Healthcare Seamless SSO Summary

What is it?

Healthcare Seamless SSO extends Microsoft Azure Active Directory Seamless SSO to shared clinical workstations. Using Imprivata OneSign desktop tap-and-go capabilities, Imprivata OneSign users can single sign-on to enterprise web-based Microsoft Office 365 applications and Microsoft Azure AD Marketplace applications.

Imprivata OneSign Integrated RunAs launches the browser (Internet Explorer 11, Google Chrome, or Microsoft Edge) under the context of the Imprivata OneSign user who is accessing Office 365, rather than under the generic account that is logged on to the shared workstation.

Why is it useful to healthcare customers?

With Healthcare Seamless SSO, Imprivata OneSign and Microsoft bridge the on-premises SSO that Imprivata OneSign provides to the Office 365 cloud SSO that Azure Active Directory provides, using modern authentication standards. Healthcare Seamless SSO increases clinical productivity, collaboration, and return on investment by providing a nearly passwordless experience: clinicians who frequently need Office 365 online collaboration tools can reach them without entering a username and password.

How is the environment configured?

In the environment:

  • Microsoft Azure Active Directory Seamless SSO is configured and running normally, independent of Imprivata OneSign.

    For additional information on deploying Azure Active Directory Seamless SSO, see the Azure Active Directory documentation.

  • The Imprivata shared kiosk workstation agent is deployed to the shared clinical workstations.

  • The Imprivata OneSign Integrated RunAs custom shortcut for Office 365 is available on the desktop.

NOTE: If you require assistance configuring Microsoft Azure Active Directory for Seamless SSO, contact your Microsoft account representative.

The following table summarizes how Imprivata OneSign and the Microsoft technologies in the environment are configured:

Technology Configuration
Office 365
  • Azure Active Directory and/or ADFS is functioning as the Identity Provider.

Azure Active Directory
  • Azure Active Directory is implemented in a hybrid model: "Hybrid Azure AD join".

    • Managed Domains must be configured to use Seamless SSO.

    • Federated Domains must be configured to use ADFS.

    For more information, see "Common scenarios and recommendations" in the Microsoft documentation.

  • Grant Full Control permission on the generic user's profile folder, C:\Users\<Generic User>.

  • Add any work or school account.

  • Azure Active Directory must be enabled for Seamless SSO.

    For more information, see the Microsoft documentation.

Delivery environment
  • Validated on Windows 10 local and remote desktops.

  • The domain in which the Imprivata OneSign users are members must have a trust relationship with the endpoints' domain.

Imprivata OneSign
  • An Imprivata OneSign Single Sign-On license is required.

  • Imprivata appliance 6.2 or later.

  • Imprivata agent 6.2 or later.

Imprivata OneSign Integrated RunAs custom shortcut
  • Internet Explorer 11

    Target path example:

    "C:\Program Files (x86)\Imprivata\OneSign Agent\ISXRunAs.exe" "C:\Program Files (x86)\Internet Explorer\iexplore.exe" "https://outlook.office.com"

  • Google Chrome with Windows 10 Account Extension

    Target path example:

    "C:\Program Files (x86)\Imprivata\OneSign Agent\ISXRunAs.exe" /profile "C:\Program Files (x86)\Google\Chrome\Application\Chrome.exe" "https://outlook.office.com"

  • Web Client Outlook with Microsoft Edge Chromium

    Target path example:

    "C:\Program Files (x86)\Imprivata\OneSign Agent\ISXRunAs.exe" /profile "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://outlook.com/owa/isxrunas.com"
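The following PowerShell script is an added example for this summary; it is not Imprivata's or Microsoft's code. It creates the three Integrated RunAs shortcuts from the target path examples above using the WScript.Shell COM object, and then audits each shortcut to confirm that it still launches ISXRunAs.exe (not the bare browser) and only opens an HTTPS URL from an allowed list. The shortcut names, the public desktop folder, and the allowed-URL list are assumptions made for the example; the executable paths, the /profile switch, and the URLs are the ones shown in the table.

```powershell
# Added example (not from the Imprivata page): create and audit the Integrated RunAs
# custom shortcuts. Executable paths, /profile usage and URLs come from the table above;
# shortcut names, the destination folder and the allowed-URL list are assumptions.

$RunAs = 'C:\Program Files (x86)\Imprivata\OneSign Agent\ISXRunAs.exe'

# One entry per browser from the table. Profile adds the /profile switch that the
# table shows for Chrome and Edge but not for Internet Explorer 11.
$Shortcuts = @(
    @{ Name = 'Outlook (IE11)';   Browser = 'C:\Program Files (x86)\Internet Explorer\iexplore.exe';        Profile = $false; Url = 'https://outlook.office.com' },
    @{ Name = 'Outlook (Chrome)'; Browser = 'C:\Program Files (x86)\Google\Chrome\Application\Chrome.exe';  Profile = $true;  Url = 'https://outlook.office.com' },
    @{ Name = 'Outlook (Edge)';   Browser = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'; Profile = $true;  Url = 'https://outlook.com/owa/isxrunas.com' }
)

function New-RunAsShortcut {
    param(
        [string]$Name, [string]$Browser, [bool]$Profile, [string]$Url,
        # Assumption: shortcuts go on the shared (all users) desktop of the kiosk workstation
        [string]$Folder = [Environment]::GetFolderPath('CommonDesktopDirectory')
    )
    # Fail early if the launcher or the browser is not installed where the table expects it
    foreach ($exe in @($RunAs, $Browser)) {
        if (-not (Test-Path -LiteralPath $exe)) { throw "Missing executable: $exe" }
    }
    $argList = @()
    if ($Profile) { $argList += '/profile' }
    $argList += "`"$Browser`"", "`"$Url`""

    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut((Join-Path $Folder "$Name.lnk"))
    $lnk.TargetPath       = $RunAs              # the launcher is ISXRunAs.exe, never the browser itself
    $lnk.Arguments        = $argList -join ' '  # /profile "<browser>" "<url>"
    $lnk.WorkingDirectory = Split-Path $RunAs
    $lnk.Save()
    return $lnk.FullName
}

# Audit: a shortcut whose target was changed to the bare browser would open Outlook under
# the generic kiosk account instead of the tapped-in user's context, so check the target
# and the URL of every RunAs shortcut found on the shared desktop.
function Test-RunAsShortcut {
    param(
        [string]$Path,
        [string[]]$AllowedUrls = @('https://outlook.office.com', 'https://outlook.com/owa/isxrunas.com')  # assumption
    )
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($Path)
    $problems = @()
    if ($lnk.TargetPath -ne $RunAs) { $problems += "target is '$($lnk.TargetPath)', expected ISXRunAs.exe" }

    # The last quoted token in the arguments is the URL handed to the browser
    $urlMatch = [regex]::Matches($lnk.Arguments, '"([^"]+)"') | Select-Object -Last 1
    $url = if ($urlMatch) { $urlMatch.Groups[1].Value } else { '' }
    if ($url -notlike 'https://*')      { $problems += "URL '$url' is not HTTPS" }
    elseif ($url -notin $AllowedUrls)   { $problems += "URL '$url' is not in the allowed list" }

    [pscustomobject]@{ Shortcut = $Path; Ok = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
}

# Create the shortcuts, then audit them (also re-run the audit on its own as a periodic check)
foreach ($s in $Shortcuts) {
    $path = New-RunAsShortcut @s
    Test-RunAsShortcut -Path $path
}
```

Run the script elevated on the shared workstation once the Imprivata agent and the browsers are installed. Test-RunAsShortcut can be scheduled on its own against *.lnk files on the shared desktop to catch shortcuts that have been edited to point at the browser directly or at a non-HTTPS address.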

Clinical workflow

The following describes an example clinical workflow.

A nurse taps their proximity card to authenticate to a shared workstation that is secured by Imprivata OneSign.

  • The Imprivata Integrated RunAs custom shortcut to Office 365 Outlook is on the desktop.

  • The nurse opens the shortcut to SSO into Outlook.

When the nurse is finished, they tap their proximity card to secure the workstation. All the applications that were in use by the nurse remain running, but are now secured behind the lock screen.

A physician taps their proximity card to authenticate to the shared workstation.

  • All of the nurse’s applications that were launched using Imprivata Integrated RunAs are automatically closed.

  • The physician opens the custom shortcut to access Office 365 Outlook.

When the physician is finished, they tap their proximity card to secure the workstation. All the applications that were in use by the physician remain running, but are now secured behind the lock screen.