Integration with Imprivata OneSign

Configuration for PAM and Imprivata OneSign to provide SAML based authentication

PAM supports integration with Imprivata OneSign using SAML protocol to defer user authentication to OneSign.

The following guide describes how to configure your PAM and OneSign integration.

Requirements

Before you begin your integration, be sure you meet the following pre-requisites:

  • A working PAM deployment with the Federated Sign-In experience.
  • Access to your existing PAM host server. You will need to update files and restart services.
  • Access to your OneSign portal to configure your authentication services.
  • If Users are created and managed in OneSign, then a matching user must also be created as an PAM Local User.
  • If Users are synced from Active Directory to OneSign, then you must also integrate PAM with the same Active Directory.

  • OneSign must be provisioned with the Imprivata Cloud service before the integration can be performed.

Step 1: Begin the Imprivata OneSign Configuration

  1. Login to your Imprivata OneSign Admin portal.
  2. Navigate to Applications > Single sign-on application profiles.
  3. Click on the Add App Profile dropdown and select the Application using SAML option.
    4. OneSignApplicationSAML.png

    If you are presented with a message that this application requires a secure connection to the Imprivata Cloud, then OneSign has not yet been provisioned with this service. Please consult your OneSign documentation or support engineer for assistance with this required step before continuing.

  4. Populate the Add application using SAML page using the guidance below:

    1. Application profile name and Application user-friendly name – use any relevant value you choose. For example, PAM.

    2. In the Service provider (SP) metadata section, assign the following selections:

      1. NameID format preference:Unspecified

      2. Returned Attribute:

        1. Select User login name – Pre W2K (sAMAccountName) if PAM is configured to authenticate using sAMAccountName. This is the default configuration in PAM.

        2. Select User login name (userPrincipalName) if PAM is configured to authenticate using UPN.

          Help-Imprivata-OneSign2.png

        3. In the Identity provider (IdP) metadata section, click to open the link named View and copy Imprivata (IdP) SAML metadata. When the link opens, locate and copy the URL displayed under the Metadata URL label. You will use this URL in the PAM configuration described in the next section of this guide.

          4. Help-Imprivata-OneSign3.png

  5. You may close this dialog, but do not logout of the Admin console yet. We will return to complete this configuration later in the guide.

Step 2: Configuring PAM for OneSign

  1. Login to your PAM host server and open the file $PAM_HOME\web\conf\catalina.properties in a text editor.
  2. Locate the section that is labelled # CAS and add the following new lines:

    3. # Imprivata OneSign SSO SAML

    cas.authn.pac4j.saml[0].clientName=OneSign Login

    cas.authn.pac4j.saml[0].keystorePassword=password

    cas.authn.pac4j.saml[0].privateKeyPassword=password

    cas.authn.pac4j.saml[0].serviceProviderEntityId=https://xtam.company.com/xtam/

    cas.authn.pac4j.saml[0].serviceProviderMetadataPath=imprivatasso.xml

    cas.authn.pac4j.saml[0].keystorePath=samlKeystoreImprivataSSO.jks

    cas.authn.pac4j.saml[0].identityProviderMetadataPath=path

    cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=2073600

  3. In the lines referenced above, the placeholders need to be updated using your own values as explained here:

    1. cas.authn.pac4j.saml[0].keystorePassword=password - Create an alphanumeric password. Any value you want to enter.

    2. cas.authn.pac4j.saml[0].privateKeyPassword=password - Create an alphanumeric password. Any value you want to enter.

    3. cas.authn.pac4j.saml[0].serviceProviderEntityId=https://xtam.company.com/xtam/ - Replace this placeholder URL with your full https PAM login page URL ending with /xtam/

    4. cas.authn.pac4j.saml[0].serviceProviderMetadataPath=imprivatasso.xml - The full path and file name of the imprivatasso.xml file that will be created after an PAM service restart later in this guide. For example, C:/pam/content/keys/imprivatasso.xml (use forward slashes not backslashes). This file will be uploaded to your Imprivata SAML application later in this guide.

    5. cas.authn.pac4j.saml[0].keystorePath=samlKeystoreImprivataSSO.jks - Define a path and name for the PAM auto-generated key. For example, C:/pam/content/keys/samlKeystoreImprivataSSO.jks (use forward slashes not backslashes).

    6. cas.authn.pac4j.saml[0].identityProviderMetadataPath=path - Enter the full URL copied from the Metadata URL section of your Imprivata SAML configuration. For example, https://idp.cloud.imprivata.com/{yourTenantID}/saml2.

  4. When finished, save and close this file.

  5. Restart the PamManagement (Windows) or pammanager (Linux) service.

  6. When the service is fully restarted, open your browser and navigate to the PAM login page. You should see a new red button with the OneSign Login label.

    Help-Imprivata-OneSign4.png

Step 3: Complete the OneSign Configuration

  1. Return to the Add application using SAML page in your Imprivata Admin portal.
  2. In the section Service provider (SP) metadata click the button labelled Get SAML metadata.
    3. Help-Imprivata-OneSign5.png
  3. On this Get SAML metadata dialog, select the From XML option and click the Browse… button.
  4. Browse to and select using the Open button, the imprivatasso.xml file that was created in the location defined in this previous PAM configuration parameter: cas.authn.pac4j.saml[0].serviceProviderMetadataPath={imprivatasso.xml}. For example, C:/pam/content/keys/imprivatasso.xml
  5. After the file is selected, click the OK button to complete.
    6. Help-Imprivata-OneSign6.png

  6. Imprivata will process the .xml file and display the relevant information in the Service provider (SP) metadata section. Please review the metadata and confirm it is accurate.

  7. When satisfied, click the Save button to complete the creation of this new application profile.

  8. Finally, you need to Deploy this application and configure users. Click on the Not Deployed link next to your new application. On the Deploy application: PAM page:

    1. Check the Deploy This Application checkbox

    2. Check the Deploy to All User and Groups checkbox or use the other options available to deploy to specific domains, OUs, groups or users.

    3. Click Save to complete the application deployment

      Help-Imprivata-OneSign7.png

  9. Your new application will now be listed with the Deployment Status Deployed.

    Help-Imprivata-OneSign8.png

Step 4: Test your Login Integration

  1. Return back to the PAM login page and click the red OneSign Login button.
  2. You will be directed to the Imprivata login page. Enter credentials that are both valid in Imprivata for the PAM deployed application and valid with PAM. Click the Log in button to continue.
    3. Help-Imprivata-OneSign9.png
  3. (Optional) If Imprivata ID is available for your account, it may ask to authenticate with your Imprivata ID or you may be asked to enroll your device if you have not done so previously. Continue with Imprivata ID if required or choose the Not now option to do enrollment at a later date.
    4. Help-Imprivata-OneSign10.png
  4. After the SAML authentication is successful, your browser will redirect back into PAM. You have now successfully authenticated into PAM using Imprivata OneSign.