Microsoft and Imprivata OneSign SSO integration

Published May 02 2019 12:43 PM
Microsoft

The Shared Clinical Workstation (SCW) is the primary computing endpoint used by “frontline” healthcare workers to access digitized clinical processes and information. These workstations are often mounted on walls and other spaces through a patient care area, on rolling carts or in dedicated consultation rooms. Members of the clinical team use these workstations to capture and review patient information.


While the SCW is implemented in a variety of configurations, a common deployment model uses a concept called “generic autologin” to reduce time/effort required to access clinical applications. While reducing non-productive time related to technology overhead (login, user profiles, OS navigation, etc.), it introduces two major security/privacy risks:

  1. The SCW is sitting open where anyone, authorized or not, can walk up and use it
  2. Activities on the SCW operating system are not traceable to a specific user

Imprivata OneSign®, the leading healthcare enterprise single sign-on and virtual desktop access solution, reduces those risks by protecting those “generic autologin” systems. In addition, the OneSign® solution gives providers convenient and secure access to protected health information across all native workflows for all major Clinical Information Systems (EMR, CPOE, LIS, RIS, etc.).


More than ever, care is delivered by interdisciplinary teams rather than by individuals working autonomously. This creates an even greater need to communicate and collaborate as a team, which in turn creates demand for using any computing endpoint, especially the Shared Clinical Workstation, as a collaboration endpoint. While the combination of “generic autologin” and OneSign® has elegantly and securely solved this for clinical applications, cloud applications such as Microsoft Office 365 collaboration and communication have not functioned properly in this configuration. This limitation has historically blocked the Shared Clinical Workstation’s use as a communication and collaboration tool.


In a recent announcement, Imprivata laid out new integrations between OneSign® and Microsoft 365 (Windows 10, Enterprise Mobility + Security, and Office 365). These new integrations offer a solution for delivering both clinical applications and communication/collaboration tools to Shared Clinical Workstations. This solution is a result of a new partnership between Microsoft and Imprivata. The goal of the partnership is to deliver an architecture and capabilities for Modern Shared Clinical Workstations.


Solution Overview
The solution to delivering both traditional and cloud applications to Shared Clinical Workstations essentially enables Integrated Windows Authentication for Azure AD protected applications by leveraging recent updates to the Microsoft and Imprivata platforms. This allows a single authentication by Imprivata OneSign (a badge tap, for example) to provide access to all the healthcare applications that Imprivata supports today, to Microsoft first-party cloud applications, and to the thousands of SaaS applications available in the Azure AD catalog.


Beginning with Imprivata OneSign 6.2, the ISXRunAs command line utility (ISXRunAs.exe) is installed with the Imprivata agent. This utility allows an authenticated user to launch and run an IWA-enabled application under their own user profile, instead of the local (generic) Windows user on the shared workstation. This enables access to network resources, such as mapped drives and network printers, from within the application. When paired with the recently available Seamless SSO configuration of Microsoft Azure Active Directory and hybrid Azure AD joined PCs, ISXRunAs also provides access to Azure AD-integrated applications such as O365 and Azure AD connected 3rd party SaaS applications.

Requirements

  • Imprivata OneSign Appliance 3rd Generation running 6.2 or later
  • Azure AD Connect (AADConnect) configured with password hash sync (PWHash) and Seamless SSO, or with Pass-through Authentication
  • Windows 10 (tested on 1809 but all versions should work)
  • Hybrid Azure AD Joined PC
  • Imprivata Agent downloaded to PC from the virtual appliance
  • User must be a part of the AD domain
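The device-side items in the list above can be verified on the endpoint before any shortcut is configured. The following PowerShell is an added example, not code from the original post, Imprivata or Microsoft: it reads the output of `dsregcmd /status` (the standard Windows tool for reporting Azure AD join state), looks for the agent's ISXRunAs.exe in the two install folders the post names, and checks the Windows 10 version. The function name and the `-DsregText` parameter (which lets the parsing be exercised against saved output) are assumptions of this example.

```powershell
# Added example (not from the original post, Imprivata or Microsoft): checks the
# endpoint-side prerequisites for the ISXRunAs shortcut described in the post.
# Function name and the -DsregText parameter are assumptions of this example.

function Test-ScwPrerequisites {
    [CmdletBinding()]
    param(
        # Lines of 'dsregcmd /status' output; by default captured from this machine.
        [string[]]$DsregText = (& dsregcmd /status)
    )

    # dsregcmd prints '   Key : Value' lines; keep only the fields we need.
    $state = @{}
    foreach ($line in $DsregText) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DomainName|TenantName)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    # "Hybrid Azure AD joined" means BOTH: joined to on-prem AD and registered in Azure AD.
    $hybridJoined = ($state['AzureAdJoined'] -eq 'YES') -and ($state['DomainJoined'] -eq 'YES')

    # The agent lives under Program Files on 32-bit Windows and Program Files (x86)
    # on 64-bit Windows (see the post); the (x86) variable is absent on 32-bit Windows.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $agentPath = $null
    foreach ($root in $roots) {
        $candidate = Join-Path $root 'Imprivata\OneSign Agent\ISXRunAs.exe'
        if (Test-Path -LiteralPath $candidate) { $agentPath = $candidate; break }
    }

    # Windows 10 check from the OS caption/version reported by WMI/CIM.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $isWin10 = $os.Caption -like '*Windows 10*'

    [pscustomobject]@{
        HybridAzureAdJoined = $hybridJoined
        DomainName          = $state['DomainName']
        TenantName          = $state['TenantName']
        AgentPresent        = [bool]$agentPath
        AgentPath           = $agentPath
        Windows10           = $isWin10
        OSVersion           = $os.Version
        Ready               = $hybridJoined -and [bool]$agentPath -and $isWin10
    }
}

# Usage on the shared workstation (run as the generic autologin user or an admin):
Test-ScwPrerequisites | Format-List
```

`Ready` being false pinpoints which endpoint prerequisite is missing; a device that is AD joined but shows `AzureAdJoined : NO` has not completed hybrid join yet, and ISXRunAs will then launch the application without Seamless SSO working against Azure AD. The tenant-side items (password hash sync / Pass-through Authentication and Seamless SSO) are not visible from the endpoint and must be confirmed in the Azure AD Connect configuration.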

Solution Detail
Once the environment is configured with the elements above, the system is ready for the configuration of the ISXRunAs.exe shortcut. The shortcut can be configured manually on an individual endpoint or pushed to a targeted group via a Group Policy Object (GPO). These instructions can be found in the Imprivata document Configure Integrated RunAs.
To configure a shortcut on a single endpoint follow the instructions below:

  • Go to the OneSign Agent installation folder:
    • 32-bit Windows: C:\Program Files\Imprivata\OneSign Agent
    • 64-bit Windows: C:\Program Files (x86)\Imprivata\OneSign Agent
  • Right-click ISXRunAs.exe, and select Send to > Desktop (create shortcut)
  • Go to the desktop, and right-click ISXRunAs - Shortcut
  • Update the Target field to include the additional ISXRunAs usage parameters.
  • Click OK

Examples:
Outlook on the Web shortcut Target:
"C:\Program Files (x86)\Imprivata\OneSign Agent\ISXRunAs.exe" "C:\Program Files (x86)\Internet Explorer\iexplore.exe" "https://outlook.office.com"
Teams full client shortcut Target (web app recommended, but full client also works):
"C:\Program Files (x86)\Imprivata\OneSign Agent\ISXRunAs.exe" /profile "C:\Users\administrator.MSPMTC\AppData\Local\Microsoft\Teams\update.exe" --processStart "teams.exe"
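The two Target values above can also be produced by script, which keeps the parameters identical across workstations when the shortcut is rolled out (for example from a GPO startup or logon script). The following PowerShell is an added example, not code from the original post, Imprivata or Microsoft: it locates ISXRunAs.exe in whichever agent folder exists, then writes a .lnk whose Target is ISXRunAs.exe followed by the same usage parameters the post shows. The function name, its parameters and the `-UseProfile` switch are assumptions of this example; the Outlook on the Web and Teams targets are the post's own.

```powershell
# Added example (not from the original post, Imprivata or Microsoft): builds the
# ISXRunAs desktop shortcuts from the post's examples with a script instead of by hand.
# Function and parameter names are assumptions of this example.

function New-IsxRunAsShortcut {
    param(
        [Parameter(Mandatory)][string]$Name,        # shortcut file name (without .lnk)
        [Parameter(Mandatory)][string]$Program,     # application ISXRunAs should launch
        [string]$ProgramArguments = '',             # arguments passed to that application
        [switch]$UseProfile,                        # prepend ISXRunAs's /profile switch (Teams example)
        [string]$DesktopPath = [Environment]::GetFolderPath('Desktop')
    )

    # Locate ISXRunAs.exe: Program Files on 32-bit Windows, Program Files (x86) on 64-bit.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $isxRunAs = $null
    foreach ($root in $roots) {
        $candidate = Join-Path $root 'Imprivata\OneSign Agent\ISXRunAs.exe'
        if (Test-Path -LiteralPath $candidate) { $isxRunAs = $candidate; break }
    }
    if (-not $isxRunAs) { throw 'ISXRunAs.exe not found; is the Imprivata OneSign agent installed?' }

    # Assemble the usage parameters exactly as they appear in the post's Target field:
    #   [/profile] "<program>" <program arguments>
    $parts = @()
    if ($UseProfile) { $parts += '/profile' }
    $parts += ('"{0}"' -f $Program)
    if ($ProgramArguments) { $parts += $ProgramArguments }

    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut((Join-Path $DesktopPath "$Name.lnk"))
    $lnk.TargetPath       = $isxRunAs                 # Target starts with ISXRunAs.exe ...
    $lnk.Arguments        = $parts -join ' '          # ... followed by the usage parameters
    $lnk.WorkingDirectory = Split-Path $isxRunAs
    $lnk.IconLocation     = "$Program,0"              # show the launched app's icon, not ISXRunAs's
    $lnk.Save()
    return $lnk.FullName
}

# Outlook on the Web (post's first example): Internet Explorer at the OWA URL, run as the badged-in user.
New-IsxRunAsShortcut -Name 'Outlook on the Web' `
    -Program "${env:ProgramFiles(x86)}\Internet Explorer\iexplore.exe" `
    -ProgramArguments '"https://outlook.office.com"'

# Teams full client (post's second example). The update.exe path below is the one the post
# used in its own environment; replace it with the Teams install path used in your deployment.
New-IsxRunAsShortcut -Name 'Teams' -UseProfile `
    -Program 'C:\Users\administrator.MSPMTC\AppData\Local\Microsoft\Teams\update.exe' `
    -ProgramArguments '--processStart "teams.exe"'
```

Run as the generic autologin account, `[Environment]::GetFolderPath('Desktop')` places the .lnk on that account's desktop, which is where the post's clinical workers launch from; pass `-DesktopPath "$env:PUBLIC\Desktop"` to make the shortcut visible to every local profile instead. The .lnk's Target is what actually runs, so after deployment open the shortcut's Properties and confirm the Target begins with ISXRunAs.exe and carries the expected parameters; a shortcut that points straight at the application would run it as the generic user, without the per-user context the post describes.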


The end user experience would be to use the provided shortcuts on the desktop. This is generally how healthcare applications are provided via a technology such as Citrix, surfaced to clinical workers as shortcuts to published applications. These shortcuts for productivity and 3rd party SaaS applications would just be additional apps on the clinical worker desktop creating no change to the current application launch experience. These applications can also be configured for auto-launch upon badge tap through the OneSign Agent.
See also the detailed breakdown of the solution, along with an excellent demo video produced by our MTC and TSP teams.

1 Comment

Re: Microsoft and Imprivata OneSign SSO integration

From the link at the end of the post -

"C:\Program Files (x86)\Imprivata\OneSign Agent\ISXRunAs.exe" /profile "__INSERT COMMON SESSION PROFILE PATH OR VAR__\AppData\Local\Microsoft\Teams\update.exe" --processStart "teams.exe"

I'm curious what was used for __INSERT COMMON SESSION PROFILE PATH OR VAR__. After the shared desktop signs in and Teams installs, if I use that as the path to that executable, and try a runas, it opens Teams as the shared desktop, not the Imprivata logged in user.
Last update: Jul 12 2019 01:56 PM