
Imprivata OneSign 7.10

Release Notes

Imprivata OneSign® 7.10 contains the following new features and technology updates. For more information
on these features and Imprivata OneSign, see "What's New in Imprivata OneSign 7.10" in the Imprivata
OneSign Help.

New Features
Virtual Smart Card Enhancements
End User Expiry Messaging - Imprivata now provides:
- A warning when a vSC is 30 days from expiration, shown:
  - as a popup balloon
  - in the agent status bar
- A warning when a vSC has expired
All messages include a call to action for renewal.

General Availability Release of G4 Appliance and Enterprise


Imprivata OneSign 7.10 introduces the General Availability (GA) release of the Imprivata G4 (fourth
generation) appliance and enterprise for all customers, including migrations from G3 or G2 enterprises to G4
enterprises. The G4 appliances upgrade the Imprivata database to Oracle 19c and adopt Oracle Golden Gate
as the replication technology. Imprivata OneSign 7.8 and later support either G3 or G4 appliances, but not
both G3 and G4 appliances on the same enterprise. For information on G4 appliances, see "G4 Appliance
Types" and "Number of Appliances to Deploy" in the Imprivata online help system. For procedures to migrate
from a G3 or G2 enterprise to a G4 enterprise, see "Migrating to a G4 Enterprise" in the Upgrade Portal.
Note that for a G4 enterprise, only one or two sites are used, and Imprivata recommends a maximum of two
sites. For information on G4 sites, see "Imprivata Sites for G4 Enterprises" in the Imprivata online help
system.
Rollback from a G4 enterprise to a G3 or G2 enterprise is not supported.
G4 enterprises on Azure are available only for new enterprises of one or two database appliances. You
establish such an enterprise using a new private offer in the Azure Marketplace. (The G3 private offer in the
Azure Marketplace remains available.) For more information, see "Deploy a G4 Appliance on Azure" in the
Imprivata online help system. For existing G3 enterprises on premises or on Azure, migration to a G4
enterprise on Azure is not currently supported.

© 2022 Imprivata, Inc. All Rights Reserved.


Technology Updates
Qualifications and Certifications
For more information on new 7.10 qualifications and certifications, see Imprivata OneSign Supported
Components.

Microsoft 2020 LDAP Channel Binding and LDAP Signing Updates


Microsoft has not announced a release date for its planned update to LDAP channel binding and LDAP signing
requirements, but Imprivata recommends that administrators verify now that their Imprivata directory (domain)
connections use TLS. When the update is applied, any directory connection that is not configured for TLS may
fail.
To verify the connection settings, go to the Directories page (Users menu > Directories) and open the
required domain. Verify that Use TLS for secure communication is selected.

TLS Support
As part of Imprivata's continuing effort to increase our security posture, beginning with the 7.4 release,
Imprivata disables the use of older TLS versions 1.0 and 1.1 for all G3 appliance communications.
For more information on TLS usage, see the "About TLS Communication" topic in the Imprivata Online Help.
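As an added example (not Imprivata's code), the following stdlib-only Python script does the two checks a practitioner would want behind the LDAP recommendation and the TLS note above. It sends a throwaway cleartext simple bind to port 389 and reads the result code: Active Directory answers strongerAuthRequired (result code 8) when LDAP signing is already required, while success or invalidCredentials (49) means the domain controller still processes unsigned binds. It also builds the LDAPS client context pinned to TLS 1.2 or later, which is the same guard that keeps a connection from dropping to TLS 1.0 during the domain-controller failover described under Known Issues. The host name, DN and password are placeholders, and the BER encoder and decoder are a minimal subset written for this example.

```python
"""Pre-flight check for an Imprivata directory (domain) connection.

Added example, not Imprivata code. Stdlib only. The BER encoding below is a
hand-rolled subset that is enough for an LDAP simple bind and its response.
"""
import socket
import ssl
from typing import Optional

LDAP_SUCCESS = 0
LDAP_STRONGER_AUTH_REQUIRED = 8   # AD's answer to a cleartext bind when signing is required
LDAP_INVALID_CREDENTIALS = 49     # AD processed the unsigned bind and checked the password


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(value: int) -> bytes:
    """INTEGER, two's complement, minimal length."""
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }"""
    bind = _int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _int(message_id) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, payload, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    """Pull messageID, resultCode and diagnosticMessage out of a BindResponse."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:                      # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(resp, 0)    # ENUMERATED resultCode
    _, _matched_dn, pos = _read_tlv(resp, pos)
    _, diag, _ = _read_tlv(resp, pos)
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode(errors="replace")}


def classify_cleartext_bind(result_code: int) -> str:
    """What a cleartext simple bind on port 389 tells you about the DC."""
    if result_code == LDAP_STRONGER_AUTH_REQUIRED:
        return "signing-enforced"        # good: unsigned binds are already refused
    if result_code in (LDAP_SUCCESS, LDAP_INVALID_CREDENTIALS):
        return "cleartext-accepted"      # DC still takes unsigned binds; move the connection to TLS
    return "unknown"


def ldaps_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Validating client context that will not negotiate below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_cleartext_bind(host: str, port: int = 389) -> str:
    """Send a throwaway bind in the clear. Use a bogus DN and password so nothing
    sensitive crosses the wire; the result code, not the login, is the signal."""
    with socket.create_connection((host, port), timeout=5.0) as sock:
        sock.sendall(build_simple_bind(1, "cn=probe,dc=example,dc=invalid", "not-a-real-password"))
        data = sock.recv(4096)           # one small response; enough for a probe
    return classify_cleartext_bind(parse_bind_response(data)["result_code"])


def probe_ldaps(host: str, dn: str, password: str, port: int = 636,
                ca_file: Optional[str] = None) -> dict:
    """Bind over LDAPS with certificate validation and report the TLS version used."""
    ctx = ldaps_context(ca_file)
    with socket.create_connection((host, port), timeout=5.0) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(build_simple_bind(1, dn, password))
        resp = parse_bind_response(tls.recv(4096))
        resp["tls_version"] = tls.version()   # expect "TLSv1.2" or "TLSv1.3", never lower
    return resp


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.invalid"   # placeholder host
    print("cleartext bind on 389:", probe_cleartext_bind(dc))
```

Run it against each domain controller the appliance can fail over to, not just the primary: the failover issue under Known Issues is exactly the case where the alternate DC is reached with different TLS settings than the one you tested.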

Imprivata OneSign API Access


Beginning with Imprivata OneSign 7.2 SP1, as part of Imprivata's continuing effort to increase our security
posture, there are two modes of API access through the Imprivata OneSign ProveID Web API and ProveID
Embedded:
- Full
- Restricted
In restricted mode, access to the Password and UserAppCreds resources is disabled. A ResourceRequest
that includes an attribute id of Password or UserAppCreds returns a response with a message stating that
access is restricted and status code 403.
The settings to manage API access are on the API access page in the Imprivata Admin Console.

Imprivata Google Chrome Extension


The Imprivata agent continues to install the Chrome extension for SSO, but no longer enables it.
If you plan on installing Imprivata agents on new endpoints or upgrading existing Imprivata agents, you must
enable/allow the extension using a Microsoft Active Directory GPO. Per the Chrome Safe Browsing Policy, a
GPO is the only supported way to enable extensions silently.

NOTE: For complete details on enabling the Chrome extension, see "Support for Applications that
Run in Google Chrome" in Imprivata OneSign help.
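As an added example (not Imprivata's code), the following Python script builds the Chrome ExtensionInstallForcelist policy value that a GPO has to deliver to silently enable the extension, renders it as a .reg file for a registry preference, and checks an endpoint's effective policy for it. The extension id is a placeholder: copy the real 32-character id from chrome://extensions on an endpoint where the agent has already installed the extension. The registry path and the "<id>;<update URL>" value format are Chrome's documented policy format; everything else is assumed for the example.

```python
"""Force-enable a Chrome extension on managed Windows endpoints via policy.

Added example, not Imprivata code. EXTENSION_ID is a placeholder; the key
path and value format are Chrome's ExtensionInstallForcelist policy.
"""
import re
import sys

CHROME_POLICY_KEY = r"SOFTWARE\Policies\Google\Chrome"
FORCELIST_SUBKEY = "ExtensionInstallForcelist"
UPDATE_URL = "https://clients2.google.com/service/update2/crx"   # Chrome Web Store update URL
EXTENSION_ID = "abcdefghijklmnopabcdefghijklmnop"                  # placeholder, not the real id

_ID_RE = re.compile(r"^[a-p]{32}$")   # Chrome extension ids: 32 characters from a..p


def forcelist_entry(extension_id: str, update_url: str = UPDATE_URL) -> str:
    """One ExtensionInstallForcelist value: '<id>;<update_url>'. A malformed id is
    rejected here rather than silently ignored by Chrome on every endpoint."""
    if not _ID_RE.match(extension_id):
        raise ValueError(f"not a Chrome extension id: {extension_id!r}")
    return f"{extension_id};{update_url}"


def render_reg_file(entries) -> str:
    """A .reg file with the forcelist values named "1", "2", ... as Chrome expects."""
    lines = ["Windows Registry Editor Version 5.00", "",
             f"[HKEY_LOCAL_MACHINE\\{CHROME_POLICY_KEY}\\{FORCELIST_SUBKEY}]"]
    lines += [f'"{n}"="{entry}"' for n, entry in enumerate(entries, start=1)]
    return "\r\n".join(lines) + "\r\n"


def is_forced(existing_values, extension_id: str) -> bool:
    """True if some forcelist value (from this or any other GPO) already covers the id."""
    return any(v.split(";", 1)[0].strip().lower() == extension_id.lower()
               for v in existing_values)


def read_forcelist_windows():
    """Read the forcelist values in effect on this endpoint (Windows only)."""
    if sys.platform != "win32":
        raise OSError("registry check only runs on the Windows endpoint")
    import winreg
    path = f"{CHROME_POLICY_KEY}\\{FORCELIST_SUBKEY}"
    values = []
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
    except FileNotFoundError:
        return values                      # no forcelist policy applied at all
    with key:
        i = 0
        while True:
            try:
                _name, data, _kind = winreg.EnumValue(key, i)
            except OSError:
                return values              # no more values
            values.append(data)
            i += 1


if __name__ == "__main__":
    entry = forcelist_entry(EXTENSION_ID)
    print(render_reg_file([entry]))
    if sys.platform == "win32":
        print("already forced on this endpoint:", is_forced(read_forcelist_windows(), EXTENSION_ID))
```

The same value can be set through the Chrome ADMX templates (Computer Configuration > Policies > Administrative Templates > Google > Google Chrome > Extensions > "Configure the list of force-installed apps and extensions"). After gpupdate, confirm on an endpoint that chrome://policy lists ExtensionInstallForcelist with the entry and no policy error.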

Upgrade Considerations
Imprivata Platform Update - G3 Appliances
An upgrade to 7.10 requires that you install the Imprivata platform update (applianceG3-IMPRIVATA-2022-
3-1.ipm) before upgrading the G3 appliance.
The platform update provides infrastructure, communication, and security improvements which must be in
place before you upgrade.
Take note of the following considerations:
- This platform update is supported on Imprivata OneSign 7.1 and later as part of the upgrade process or as a
  standalone update. If desired, you can install and distribute this platform update to your appliances
  without having to upgrade.
- This platform update is supported on Imprivata OneSign 6.1 up to and including 7.0 as part of the upgrade
  process only. After you install the platform update, you must upgrade the appliances to 7.1 or later.
Use one of the following methods for uploading:
- Upload the platform update files from a file server connected to the appliance.
- If you cannot use a file server and need to upload the IPM from your local computer using the Imprivata
  Appliance Console > Packages tab, you must first upload the provided increasePHPmaxPOST-2022-3-1.ipm.
  This small platform update temporarily increases the maximum PHP file upload size, allowing you to then
  upload the applianceG3-IMPRIVATA-2022-3-1.ipm platform update file.
For more information about upgrading to 7.10, see the Imprivata Upgrade Help.

Considerations
The following section describes a change in behavior in Imprivata OneSign for this release.

New Appliances on Non-DHCP Networks Get Prepopulated Host and Domain Names
When you set up a new G3 or G4 appliance on a network that does not use DHCP, then in the Appliance
Setup Wizard process, under System Information, the Host Name and Domain Name fields get
prepopulated with values localhost and localdomain. Previously, in Imprivata OneSign 7.8 and earlier, these
fields were left blank. You must replace the prepopulated values with values for the permanent host name
and domain name of the appliance.

Known Issues
The following issues may occur in Imprivata OneSign 7.10.

Risk of PHI Exposure and/or Mischarting with Persistent Applications on IGEL 11.07.170 Using
Citrix and ProveID Embedded
For multi-user endpoints with ProveID Embedded 7.10 or 7.9 on IGEL 11.07.170 using a persistent application
workflow and brokered using Citrix 2203, a serious risk exists of exposing patient Protected Health
Information (PHI) and/or mischarting patient data.

The problem occurs as follows: User 1 logs into the endpoint and launches any published application on the
available list. User 1 logs out, for example by using the Disconnect button in the bottom right corner of the
interface. User 2 logs into that workstation. The published application previously launched in user 1's session
is shown in user 2's session. The workaround is for user 2 to close that published application.
To avoid this problem, use IGEL 11.07.100 instead of 11.07.170 on all multi-user endpoints with ProveID
Embedded 7.10 or 7.9 using a persistent application workflow and brokered using Citrix 2203.

In G4 Enterprises Upgraded from 7.8 to 7.10, if an Authorize Replace Operation is Needed, Use
a Freshly Built Appliance Instead of a Restaged Appliance
After upgrading a G4 enterprise from Imprivata OneSign 7.8 to 7.10, if you remove an appliance from the
enterprise, restage that appliance, and then use the Authorize Replace feature to replace the removed
appliance with the restaged appliance in the enterprise, then the Authorize Replace operation hangs at the
message "Waiting for Authorizing Appliance to setup initial tunnel". The enterprise
remains locked.
The workaround is to force unlock the enterprise, and then perform an Authorize Replace operation using a
freshly built G4 appliance instead of the restaged appliance. This includes shutting down the removed
appliance and then changing the IP address of the freshly built appliance to match the IP address of the
removed appliance.

Configuring Persistent Applications on IGEL Requires IGEL Universal Management Suite 6.0 or
Later
To configure the persistent applications workflow for IGEL endpoints running ProveID Embedded, you need
the IGEL Universal Management Suite (UMS) version 6.0 or later to be able to see and set the IGEL Fast User
Switch settings on the IGEL management console.

Database Replication Fails If You Remove and Replace a G4 Database Appliance with an
Appliance Snapshot
If you remove a G4 (fourth generation) database appliance from a G4 enterprise and then want to add a
replacement G4 appliance to that enterprise, you must first restage the replacement appliance before adding
it to the enterprise. If instead you add a snapshot of a G4 appliance to the enterprise, which is not supported,
then database replication fails from the replacement appliance. The workaround for this failure is to contact
Imprivata Support and then start a Synchronize Enterprise Database operation from the replacement
appliance’s console after the Authorize Replace operation is completed. To avoid the failure, restage the
replacement appliance before adding it to the enterprise.
The Authorize Replace option appears on the Enterprise tab of the appliance console after you remove a G4
appliance from an enterprise. The Synchronize Enterprise Database option appears on the System tab of
that console.

For Many Prior Releases, During AD Domain Controller Failover, G3 or G4 Appliance Fails to
Negotiate TLS Version
This issue is fixed in Imprivata OneSign and Imprivata Confirm ID 7.10. A previous fix announced in OneSign
and Confirm ID 7.9 Release Notes, and made available for 7.8 in 7.8 HF 6, was found to not resolve the
problem. Therefore, new fixes are available in 7.9 HF 4 and 7.8 HF 7. Note that the downloads and download
locations for 7.9 HF 4 and 7.8 HF 7 are different for G3 (third generation) and G4 (fourth generation)
enterprises, and are specified on the Imprivata Support and Learning Center.
Imprivata expects to fix this issue in hotfix releases over time for versions 7.7 through 7.3, provided that fixes
can be made available before those versions reach end of life. For those versions, see recent OneSign and
Confirm ID Fixed Issues lists for your version to determine if the fix is available. Imprivata no longer plans to
fix this issue for 7.2 SP1, because 7.2 reached end of life on June 30, 2022.
The issue occurs as follows: An Imprivata G3 or G4 appliance is communicating using TLS 1.2 with an Active
Directory (AD) domain controller. The domain controller or the intervening network fails. The Imprivata
appliance fails over to use an alternate domain controller. The appliance fails to negotiate TLS correctly,
using the unsupported TLS 1.0 instead of 1.2, so communication fails with the alternate domain controller.
This failure can cause directory synchronization to fail, which can cause further downstream failures. The fix
in OneSign and Confirm ID 7.10 and in 7.9 HF 4 and 7.8 HF 7 ensures that if AD domain controller failover
events occur, connections remain on the supported TLS 1.2 version. For OneSign and Confirm ID supported
releases for which the fix is not yet available, the workaround for the issue is to reboot the appliance.

Wrong Domain in Sender Address in Emails from Imprivata G3 and G4 Appliances on Azure
When setup is completed for an Imprivata G3 or G4 virtual appliance deployed on Microsoft Azure, the
appliance may send a test email. That email and any other emails generated by the appliance may appear to
be sent from the incorrect address do-not-reply@<virtual-machine-name>.reddog.microsoft.com, for example
do-not-reply@imp-vm0.reddog.microsoft.com. The correct sending address is do-not-reply@<virtual-
machine-name>.<your-domain>, where <your-domain> is the domain specified during appliance
configuration setup. This error occurs only if your Azure subscription uses your existing DNS infrastructure
instead of Azure DNS, so that you must replace the domain name for the Imprivata appliance during
configuration with the wizard. There is no workaround for this problem.

WebSSO for Microsoft AD FS and Office 365


Repeatedly logging in and out of these applications with Imprivata WebSSO in the same browser window can
trigger an error message from Microsoft:
- Microsoft AD FS: "Sorry, but we're having trouble signing you in. AADSTS90015: Requested query string
  is too long."
- Microsoft Office 365: "Hmm... we're having trouble signing you out. You may still be signed in to some
  applications. Close your browser to finish signing out."
Workaround: close your browser, then reopen the browser and log in again.

Citrix SAML Authentication Fails When the Store Name Contains a Space


When the Citrix Storefront Store name contains a space, SAML authentication fails with the error
"XML document is not signed." This includes the Citrix default name "Store Service". To avoid this error,
change the Store name to one containing no spaces.

Imprivata ID Automatically Removed


iOS 11 introduces the Offload Unused Apps feature. If a user chooses to enable this feature, Imprivata ID may
be removed from the device because it appears that Imprivata ID is "unused" even when the user responds
to push notifications regularly. If Imprivata ID is removed, it must be reinstalled. Best Practice: do not enable
the Offload Unused Apps feature. See Apple iOS 11 Support for details.

Google Chrome Shows False Positive for the Agent as an "Incompatible Application"
When a user launches Google Chrome for the first time after upgrading to Version 72, the browser displays a
message listing incompatible applications. This list includes a false positive for the Imprivata agent. This
warning can be ignored, as the agent has no effect on Chrome functionality or performance.

Imprivata ID Enrollment Fails with Symantec VIP Credentials on iOS 13.1


Imprivata ID enrollment fails with the error "Unable to enroll Imprivata ID" when the user policy for
Imprivata ID employs the "Symantec VIP (IMSY) token only" option. This issue occurs on iOS 13.1.

Virtual Desktop Access


- For VMware Horizon 8 2203, or for the VMware Horizon 8 2203 Windows Client, when used with ProveID
  Embedded on HP ThinPro endpoints, the user is not logged in directly to the VDI session from the ProveID
  Embedded login screen. The workaround is for the user to log out of Windows and log back in. To avoid
  this issue, use VMware Horizon 8 2111 instead of VMware Horizon 8 2203.
- By default, when VMware Horizon View RDS Hosted applications or desktops are configured to
  automatically launch, the VMware View Client is disabled. This behavior results in an extra instance of an
  application each time a user reconnects to an existing VMware session. For example:
  1. User 1 logs into endpoint 1. Application 1 and application 2 launch automatically.
  2. User 1 logs into endpoint 2. Application 1 and application 2 are roamed. A second instance of
     application 1 opens.
  Solution: Configure the default behavior to launch the VMware View Client. Create the
  HideClientAfterSessionLaunchValue registry value with a Data Type of DWORD and a value of 0. The
  default value is 1.
  - 64-bit computers: HKEY_LOCAL_MACHINE\SOFTWARE\SSOProvider\VDI\ViewApp
  If the value is:
  - Set to 1, the VMware Horizon Client is hidden after launching an application.
  - Set to 0, the VMware Horizon Client is not hidden after launching an application. [AP-2826] [AP-3515]
- VMware App configuration options appear incorrectly in the Imprivata Admin Console. Users can only
  authenticate to VMware Horizon View Hosted RDS applications using Imprivata user credentials. Windows
  user credentials and external domain credentials are not supported. [AP-2619]
- VMware Horizon View RDS Hosted applications: if the virtual desktop and applications are hosted on the
  same RDS session host, automatically launching the desktop, and then automatically launching
  applications to the desktop, is not supported. The following workflow details the unsupported configuration:
  1. The user logs into the endpoint, which automatically launches the virtual desktop.
  2. The virtual desktop launches the applications.
  This workflow requires that the virtual desktop and applications be hosted on different RDS session
  hosts. [AP-2674]
- Authenticating to a VMware Horizon View RDS hosted virtual desktop using a proximity card or a
  fingerprint is not supported on Teradici PCoIP® Zero Clients. Although the initial login succeeds, after the
  RDS virtual desktop becomes locked, a user cannot unlock it using a proximity card or fingerprint.
  [AP-2710]
- In the following scenario, user credentials are not automatically passed to Windows 8.1 virtual desktops
  when RDP is used:
  - Desktop roaming: A user logs into Endpoint 1 and the virtual desktop opens. The user locks the virtual
    desktop on Endpoint 1 and logs into Endpoint 2. The user's virtual desktop on Endpoint 2 opens but is
    locked because the user's credentials were not passed to the virtual desktop from Endpoint 2. [AP-16]
  - Computer policy > Virtual Desktops tab > VMware View setting Shutdown the View client and
    disconnect the user session is enabled: A user logs into an endpoint and the virtual desktop opens. The
    user then locks the virtual desktop and locks the endpoint computer, disconnecting the virtual desktop
    session. If the user unlocks the same endpoint computer, the virtual desktop opens but is locked.
    [AP-17]
- If Citrix Workspace app has been upgraded after configuring Imprivata OneSign to support Citrix
  XenDesktop or Citrix XenApp, restart the endpoint computer. Failing to restart the endpoint can result in
  unexpected behavior, which includes:
  - The endpoint computer does not lock after the last application is closed.
  - The Citrix Workspace app login window prompts users to authenticate, even when Citrix Fast Connect is
    configured.
  Restarting the endpoint computer resolves these issues. [AP-2907]
- If Internet Explorer (IE) is deployed as a Microsoft RDS RemoteApp program, default IE behavior causes an
  additional IE window to open each time the user session is roamed. For example:
  1. User 1 logs into endpoint 1. IE is launched.
  2. User 1 logs into endpoint 2. The first IE window is roamed and a second IE window opens.
  3. User 1 logs into endpoint 3. The IE windows from the previous endpoints are roamed and a third IE
     window opens. [AP-3005]
- Under certain circumstances, default VMware Horizon View behavior prevents users from being
  automatically logged into a virtual desktop. The following describes this behavior:
  1. A user starts the VMware Horizon View client, launches the virtual desktop, and is logged in
     automatically.
  2. The user locks the desktop, and then unlocks it.
  3. The user disconnects from the desktop, but does not close the client.
  4. The user launches the same desktop again. VMware requires that the user log into the desktop.
  This is expected behavior. Locking the desktop causes the VMware server to remove the SSO credentials.
  Solution: Closing the client after disconnecting, or restarting the client, prevents the behavior. [AP-5032]
- When the following conditions are met, Citrix Fast User Switching fails for Citrix XenDesktop:
  - The computer policy for the Citrix server is enabled for OneSign Ticket Authentication (Citrix or
    Terminal Server tab > Authenticating generic user or anonymous Citrix XenApp or Terminal Server
    sessions section).
  - The computer policies for the Citrix server and the endpoint computers are configured to:
    - Allow Fast User Switching (Citrix or Terminal Server tab > Fast User Switching section)
    - Override the Imprivata credential provider for log in and locking of Windows workstations (General
      tab > Desktop experience section).
- Due to a Citrix issue, XenApp published applications that are configured to automatically launch may fail to
  do so. Applications may fail to launch because of a deadlock in the wfcrun32.exe process.

Imprivata OneSign Single Sign-On


- On Windows 10, Auto Logon functionality does not work when the Windows "Fast Startup" option is
  enabled. Windows "Fast Startup" can be disabled through Control Panel > Power Options > "Turn on fast
  startup". The "Fast Startup" checkbox is only available when hibernate is enabled.
- On Windows 10, Imprivata agent login fails with a Microsoft account, presenting the Windows login
  screen rather than the Imprivata login screen. Ensure that you are using a local or domain account.
- Single sign-on supports Google Chrome basic authentication dialogs profiled with native credentials
  capture, explicit credential capture, and long-form credentials proxy. Native credentials proxy and short-
  form credentials proxy are not currently supported. [RO-618]
- Google Chrome must be installed by a user with Windows administrator privileges to allow single sign-on
  to function properly. After the Imprivata agent is installed, view Chrome Settings > Extensions: if the
  Imprivata OneSign extension is not listed, a user with Windows administrator privileges must uninstall and
  reinstall Chrome.
- Fast user switching is supported for OneSign users only. Applications to which users are entitled do not
  close in the following workflow:
  1. A non-OneSign user logs into an endpoint and launches an application.
  2. The non-OneSign user locks the endpoint.
  3. A second non-OneSign user unlocks the endpoint.
  4. The application from the first non-OneSign user remains open and, as a result, could expose protected
     health information (PHI). [AP-2719]

Authentication Management
- Allowing a beep on badge tap for nano proximity card readers requires access to the Microsoft Windows
  speaker. As a result, under the following circumstances, users do not hear a beep when they tap their
  badge:
  - Windows single-user agent (Type 1): The first time the computer starts, the reader does not beep on
    initial logon.
  - Windows single-user agent (Type 1) with multiple user desktops (MUD): If the computer policy is
    enabled for MUD, the reader beeps on log off only. The reader never beeps on log in.
- If a computer policy is configured to support smart card authentication on ProveID Embedded devices, the
  setting does not take effect until the Imprivata agent is restarted. [MA-3269]

Prove ID SDK Support Change


- The C++ sample apps from previous Prove ID versions, or other C++ solutions created with Microsoft
  Visual Studio 2010 or earlier, fail. This is because the current version of the SDK is based on Visual Source
  2016. To work with the older samples, or other Visual Studio 2010-based code, you must download the
  appropriate Visual C++ Package for your environment from Microsoft.
  For example: https://www.microsoft.com/en-us/download/details.aspx?id=13523. [OTP-843]
  NOTE: This link may change without notice.
