Integration with Imprivata Confirm ID

Configuration for XTAM and Imprivata Confirm ID (CIDRA) to provide RADIUS based MFA authentication

XTAM supports integration with Imprivata Confirm ID using RADIUS to provide second factor authentication through the use of the Imprivata ID app (token and push).

The following guide describes how to configure your XTAM and Confirm ID integration.

Requirements

Before you begin your integration, be sure you meet the following prerequisites:

  • A working XTAM deployment with the Federated Sign-In experience.
  • Access to your existing XTAM host server. You will need to update files and restart services.
  • Access to your Imprivata Admin portal to configure your authentication services.
  • If users are created and managed in Imprivata, then a matching user must also be created as an XTAM Local User.
  • If users are synced from Active Directory to Imprivata, then you must also integrate XTAM with the same Active Directory.
  • Users must already enroll their device prior to authenticating with XTAM. Device enrollment is not currently supported using XTAM.

Step 1: Begin the Imprivata Confirm ID Configuration

  1. Log in to your Imprivata Admin portal.
  2. Navigate to Applications > Remote access integrations.
  3. In the Add new integration section, locate the Other (RADIUS) option and click Add new integration.

     [Screenshot: Help-Imprivata-Confirm-ID1.png]

  4. On the Add new integration page, use the guidance below for the RADIUS client information form:
     1. Nickname – use any relevant value you choose. For example, XTAM.
     2. Host name or IP address – enter the host name or IP address of the XTAM host server.
     3. Encryption key – enter any alphanumeric value in this field; it will be used as the shared secret between Confirm ID and XTAM.

     [Screenshot: Help-Imprivata-Confirm-ID2.png]

  5. No other actions are required. Click the Save button to complete this configuration.

Step 2: Configuring XTAM for Confirm ID

  1. Log in to your XTAM host server and open the file $XTAM\web\conf\catalina.properties in a text editor.
  2. Locate the section that begins with # Radius, RSA Radius, SMSPasscode, etc. This section contains the following parameters:

     #cas.authn.mfa.globalProviderId=mfa-radius
     #cas.authn.mfa.radius.client.inetAddress=radius-server-host
     #cas.authn.mfa.radius.client.sharedSecret=secret
     #cas.authn.mfa.radius.client.authenticationPort=1812
     #cas.authn.mfa.radius.client.accountingPort=1813
     #cas.authn.mfa.radius.server.protocol=PAP
     #cas.authn.mfa.radius.name=name

  3. In the lines referenced above, make updates using your own values as explained here:
     1. cas.authn.mfa.radius.client.inetAddress=radius-server-host – Enter the host name or IP address of your Imprivata Confirm ID appliance. Uncomment this line (remove the # at the beginning).
     2. cas.authn.mfa.radius.client.sharedSecret=secret – Enter the same alphanumeric value that you entered as the Encryption key in your Confirm ID RADIUS configuration in the previous step. Uncomment this line (remove the # at the beginning).
     3. cas.authn.mfa.radius.client.authenticationPort=1812 – Uncomment this line (remove the # at the beginning). No other changes are required.
     4. cas.authn.mfa.radius.client.accountingPort=1813 – Uncomment this line (remove the # at the beginning). No other changes are required.
     5. cas.authn.mfa.radius.server.protocol=PAP – Uncomment this line (remove the # at the beginning). No other changes are required.
     6. cas.authn.mfa.radius.name=name – Do not uncomment this line. No changes are required.
  4. After you finish making the changes above, this section will look similar to this example:

    #cas.authn.mfa.globalProviderId=mfa-radius

    cas.authn.mfa.radius.client.inetAddress=10.157.65.87

    cas.authn.mfa.radius.client.sharedSecret=yourSharedSecretKeyGoesHere

    cas.authn.mfa.radius.client.authenticationPort=1812

    cas.authn.mfa.radius.client.accountingPort=1813

    cas.authn.mfa.radius.server.protocol=PAP

    #cas.authn.mfa.radius.name=name

Step 3: Configure RADIUS MFA Requirements in XTAM

XTAM can be configured to enforce RADIUS MFA in two ways: either all user logins require Imprivata ID, or only selected principals (users or groups) require Imprivata ID while others use a different MFA provider (such as Duo or TOTP) or no MFA at all.

To configure XTAM so that all logins require Imprivata ID:

  1. Log in to your XTAM host server and open the file $XTAM\web\conf\catalina.properties in a text editor.
  2. Search for xtam-mfa.groovy to locate the parameter shown below and uncomment it (remove the # at the beginning of the line). Note that the path defined in the parameter may differ depending on your XTAM host (Windows or Linux) and its installation directory.

     Before:

     #cas.authn.mfa.groovyScript=file:///C:/xtam/web/webapps/xtam/WEB-INF/mfa/xtam-mfa.groovy

     After:

     cas.authn.mfa.groovyScript=file:///C:/xtam/web/webapps/xtam/WEB-INF/mfa/xtam-mfa.groovy

  3. When finished, save and close the file.

  4. Restart the PamManagement (Windows) or pammanager (Linux) service.

  5. After the service comes back online, log in to XTAM with a System Administrator account and navigate to the Administration > MFA page.

  6. On this page, select Confirm ID as the default MFA provider for user authentication. Click the Add button, check the Default box and in the Provider dropdown select the option mfa-confirmid. Click Save to complete this configuration. Upon next login, all users not explicitly assigned another MFA provider (or none) will be required to use Confirm ID as their second factor authentication method.

In the example configuration in the screenshot below, the DEFAULT provider is set to mfa-confirmid, so all users will be required to use this provider as their second factor; however, since the user ‘xtamadmin’ is explicitly set to none as its provider, this account becomes the exception. Upon xtamadmin login, no second factor (none) will be required for authentication.

[Screenshot: ID-XTAM-MFA-Integration-Guide.png]

For more information about how to configure MFA on this page, please review our article Defining MFA per User or Group.

To configure XTAM so that individual logins may use Imprivata ID, TOTP, Duo or No MFA:

  1. Log in to your XTAM host server and open the file $XTAM\web\conf\catalina.properties in a text editor.
  2. Search for xtam-mfa.groovy to locate the parameter shown below and uncomment it (remove the # at the beginning of the line). Note that the path defined in the parameter may differ depending on your XTAM host (Windows or Linux) and its installation directory.

     Before:

     #cas.authn.mfa.groovyScript=file:///C:/xtam/web/webapps/xtam/WEB-INF/mfa/xtam-mfa.groovy

     After:

     cas.authn.mfa.groovyScript=file:///C:/xtam/web/webapps/xtam/WEB-INF/mfa/xtam-mfa.groovy

  3. When finished, save and close the file.
  4. Restart the PamManagement (Windows) or pammanager (Linux) service.
  5. After the service comes back online, log in to XTAM with a System Administrator account and navigate to the Administration > MFA page.
  6. On this page, configure your users and groups with the provider that should be required for second factor authentication. To use Confirm ID, click the Add button, select your principals and in the Provider dropdown select the option mfa-confirmid. Click Save to complete this configuration and repeat as necessary for other users or groups.

For more information about how to configure MFA on this page, please review our article Defining MFA per User or Group.
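To catch the two most common slips in Steps 2 and 3 (a line left commented out, or a line uncommented but still holding its shipped placeholder value), here is an added Python check that is not part of the XTAM or Imprivata documentation. It parses the key=value lines the guide tells you to edit; the expected end state (which keys must be active, which must stay commented) is taken from the guide, and the sample properties text it runs on is constructed to mirror the guide's example with one step missed.

```python
import re

# Lines the guide says must be active (uncommented) after Step 2 and Step 3.
REQUIRED_ACTIVE = {
    "cas.authn.mfa.radius.client.inetAddress",
    "cas.authn.mfa.radius.client.sharedSecret",
    "cas.authn.mfa.radius.client.authenticationPort",
    "cas.authn.mfa.radius.client.accountingPort",
    "cas.authn.mfa.radius.server.protocol",
    "cas.authn.mfa.groovyScript",
}
REQUIRED_COMMENTED = {"cas.authn.mfa.radius.name"}  # guide says: leave commented
PLACEHOLDERS = {"radius-server-host", "secret"}  # shipped defaults, never edited
LINE_RE = re.compile(r"^\s*(#?)\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")

def parse_properties(text):
    """Map each key to (is_commented, value); the last occurrence wins."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found[m.group(2)] = (m.group(1) == "#", m.group(3))
    return found

def check_mfa_config(text):
    """Return a list of problems; an empty list means the section matches the guide."""
    props = parse_properties(text)
    problems = []
    for key in sorted(REQUIRED_ACTIVE):
        if key not in props:
            problems.append(f"{key}: missing")
        elif props[key][0]:
            problems.append(f"{key}: still commented out")
        elif props[key][1] in PLACEHOLDERS or not props[key][1]:
            problems.append(f"{key}: placeholder value not replaced")
    for key in REQUIRED_COMMENTED:
        if key in props and not props[key][0]:
            problems.append(f"{key}: must remain commented out")
    return problems

# Constructed sample: Step 2 done, but the Step 3 groovyScript line is still commented.
SAMPLE = """\
cas.authn.mfa.radius.client.inetAddress=10.157.65.87
cas.authn.mfa.radius.client.sharedSecret=yourSharedSecretKeyGoesHere
cas.authn.mfa.radius.client.authenticationPort=1812
cas.authn.mfa.radius.client.accountingPort=1813
cas.authn.mfa.radius.server.protocol=PAP
#cas.authn.mfa.radius.name=name
#cas.authn.mfa.groovyScript=file:///C:/xtam/web/webapps/xtam/WEB-INF/mfa/xtam-mfa.groovy
"""
```

Run it against the real file with `check_mfa_config(open(path).read())`; an empty list means the section matches the guide.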

Step 4: Test your Login Integration

  1. Navigate to the XTAM login page.
  2. Enter the login credentials (Username and Password) of an account configured with the Confirm ID provider in the previous step. Click the Login button.
  3. After the credentials (first factor) are authenticated, you will be prompted for your second factor on the next page. In the field, you may enter the current Token Code as displayed in the Imprivata ID application on your enrolled device, or you may enter the word push to receive a push notification on your enrolled device.

     [Screenshot: Help-Imprivata-Confirm-ID3.png]

  4. When either the token or push has been entered into the field, click the LOGIN button to continue. If a valid token was entered, the account will successfully log in to XTAM. If the push option was used, you will receive a push notification on your enrolled device; click Approve and the account will successfully log in to XTAM.