Use ChromeOS devices with Imprivata OneSign

4. (Optional) Configure additional features

For managed ChromeOS devices.

These optional configurations do not apply to all environments. Make them only if you intend to use the relevant features.


FUS at the application level for shared managed guest sessions (shared devices)

Fast User Switching (FUS) at the application level keeps electronic health records (EHRs) connected across users. Here, the user switch happens inside the EHR application itself.

Requirements

  • Workstation configured as shared managed guest session
  • EHR supports in-app user switching

Set up

Make sure the virtualized EHR app is set to automatically launch at the start of a managed guest session with a generic user account. For details, see V-Launcher deployment guide.

Read Imprivata's documentation about Fast User Switching.

PC/SC proximity card readers

The following PC/SC readers require the Smart Card Connector app to be installed and configured:

  • IMP-MFR-75
  • IMP-MFR-75A
  • HID OMNIKEY 5022
  • HID OMNIKEY 5023
  • HID OMNIKEY 5025 CL
  • HID OMNIKEY 5427 CK
  • HID OMNIKEY 5422

Before you begin

Create a JSON file using this template and fill in your extension IDs as force_allowed_client_app_ids.

Step 1: Install the app on the sign-in screen

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Devices > Chrome > Settings > Device settings.
  3. Under Sign-in settings, follow the link to the login screen apps page.
  4. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. In the list of apps and extensions, find Smart Card Connector.
  6. Under Installation policy, select Installed.
  7. In the panel on the right, under Policy for extensions:
    1. Click Upload.
    2. Select the JSON file that you already created.
    3. Click Open.
  8. Click Save.

Step 2: Install the app for managed guest sessions

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Devices > Chrome > Apps & extensions > Managed guest sessions.
  3. Click Add > Add Chrome app or extension by ID.
  4. Enter the Smart Card Connector app ID, khpfeaanjngmcnplbdlpegiifgpfgdco.
  5. Select From the Chrome Web Store.
  6. Click Save.
  7. In the list of apps and extensions, find Smart Card Connector.
  8. Under Installation policy, select Force install.
  9. In the panel on the right, under Policy for extensions:
    1. Click Upload.
    2. Select the JSON file that you already created.
    3. Click Open.
  10. Click Save.

Imprivata Web SSO support for shared and isolated managed guest sessions (shared devices)

Imprivata Web SSO allows for a seamless authentication to SAML-based web services in the built-in Chrome browser on ChromeOS devices.

You can use Imprivata Web SSO for shared and isolated managed guest sessions on ChromeOS devices to provide an SSO experience to web services for your users.

Note: User sessions support Web SSO by default. So, there is no need to configure Web SSO for user sessions.

Set up Web SSO for managed guest sessions

Step 1: Set up Google Workspace as Service Provider (SP)

In the Imprivata admin console:

  1. Go to Web app login configuration > View and copy Imprivata (IdP) SAML metadata. The Imprivata IdP (Identity Provider) Metadata window opens.
  2. Copy Imprivata's IdP metadata: Entity ID, SSO (Sign-in page URL), and SLO (Sign-out page URL).
  3. Download the Imprivata IdP certificate. Google uses this certificate to verify the signatures on Imprivata's SAML responses.

In your Google Admin console:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Security > Authentication > SSO with third party IdP.
  3. Click Add SAML Profile.
  4. Enter a name for the profile.
  5. Fill in Imprivata's information that you already obtained from the Imprivata admin console—IDP entity ID, Sign-in page URL, and Sign-out page URL.
  6. Enter a change password URL. Users will go to this URL, rather than the Google change password page, to reset their passwords.
  7. Click Upload certificate, then locate and upload your Imprivata IdP certificate file.
  8. Click Save.
  9. In the SP Details section, copy and save the Entity ID and ACS URL of your newly created SAML SSO Profile.
  10. Under Manage SSO profile assignments, assign your newly created SAML SSO profile to the organizational unit that you created for Imprivata user sessions.
  11. Save your changes.

Step 2: Set up Imprivata as Identity Provider

Note: Imprivata only accepts the SP information as XML metadata. Google Workspace does not offer a download of the SP metadata as XML, so you need to build it manually.

  1. Using the Entity ID and ACS URL that you just copied, manually build the XML metadata. See this sample XML metadata.
  2. In the Imprivata admin console, go to Applications > Single sign-on application profiles > Web Application using SAML.
  3. Under Get SAML metadata:
    1. Select From XML.
    2. Upload the XML file that you downloaded or created.
  4. Save the changes.
  5. You'll be redirected to the OneSign single sign-on application profiles page where you will see the newly created SAML App Profile. Under Deployment status, it should show as Not Deployed.
  6. Click Not Deployed.
  7. Check the Deploy This Application? box.
  8. Choose who you want to deploy the app to.
  9. Click Save.
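The SP metadata that step 1 above asks you to build by hand can be generated and checked with a short script. The following Python is an added example, not code from this page or from Google or Imprivata: it writes an md:EntityDescriptor for the Google SAML SSO profile from its Entity ID and ACS URL, refuses a non-HTTPS ACS URL, and parses the result back so you can confirm the values before uploading the file to Imprivata. The Entity ID and ACS URL it uses are placeholders, and the AuthnRequestsSigned, WantAssertionsSigned and NameID format settings are assumptions to confirm against your Imprivata SAML profile.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

ET.register_namespace("md", MD_NS)


def _md(tag: str) -> str:
    """Qualify a tag name with the SAML metadata namespace."""
    return f"{{{MD_NS}}}{tag}"


def build_sp_metadata(entity_id: str, acs_url: str) -> bytes:
    """Build SP metadata XML from the Entity ID and ACS URL shown under
    SP Details for the SAML SSO profile in the Google Admin console.

    A non-HTTPS ACS URL is rejected: the IdP posts the signed assertion
    to that location, so it must not be downgradeable.
    """
    if not acs_url.startswith("https://"):
        raise ValueError(f"ACS URL must use https://, got {acs_url!r}")
    root = ET.Element(_md("EntityDescriptor"), {"entityID": entity_id})
    sp = ET.SubElement(root, _md("SPSSODescriptor"), {
        # Assumed settings: the SP does not sign AuthnRequests and the IdP
        # must sign assertions. Adjust if your Imprivata profile differs.
        "AuthnRequestsSigned": "false",
        "WantAssertionsSigned": "true",
        "protocolSupportEnumeration": SAML2_PROTOCOL,
    })
    # Google identifies the user by the email address carried in NameID.
    ET.SubElement(sp, _md("NameIDFormat")).text = NAMEID_EMAIL
    ET.SubElement(sp, _md("AssertionConsumerService"), {
        "Binding": HTTP_POST_BINDING,
        "Location": acs_url,
        "index": "0",
        "isDefault": "true",
    })
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def read_sp_metadata(xml_bytes: bytes) -> dict:
    """Parse metadata back and return the fields Imprivata will consume,
    so the file can be checked before it is uploaded."""
    root = ET.fromstring(xml_bytes)
    if root.tag != _md("EntityDescriptor"):
        raise ValueError("root element is not md:EntityDescriptor")
    acs = root.find(f"./{_md('SPSSODescriptor')}/{_md('AssertionConsumerService')}")
    if acs is None:
        raise ValueError("no AssertionConsumerService element")
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "binding": acs.get("Binding"),
    }


if __name__ == "__main__":
    # Placeholder values (hypothetical); paste the real Entity ID and ACS URL
    # copied from the SP Details section of your SAML SSO profile.
    xml_bytes = build_sp_metadata(
        "https://sp.example.test/saml/entity",
        "https://sp.example.test/saml/acs",
    )
    with open("google-sp-metadata.xml", "wb") as f:
        f.write(xml_bytes)
    print(read_sp_metadata(xml_bytes))
```

Upload the resulting file under Get SAML metadata > From XML in step 3. The read-back check matters because Imprivata will post assertions to whatever ACS URL the metadata names; a typo there sends signed assertions to the wrong endpoint rather than failing loudly.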

(Optional) ADFS redirection

Enterprises with a mix of clinical workstations that use Imprivata Web SSO and non-clinical workstations that authenticate through the default AD FS login workflow can configure seamless access by following the Microsoft Active Directory Federation Services: Imprivata Web SSO Setup instructions and setting the adfsLoginPagesAllowlist extension policy.

SPINE support (UK)

Imprivata Spine support requires in-session access to smartcards. The following configuration ensures that the Smart Card Connector app supports the Spine workflows.

Note: The use of smartcards on the login screen for user authentication is not supported. We recommend badge-based authentication instead.

First, in the Imprivata admin console:

  1. On the User policies settings page, set up Two-Factor Authentication.
  2. Configure the persistence of the Spine Combined Workflow sessions.
  3. See the NHS Spine Support for Imprivata ProveID Embedded documentation provided by Imprivata. You need access to the Imprivata partner portal.

Then, in your Google Admin console:

  1. Install the Smart Card Connector app. Follow the steps in PC/SC proximity card readers.
  2. Using a text editor, in your JSON file, fill in your extension IDs as scard_disconnect_fallback_client_app_ids.

Sample code that you'll add:

{
   "scard_disconnect_fallback_client_app_ids": {
      "Value": [
         "CITRIX_EXTENSION_ID",
         "VMWARE_EXTENSION_ID"
      ]
   }
}
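The two Smart Card Connector policy keys on this page (force_allowed_client_app_ids under PC/SC proximity card readers, and scard_disconnect_fallback_client_app_ids above) share one file format, and a mistyped or unreplaced extension ID will not match the client extension it was meant to allow. The following Python is an added example, not code from this page, Google or Imprivata: it builds the policy in Chrome's {"key": {"Value": ...}} shape, rejects anything that is not a well-formed Chrome extension ID (32 characters, a through p), and lints an existing policy file before you upload it. The client extension IDs it uses are placeholders (hypothetical).

```python
import json
import re

# A Chrome extension ID is 32 characters in the range a-p (the SHA-256 of the
# extension's public key, re-encoded with letters instead of hex digits).
EXTENSION_ID_RE = re.compile(r"[a-p]{32}")

# Policy keys that Smart Card Connector reads from its extension policy.
FORCE_ALLOWED_KEY = "force_allowed_client_app_ids"
DISCONNECT_FALLBACK_KEY = "scard_disconnect_fallback_client_app_ids"
ID_LIST_KEYS = {FORCE_ALLOWED_KEY, DISCONNECT_FALLBACK_KEY}


def validate_extension_id(ext_id) -> str:
    """Raise ValueError unless ext_id has the shape of a real extension ID.

    Catches unreplaced placeholders such as CITRIX_EXTENSION_ID as well as
    IDs pasted with a trailing space or a stray hex character.
    """
    if not isinstance(ext_id, str) or not EXTENSION_ID_RE.fullmatch(ext_id):
        raise ValueError(f"not a Chrome extension ID: {ext_id!r}")
    return ext_id


def build_policy(force_allowed, disconnect_fallback=()) -> dict:
    """Return the policy as a dict in Chrome's {"key": {"Value": ...}} shape.

    Duplicates are dropped while order is kept, and every ID is validated.
    The Spine fallback key is only emitted when IDs are given for it.
    """
    policy = {
        FORCE_ALLOWED_KEY: {
            "Value": [validate_extension_id(i) for i in dict.fromkeys(force_allowed)]
        }
    }
    if disconnect_fallback:
        policy[DISCONNECT_FALLBACK_KEY] = {
            "Value": [validate_extension_id(i) for i in dict.fromkeys(disconnect_fallback)]
        }
    return policy


def policy_to_json(policy: dict) -> str:
    """Serialize in the indented form the Admin console upload expects."""
    return json.dumps(policy, indent=2)


def check_policy_text(text: str) -> list:
    """Lint a policy file before upload; return the problems found (empty = OK)."""
    problems = []
    try:
        data = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"invalid JSON: {e}"]
    if not isinstance(data, dict):
        return ["top level must be a JSON object"]
    for key, entry in data.items():
        # Every Chrome extension policy entry is an object with a "Value" member.
        if not isinstance(entry, dict) or "Value" not in entry:
            problems.append(f'{key}: must be an object with a "Value" member')
            continue
        if key not in ID_LIST_KEYS:
            continue
        ids = entry["Value"]
        if not isinstance(ids, list):
            problems.append(f'{key}: "Value" must be a list of extension IDs')
            continue
        for ext_id in ids:
            try:
                validate_extension_id(ext_id)
            except ValueError as e:
                problems.append(f"{key}: {e}")
    return problems


if __name__ == "__main__":
    # Placeholder client IDs (hypothetical); use the IDs of the Citrix, VMware
    # or Imprivata extensions deployed in your managed guest sessions.
    citrix_id = "abcdefghijklmnopabcdefghijklmnop"
    vmware_id = "ponmlkjihgfedcbaponmlkjihgfedcba"
    policy = build_policy([citrix_id, vmware_id], disconnect_fallback=[citrix_id, vmware_id])
    text = policy_to_json(policy)
    assert check_policy_text(text) == [], check_policy_text(text)
    with open("smart-card-connector-policy.json", "w") as f:
        f.write(text)
```

Run check_policy_text over the file you are about to upload at either of the two upload steps (sign-in screen and managed guest sessions); it will flag the template's CITRIX_EXTENSION_ID and VMWARE_EXTENSION_ID placeholders if they were left in place.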

Pin ChromeOS version

To help increase stability, you can pin your ChromeOS version and prevent auto-updates. Because pinning also holds back security fixes, we recommend pinning to the latest ChromeOS version after you verify it on a smaller test set.

Read Pin ChromeOS updates to a specific version.

Pin Citrix/VMware version

To help increase stability, you can pin apps and extensions, including the Citrix or VMware client apps, to a specific version and prevent auto-updates. Because pinning also holds back security fixes, we still recommend pinning to the latest extension version after you verify it on a smaller test set.

To pin an extension to a specific version:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Devices > Chrome > Apps & extensions > Managed guest sessions.
  3. Select the app or extension that you want to pin.
  4. Under Version pinning, select the version you want to pin to.
  5. Click Save.

Use ChromeOS Imprivata integration version 4

If your organization is not yet ready to switch to the bundled ChromeOS Imprivata extension, you can use the Imprivata version 4 in-session extension instead.

  1. Set up the default configuration for shared managed guest sessions, described in Set mandatory policies.
  2. (Optional) Switch to isolated managed guest sessions or user sessions, described in Switch integration type.
  3. Follow these steps to switch back to using the Imprivata version 4 in-session extension.

Step 1: Configure Imprivata extensions

Sign-in screen extension

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Devices > Chrome > Settings > Device settings.
  3. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  4. Go to Imprivata.
  5. Click Imprivata login screen integration.
  6. For Imprivata login screen version, select Pinned to v4.
  7. Click Save.
  8. (Optional) In your JSON file, if you set agentType as sharedKiosk, configure Imprivata settings:
    1. Click Shared kiosk mode.
    2. Select Enable shared kiosk mode.
    3. Click Save.
    4. Click Shared apps & extensions.
    5. Enter the extension IDs of apps & extensions that should not be cleared and re-launched between users.
      • Important: Be sure to include the Imprivata version 4 in-session extension ID, pllbepacblmgialkkpcceohmjakafnbb, and the extension IDs, such as Citrix or VMware, that you provided in your extension policy file.
      • Add your VDI extension IDs here only if those extensions must survive a user switch. If users launch resources manually, leave the VDI extensions off the list so that their sessions are cleaned up between users.
    6. Click Save.

In-session extension

  1. In the Admin console, go to Menu > Devices > Chrome > Apps & extensions > Managed guest sessions.

  2. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  3. Add in-session extension:
    1. Click Add > Add Chrome app or extension by ID.
    2. Enter the in-session extension ID, pllbepacblmgialkkpcceohmjakafnbb.
    3. Select From a custom URL.
    4. Enter the URL, with no spaces:
      https://storage.googleapis.com/chromeos-mgmt-public-extension/imprivata/v4/update_manifest.xml
    5. Click Save.
  4. Configure in-session extension:
    1. In the list of apps and extensions, find the Imprivata (in-session) extension, pllbepacblmgialkkpcceohmjakafnbb, that you added.
    2. Under Installation policy, select Force install.
    3. Click the Imprivata (in-session) extension, pllbepacblmgialkkpcceohmjakafnbb. The options panel opens.
    4. Under Certificate management, next to Allow access to keys, click Turn on.
    5. Click Save.

Note: The in-session extension does not require an extension policy file.

Step 2: (Optional) Configure Citrix Workspace

If you installed and configured Citrix Workspace, described in Set mandatory policies, follow these steps:

  1. In the Admin console, go to Menu > Devices > Chrome > Apps & extensions > Managed guest sessions.
  2. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  3. Configure Citrix Workspace:
    1. In the list of apps and extensions, find Citrix Workspace.
    2. Under Installation policy, select Force install.
    3. Click Citrix Workspace. The options panel opens.
    4. Under Policy for extensions, edit or upload the extension policy using valid JSON format. Here is an example JSON file that allows the Imprivata extension to communicate with the Citrix Workspace app.
      For configuration options, such as fullscreen mode, see the Citrix product documentation.
    5. Click Save.

Step 3: (Optional) Configure user session settings

If your preferred integration type is user session, you’ll need to configure WebUSB API allowed devices.

  1. In the Admin console, go to Menu > Devices > Chrome > Settings > Device settings.
  2. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  3. Go to Hardware.
  4. Click WebUSB API allowed devices.
  5. Enter the URL and PID/VID:
    • URL: chrome-extension://pllbepacblmgialkkpcceohmjakafnbb
    • VID:PID:
      0C27:3BFA
      0C27:3B1E
  6. Click Save.

Step 4: (Optional) Configure Smart Card Connector app

If your organization uses PC/SC readers that require the Smart Card Connector app to be installed and configured, you’ll need to edit the JSON file that you previously created. Read about setting up PC/SC proximity card readers.

Step a: Create JSON file

Create a JSON file using this template and fill in your extension IDs as force_allowed_client_app_ids.

Step b: Configure the app on the sign-in screen

  1. In the Admin console, go to Menu > Devices > Chrome > Settings > Device settings.
  2. Under Sign-in settings, follow the link to the login screen apps page.
  3. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  4. In the list of apps and extensions, find and click Smart Card Connector.
  5. In the panel that opens on the right, under Policy for extensions:
    1. Click Upload.
    2. Select the JSON file that you just created.
    3. Click Open.
  6. Click Save.

Step c: Configure the app for managed guest sessions

  1. In the Admin console, go to Menu > Devices > Chrome > Apps & extensions > Managed guest sessions.
  2. In the list of apps and extensions, find and click Smart Card Connector, khpfeaanjngmcnplbdlpegiifgpfgdco.
  3. In the panel that opens on the right, under Policy for extensions:
    • Click Upload.
    • Select the JSON file that you just created.
    • Click Open.
  4. Click Save.

Deactivate metrics reporting

By default, the Imprivata extensions report non-PII metrics to Google to help diagnose errors and analyze performance. Metrics do not contain user identification data; devices are identified by randomly generated unique identifiers. Google retains the data for 14 months.

These are some samples of metrics we collect to help us analyze and improve the Imprivata integration on ChromeOS:

Occurring errors

  • Unhandled exceptions
  • VDI launch failures
  • Failed web API requests, such as network errors and unexpected responses
  • USB device errors, such as badge or fingerprint readers

Performance

  • Time to launch, unlock, lock, and sign out of an OS session
  • Time to perform a user switch
  • Time to launch a VDI session
  • Time to make a web API request to the Imprivata appliance
  • Time until other apps are installed, such as Citrix, VMware, and Smart Card Connector
  • Time for key operations used during authorization, such as sign operation

Usage patterns

  • How often specific flows are triggered and completed, such as badge enrollment
  • Which type of modalities were used to sign in, such as badge, credentials, PIN
  • How many sessions were started
  • How many devices run Imprivata OneSign
  • How often certain features are used, such as Web SSO
  • Source of lock and sign-out events, such as idle event or tap-out
  • How many virtual desktop/apps were launched, including automatically launched
  • Which virtual desktop or app client was used, Citrix or VMware
  • How long OS sessions last
  • How long VDI sessions last

Metadata

  • ChromeOS or ChromeOS Flex version
  • Extension version
  • Badge reader model & firmware version
  • Agent type

Turn off metrics reporting

By default, metrics reporting is turned on. To opt out, set the optional extension policy value metricsCollectionEnabled to false for the sign-in screen extension. For details, see Step 3: Configure Imprivata extensions.
