Integration with Imprivata OneSign

Configuration for XTAM and Imprivata OneSign to provide SAML based authentication

XTAM supports integration with Imprivata OneSign using the SAML protocol to defer user authentication to OneSign.

The following guide describes how to configure your XTAM and OneSign integration.

Requirements

Before you begin your integration, be sure you meet the following prerequisites:

  • A working XTAM deployment with the Federated Sign-In experience.
  • Access to your existing XTAM host server. You will need to update files and restart services.
  • Access to your OneSign portal to configure your authentication services.
  • If users are created and managed in OneSign, then a matching user must also be created as an XTAM Local User.
  • If users are synced from Active Directory to OneSign, then you must also integrate XTAM with the same Active Directory.
  • OneSign must be provisioned with the Imprivata Cloud service before the integration can be performed.

Step 1: Begin the Imprivata OneSign Configuration

  1. Login to your Imprivata OneSign Admin portal.
  2. Navigate to Applications > Single sign-on application profiles.
  3. Click on the Add App Profile dropdown and select the Web application using SAML option.

    [Screenshot: Help-Imprivata-OneSign1.png]

    If you are presented with a message that this application requires a secure connection to the Imprivata Cloud, then OneSign has not yet been provisioned with this service. Please consult your OneSign documentation or support engineer for assistance with this required step before continuing.

  4. Populate the Add application using SAML page using the guidance below:

    1. Application profile name and Application user-friendly name – use any relevant value you choose. For example, XTAM.

    2. In the Service provider (SP) metadata section, assign the following selections:

      1. NameID format preference: Unspecified

      2. Returned Attribute:

        1. Select User login name – Pre W2K (sAMAccountName) if XTAM is configured to authenticate using sAMAccountName. This is the default configuration in XTAM.

        2. Select User login name (userPrincipalName) if XTAM is configured to authenticate using UPN.

          [Screenshot: Help-Imprivata-OneSign2.png]

    3. In the Identity provider (IdP) metadata section, click to open the link named View and copy Imprivata (IdP) SAML metadata. When the link opens, locate and copy the URL displayed under the Metadata URL label. You will use this URL in the XTAM configuration described in the next section of this guide.

      [Screenshot: Help-Imprivata-OneSign3.png]

  5. You may close this dialog, but do not logout of the Admin console yet. We will return to complete this configuration later in the guide.

Step 2: Configuring XTAM for OneSign

  1. Login to your XTAM host server and open the file $XTAM\web\conf\catalina.properties in a text editor.
  2. Locate the section that is labelled # CAS and add the following new lines:

    # Imprivata OneSign SSO SAML
    cas.authn.pac4j.saml[0].clientName=OneSign Login
    cas.authn.pac4j.saml[0].keystorePassword={password}
    cas.authn.pac4j.saml[0].privateKeyPassword={password}
    cas.authn.pac4j.saml[0].serviceProviderEntityId=https://xtam.company.com/xtam/
    cas.authn.pac4j.saml[0].serviceProviderMetadataPath={imprivatasso.xml}
    cas.authn.pac4j.saml[0].keystorePath={samlKeystoreImprivataSSO.jks}
    cas.authn.pac4j.saml[0].identityProviderMetadataPath={path}
    cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=2073600

  3. In the lines referenced above, the {placeholders} need to be updated using your own values as explained here:

    1. cas.authn.pac4j.saml[0].keystorePassword={password} - Create an alphanumeric password. Any value you want to enter.

    2. cas.authn.pac4j.saml[0].privateKeyPassword={password} - Create an alphanumeric password. Any value you want to enter.

    3. cas.authn.pac4j.saml[0].serviceProviderEntityId=https://xtam.company.com/xtam/ - Replace this placeholder URL with your full https XTAM login page URL ending with /xtam/.

    4. cas.authn.pac4j.saml[0].serviceProviderMetadataPath={imprivatasso.xml} - The full path and file name of the imprivatasso.xml file that will be created after an XTAM service restart later in this guide. For example, C:/xtam/content/keys/imprivatasso.xml (use forward slashes, not backslashes). This file will be uploaded to your Imprivata SAML application later in this guide.

    5. cas.authn.pac4j.saml[0].keystorePath={samlKeystoreImprivataSSO.jks} - Define a path and name for the XTAM auto-generated key. For example, C:/xtam/content/keys/samlKeystoreImprivataSSO.jks (use forward slashes, not backslashes).

    6. cas.authn.pac4j.saml[0].identityProviderMetadataPath={path} - Enter the full URL copied from the Metadata URL section of your Imprivata SAML configuration. For example, https://idp.cloud.imprivata.com/{yourTenantID}/saml2.

  4. When finished, save and close this file.

  5. Restart the PamManagement (Windows) or pammanager (Linux) service.

  6. When the service is fully restarted, open your browser and navigate to the XTAM login page. You should see a new red button with the OneSign Login label.

    [Screenshot: Help-Imprivata-OneSign4.png]
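As an added sanity check (example code, not part of the XTAM or Imprivata documentation), the Python below parses the cas.authn.pac4j.saml[0] lines from catalina.properties and flags the mistakes this step warns about: placeholders left in braces, an entity ID that is not https or does not end in /xtam/, backslashes in the file paths, and a non-https Metadata URL. It also confirms that the imprivatasso.xml XTAM writes advertises the same entity ID before it is uploaded to Imprivata. The sample properties and metadata are constructed, with the tenant ID deliberately left as a placeholder.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PREFIX = "cas.authn.pac4j.saml[0]."
# Constructed sample: the guide's lines with placeholders filled in, except the
# tenant ID inside the IdP Metadata URL, which the check should flag.
SAMPLE_PROPS = """\
# Imprivata OneSign SSO SAML
cas.authn.pac4j.saml[0].clientName=OneSign Login
cas.authn.pac4j.saml[0].keystorePassword=Xk7pQ2mZ
cas.authn.pac4j.saml[0].privateKeyPassword=Rt9vB4nL
cas.authn.pac4j.saml[0].serviceProviderEntityId=https://xtam.company.com/xtam/
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=C:/xtam/content/keys/imprivatasso.xml
cas.authn.pac4j.saml[0].keystorePath=C:/xtam/content/keys/samlKeystoreImprivataSSO.jks
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://idp.cloud.imprivata.com/{yourTenantID}/saml2
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=2073600
"""
# Constructed minimal SP metadata, shaped like the imprivatasso.xml XTAM writes.
SAMPLE_METADATA = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
                   'entityID="https://xtam.company.com/xtam/"/>')

def parse_saml_props(text):
    """Map each cas.authn.pac4j.saml[0].* key (prefix stripped) to its value."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")  # comments and blanks have no "="
        if sep and key.startswith(PREFIX):
            props[key[len(PREFIX):]] = value.strip()
    return props

def check_saml_props(props):
    """Return the problems found; an empty list means the block follows the guide."""
    problems = []
    for key, value in props.items():
        if (hit := re.search(r"\{[^}]*\}", value)):
            problems.append(f"{key}: placeholder {hit.group()} not replaced")
    eid = props.get("serviceProviderEntityId", "")
    if urlparse(eid).scheme != "https" or not eid.endswith("/xtam/"):
        problems.append("serviceProviderEntityId: must be an https URL ending in /xtam/")
    for key in ("serviceProviderMetadataPath", "keystorePath"):
        if "\\" in props.get(key, ""):
            problems.append(f"{key}: use forward slashes, not backslashes")
    if urlparse(props.get("identityProviderMetadataPath", "")).scheme != "https":
        problems.append("identityProviderMetadataPath: must be the https Metadata URL")
    return problems

def metadata_matches_config(xml_text, props):
    """True when the generated SP metadata advertises the configured entity ID."""
    return ET.fromstring(xml_text).get("entityID") == props.get("serviceProviderEntityId")
```

Run check_saml_props(parse_saml_props(open(path).read())) against your real catalina.properties; an empty list means the block is ready for the service restart.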

Step 3: Complete the OneSign Configuration

  1. Return to the Add application using SAML page in your Imprivata Admin portal.
  2. In the section Service provider (SP) metadata click the button labelled Get SAML metadata.

    [Screenshot: Help-Imprivata-OneSign5.png]

  3. On this Get SAML metadata dialog, select the From XML option and click the Browse… button.
  4. Browse to the imprivatasso.xml file that was created in the location defined by the XTAM configuration parameter cas.authn.pac4j.saml[0].serviceProviderMetadataPath={imprivatasso.xml} (for example, C:/xtam/content/keys/imprivatasso.xml) and select it using the Open button.
  5. After the file is selected, click the OK button to complete.

    [Screenshot: Help-Imprivata-OneSign6.png]

  6. Imprivata will process the XML file and display the relevant information in the Service provider (SP) metadata section. Please review the metadata and confirm it is accurate.

  7. When satisfied, click the Save button to complete the creation of this new application profile.

  8. Finally, you need to Deploy this application and configure users. Click on the Not Deployed link next to your new application. On the Deploy application: XTAM page:

    1. Check the Deploy This Application checkbox.

    2. Check the Deploy to All User and Groups checkbox or use the other options available to deploy to specific domains, OUs, groups or users.

    3. Click Save to complete the application deployment.

      [Screenshot: Help-Imprivata-OneSign7.png]

  9. Your new application will now be listed with the Deployment Status Deployed.

    [Screenshot: Help-Imprivata-OneSign8.png]

Step 4: Test your Login Integration

  1. Return to the XTAM login page and click the red OneSign Login button.
  2. You will be directed to the Imprivata login page. Enter credentials that are both valid in Imprivata for the XTAM deployed application and valid with XTAM. Click the Log in button to continue.

    [Screenshot: Help-Imprivata-OneSign9.png]

  3. (Optional) If Imprivata ID is available for your account, it may ask you to authenticate with your Imprivata ID, or you may be asked to enroll your device if you have not done so previously. Continue with Imprivata ID if required or choose the Not now option to do enrollment at a later date.

    [Screenshot: Help-Imprivata-OneSign10.png]

  4. After the SAML authentication is successful, your browser will redirect back into XTAM. You have now successfully authenticated into XTAM using Imprivata OneSign.