported Components.
- Imprivata is licensed for Single Sign On.
- OpenID Connect applications are added to your Imprivata enterprise.
- OpenID Connect applications are deployed to the selected set of users.
- Imprivata users are assigned to a user policy enabled for Single Sign On.
- An SSO Extension profile is deployed from your MDM.
Network Requirements
Ensure that your firewall policy is configured to allow communication for Locker SSO.
Add the following hosts to your firewall allowlist:
*.cloud.imprivata.com
Validate OpenID Connect integration settings in the Imprivata Admin Console:
| Setting | Required / Optional | Imprivata Admin Console location |
|---|---|---|
| Appliance is running a maintained release of Imprivata Enterprise Access Management | Required | Help menu |
| Imprivata Single Sign On is licensed | Required | Gear menu > License |
| Imprivata enterprise is provisioned and connected to the cloud | Required | Gear menu > Cloud connection |
| OpenID Connect applications are added and enabled in Imprivata Admin Console | Required | Applications > Single sign-on application profiles |
| OpenID Connect applications are deployed to selected set of users | Required | Applications > Single sign-on application profiles |
| Imprivata users are assigned to user policy enabled for Single Sign On | Required | Users > User policies |
Imprivata Services will enter the Enterprise ID and one-time cloud provisioning code required to establish trust between your Imprivata enterprise and the Imprivata cloud:
- In the Imprivata Admin Console, click the gear icon > Cloud connection.
- Imprivata Services enters your Enterprise ID and cloud provisioning code. (The cloud provisioning code expires 5 minutes after it is generated; generate a new code if 5 minutes have elapsed.)
- Click Establish trust.
IMPORTANT: The cloud connection must be established by Imprivata Services.
Imprivata SSO (the IdP) and your OpenID Connect application (the Relying Party, RP) each need metadata from the other.
Open both consoles at the same time and exchange this metadata as follows:
- In your RP's administrator console, copy the RP's Redirect URIs.
- In the Imprivata Admin Console, go to the gear icon > Web App Login Configuration. Enter the Redirect URIs exactly as the RP sends them; OIDC matches redirect URIs by exact string comparison.
- Click View and copy Imprivata (IdP) OpenID Connect metadata.
- Provide the Client ID and Client Secret values to the RP's admin console. The Client Secret is a credential; pass it to the RP administrator only over a secure channel.
- Provide the endpoint URL metadata to the RP. This can be entered manually, or by providing the IdP metadata URL.
- Save your work.
In the Imprivata Admin Console, only the superadmin role can configure SSO application profiles:
- In the Imprivata Admin Console, go to Applications > Single sign-on application profiles. All Single sign-on application profiles, including Mobile app profiles and OpenID Connect application profiles, are managed from this page.
- Click Add App Profile > Application using OpenID Connect. The Add application using OpenID Connect page opens.
- In the Application profile name box, type the application profile name. This name is only visible to administrators.
- In the Application user-friendly name box, type a user-friendly name for the application. This is the application name your users see when they log in.
- In the Redirect URIs box, type the Redirect URIs from the RP, exactly as the app will send them (OIDC compares redirect URIs as literal strings). If you don't have them yet, leave this window open and go to the RP's admin console in another window.
- Optional: Claims. Review the default claims and configure any custom claims required for your integration. For Epic Rover, leave the defaults in Claims.
- Click Generate Client credentials to provide to the RP. A Client ID and Client secret are created. Provide these to the RP; treat the Client secret as a credential and share it only over a secure channel.
- Click View and copy Imprivata (IdP) OpenID Connect metadata.
- Copy the Issuer URL to provide to the RP.
- Click Save.
Beginning with MAM 7.3 and Locker iOS 4.3, using Locker SSO is the preferred method for authenticating to Epic Rover.
Contact your Epic TS for assistance with configuring your Epic environment with OpenID Connect.
Also see your Epic documentation for Setting up OIDC login for Epic Mobile Apps.
- In the Imprivata Admin Console, go to Applications > Single sign-on application profiles. All Single sign-on application profiles, including Mobile app profiles and OpenID Connect application profiles, are managed from this page.
- Click Add App Profile > Application using OpenID Connect. The Add application using OpenID Connect page opens.
- In the Application profile name box, type Epic Rover as the application profile name. This name is only visible to administrators.
- In the Application user-friendly name box, type Rover as the user-friendly name for the application. This is the application name your users see when they log in.
- In the Redirect URIs box, type the Redirect URIs for Epic. Locker supports both native app custom-scheme redirect URIs (com.epic.rover.oidc://callback) and universal links (https://mobile.epic.com/rover/OIDC/redirect/). Enter each URI exactly as Rover sends it, including the trailing slash on the universal link.
- Optional: Claims. For Epic Rover, leave the defaults in Claims.
- Click Generate Client credentials to provide to the RP. A Client ID and Client secret are created. Provide the Client ID and Client secret to your organization's Epic resource or TS, who will configure Epic Rover to use OIDC.
- Click View and copy Imprivata (IdP) OpenID Connect metadata.
- Copy the Issuer URL and provide it to your Epic TS. They will generate a new econfig URL or modify the existing one.
- Click Save.
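The values copied between the two consoles above (Redirect URIs into Imprivata, Issuer URL and endpoint metadata into the RP) are easy to get subtly wrong, and OIDC tolerates none of it: redirect URIs are compared as literal strings, and the issuer in the discovery document must be identical to the Issuer URL the RP is configured with. The script below is an added example, not Imprivata or Epic code, that pre-flights those values. The two redirect URIs are the Epic Rover ones quoted on this page; the discovery document and the `idp.example.test` hostnames are constructed placeholders, not Imprivata's real endpoints.

```python
"""Added example: pre-flight checks on the OIDC values exchanged between the
Imprivata (IdP) console and the RP console. Not Imprivata or Epic code.
The discovery document and issuer below are constructed placeholders; the
two Epic Rover redirect URIs are the ones quoted on this page."""
from urllib.parse import urlsplit

# Redirect URIs exactly as registered in the Imprivata "Redirect URIs" box.
REGISTERED_REDIRECT_URIS = [
    "com.epic.rover.oidc://callback",                 # native custom scheme
    "https://mobile.epic.com/rover/OIDC/redirect/",   # universal link
]

# Constructed sample of what "View and copy Imprivata (IdP) OpenID Connect
# metadata" would hand over; hostnames are placeholders, not real endpoints.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.test/oidc",
    "authorization_endpoint": "https://idp.example.test/oidc/authorize",
    "token_endpoint": "https://idp.example.test/oidc/token",
    "jwks_uri": "https://idp.example.test/oidc/jwks",
    "id_token_signing_alg_values_supported": ["RS256"],
}


def classify_redirect_uri(uri: str) -> str:
    """Return 'custom-scheme' or 'universal-link'; reject forms an OIDC RP
    must not register (plaintext http, fragments, missing scheme or host)."""
    parts = urlsplit(uri)
    if "#" in uri:
        raise ValueError(f"{uri}: redirect URIs must not contain a fragment (RFC 6749 3.1.2)")
    if not parts.scheme:
        raise ValueError(f"{uri}: no URI scheme")
    if parts.scheme == "http":
        raise ValueError(f"{uri}: plaintext http redirect is not acceptable")
    if parts.scheme == "https":
        if not parts.netloc:
            raise ValueError(f"{uri}: universal link needs a host")
        return "universal-link"
    return "custom-scheme"


def redirect_uri_allowed(requested: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """OIDC matches redirect_uri by simple string comparison: no prefix match,
    no path normalisation, and a missing trailing slash is a different URI."""
    return requested in registered


def check_discovery(doc: dict, configured_issuer: str) -> list:
    """Compare the IdP metadata against the Issuer URL typed into the RP."""
    problems = []
    issuer = doc.get("issuer", "")
    iss = urlsplit(issuer)
    if iss.scheme != "https" or iss.query or iss.fragment:
        problems.append(f"issuer {issuer!r} must be https with no query or fragment")
    if issuer != configured_issuer:
        # OIDC Discovery 4.3: the issuer value must be identical to the Issuer
        # URL the RP uses; a trailing slash or case difference is a mismatch.
        problems.append(f"issuer {issuer!r} != configured Issuer URL {configured_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not value:
            problems.append(f"{key} missing from metadata")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("IdP advertises unsigned (alg=none) ID tokens")
    return problems


if __name__ == "__main__":
    for uri in REGISTERED_REDIRECT_URIS:
        print(uri, "->", classify_redirect_uri(uri))
    print("discovery problems:", check_discovery(SAMPLE_DISCOVERY, "https://idp.example.test/oidc"))
    print("trailing slash:", check_discovery(SAMPLE_DISCOVERY, "https://idp.example.test/oidc/"))
```

Run `check_discovery` against the real metadata you copy from the Imprivata console, with the Issuer URL exactly as you hand it to the RP; a trailing-slash mismatch is reported as a problem on purpose, because that is the most common reason an otherwise correct OIDC integration fails at the discovery step.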
In your MDM, create and deploy an SSO Extension profile that enables single sign-on. The settings are the same in every MDM: the extension identifier, the type Redirect, and the IdP URL. A Redirect extension only handles authentication requests to the URLs listed in the profile, so the URL must be entered exactly as shown. The procedures below show where to enter these settings in a generic MDM console and in two other console layouts; follow the one that matches your MDM.
- In your MDM's admin console, create an SSO extension profile with the following information:
  - Give the profile a unique, identifiable name, such as 'Imprivata Locker SSO Extension'.
  - Extension identifier: com.imprivata.b2b.locker.ssoextension
  - Type: Redirect
  - URLs: https://oidc.idp.cloud.imprivata.com
- Assign the SSO Extension to the devices.
Alternatively:
- In Devices > iOS/iPadOS | Configuration > Manage devices > Configuration, create a new policy with the name 'Imprivata Locker SSO Extension'.
  - Select Templates from the Profile type list.
  - Select Device features and click Create.
- Expand the Authentication section of the new policy.
  - For Extension identifier, type com.imprivata.b2b.locker.ssoextension
  - For Type, select Redirect.
  - For URLs, type https://oidc.idp.cloud.imprivata.com
- Save the SSO Extension and assign it to your devices.
Alternatively:
- In Resources > Profile Details > SSO Extension, configure the SSO extension for Imprivata Locker.
- On the SSO Extension tab, configure the following information:
  - For Extension identifier, type com.imprivata.b2b.locker.ssoextension
  - For Type, select Redirect.
  - For URLs, type https://oidc.idp.cloud.imprivata.com
- Save the SSO Extension and assign it to your devices.
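Whatever the console looks like, every MDM ends up pushing the same Apple Extensible SSO configuration payload to the device. The script below is an added example, not Imprivata's or any MDM vendor's code: it builds that payload with the values from the procedure above and checks a profile (generated here or exported from your MDM) for the mistakes that silently break Locker SSO, namely a Credential-type extension instead of Redirect, a mistyped or non-https URL, or a URL host that the firewall allowlist from Network Requirements does not cover. The payload key names (PayloadType com.apple.extensiblesso, ExtensionIdentifier, Type, URLs) are Apple's documented ExtensibleSingleSignOn keys; the PayloadIdentifier and organization strings are placeholders you would replace with your own.

```python
"""Added example: build and verify the Apple Extensible SSO payload that the
MDM procedures on this page produce. Not Imprivata or MDM vendor code.
Assumes Apple's documented ExtensibleSingleSignOn payload keys; the
PayloadIdentifier and PayloadOrganization values are placeholders."""
import fnmatch
import plistlib
import uuid
from urllib.parse import urlsplit

EXTENSION_ID = "com.imprivata.b2b.locker.ssoextension"   # from this page
IDP_URL = "https://oidc.idp.cloud.imprivata.com"         # from this page
FIREWALL_ALLOWLIST = ["*.cloud.imprivata.com"]            # Network Requirements


def build_sso_extension_profile(display_name="Imprivata Locker SSO Extension",
                                org="Example Org") -> bytes:
    """Return a .mobileconfig (XML plist) carrying one Redirect SSO extension
    payload. 'org' and the PayloadIdentifier prefix are placeholders."""
    payload = {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{EXTENSION_ID}.profile.payload",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": display_name,
        "ExtensionIdentifier": EXTENSION_ID,
        "Type": "Redirect",
        "URLs": [IDP_URL],
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{EXTENSION_ID}.profile",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def host_allowed(host: str, allowlist=FIREWALL_ALLOWLIST) -> bool:
    """Wildcard allowlist match. Note that '*.cloud.imprivata.com' covers
    sub-hosts only, not the apex name, which is how firewalls read it too."""
    return any(fnmatch.fnmatchcase(host, pattern) for pattern in allowlist)


def verify_sso_extension_profile(data) -> list:
    """Check a profile (plist bytes, or an already-parsed dict) against the
    Locker SSO requirements. Returns a list of problems; empty means OK."""
    profile = plistlib.loads(data) if isinstance(data, (bytes, bytearray)) else data
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.extensiblesso"]
    if not payloads:
        return ["no com.apple.extensiblesso payload in profile"]
    problems = []
    for p in payloads:
        if p.get("ExtensionIdentifier") != EXTENSION_ID:
            problems.append(f"ExtensionIdentifier {p.get('ExtensionIdentifier')!r} is not the Locker extension")
        if p.get("Type") != "Redirect":
            problems.append(f"Type is {p.get('Type')!r}; Locker SSO requires Redirect")
        urls = p.get("URLs") or []
        if IDP_URL not in urls:
            problems.append(f"URLs {urls} does not include {IDP_URL}")
        for url in urls:
            parts = urlsplit(url)
            if parts.scheme != "https":
                problems.append(f"{url}: not https")
            elif not host_allowed(parts.hostname or ""):
                problems.append(f"{url}: host not covered by firewall allowlist")
    return problems


if __name__ == "__main__":
    blob = build_sso_extension_profile()
    print(blob.decode())
    print("problems:", verify_sso_extension_profile(blob))
```

Write the returned bytes to a `.mobileconfig` file to upload as a custom profile where your MDM has no SSO extension template, or point `verify_sso_extension_profile` at a profile exported from the MDM to confirm what was actually deployed.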
Configure several settings in MAM to support the integration.
- In the MAM console, navigate to Admin > Check Out.
- Switch the Password Autofill and SSO setting to ON.
- Switch the Require a second factor to unlock the device setting to ON. This setting controls whether users must provide a second factor in the Locker app during checkout to unlock the device.
NOTE: For organizations created in MAM 7.0 (June 2025) or later, this setting is always on and the option to disable it is not shown.
Face Authentication for OIDC-enabled Apps
Beginning in MAM 7.3, as a new standard workflow, you can eliminate the device passcode and let users authenticate with their face to OIDC-enabled apps such as Epic Rover.
- At device checkout, users are not prompted for a device-level passcode. Instead, MAM secures the apps with face authentication and short inactivity timeouts.
- Supports any app that uses OIDC.
- Gives high assurance that the user of the app is the user who checked out the device.
Requirements
Face authentication for OIDC-enabled apps requires the following:
- An Imprivata Advanced Passwordless Access (APA) license.
Considerations
Application-level timeouts that require the user to re-authenticate are controlled by the individual apps themselves. They cannot be configured in either EAM or MAM, and they are not affected by EAM user policy grace periods for multi-factor authentication (MFA).