Imprivata Mobile Access Management can be configured to use SAML to provision and authenticate users against your Identity Provider, such as Microsoft Entra ID (formerly Azure AD).
Mobile Access Management takes the role of a Service Provider (SP) and you provide a system to serve as Identity Provider (IdP). No credentials are exchanged during the setup process. Instead, a trusted relationship is established between the two services.
Overview
This authentication works to the Mobile Access Management admin console and to the Launchpad app. SAML keeps passwords internal to your network, making Mobile Access Management more secure. At the same time SAML leverages single-sign on, providing a better login experience for users.
Microsoft Entra ID is used only for user authentication. Authorization — assigning users to Mobile Access Management roles — is still handled within the MAM admin console.
When the user launches Mobile Access Management from their IdP, like for example myapps.microsoft.com (Microsoft Entra ID), then the user will be generated at that time in Mobile Access Management with the default role defined in the Admin settings.
There is only one default role for accounts automatically created this way, but a user’s role can be modified manually after the user is created. Manually add new users and assign them to a role using the Team page. If a user has no role, they will see an error when attempting to log in with SAML.
User Invitations
Imprivata Mobile Access Management handles new user creation differently for SAML–enabled organizations. The differences are visible in Admin > Team.
- The Reset Password button is greyed out, because passwords are managed by your identity provider.
- The New user process does not send an email to the new user.
You are responsible for letting new users know how to log into their Mobile Access Management account.
IdP and SP Metadata
Mobile Access Management (as the SP) and your Identity Provider (the IdP) need metadata from each other. Open both consoles at the same time and import the metadata. The most common method of providing IdP metadata to an SP is via an XML file. Mobile Access Management can also accept a URL where IdP metadata can be retrieved, and also specifying the metadata values manually.
- In the GroundControl admin console, navigate to Admin > SAML.
- Switch the SAML Single Sign-on setting to ON. The Configure SAML Single Sign-on dialog opens.
- In Identity Provider Display Name box, type a user-friendly display name for the Identity Provider (IdP).
- In the Provide GroundControl Metadata XML to your Identity Provider section, copy the file to your workstation.
- In your IdP’s admin console:
- Export the IdP metadata XML file to your workstation.
- Upload the GroundControl metadata file saved from step 3. Alternately, enter the GroundControl URL and metadata values manually and save the configuration.
- If required, copy the IdP’s metadata URL and/or metadata XML contents for use in GroundControl.
- In the Mobile Access Management dialog, upload the IdP metadata XML or paste the metadata URL or XML contents:
- To upload the metadata XML file exported from the IdP, click Upload XML file and browse to the location. Click Upload. The metadata XML file is uploaded to Mobile Access Management.
- To use a metadata URL from the IdP, click Paste Metadata URL and paste the URL.
- To use the contents of the XML from the IdP, click Paste XML contents and paste the contents of the IdP’s metadata XML.
- Click Save.
Mobile Access Management – Configure Additional SAML Settings
In the MAM admin console, configure additional SAML settings:
- To set up automatic user creation, where new users are automatically assigned a role, switch the Auto-create user after SAML authentication to ON.
- Select the default role to be assigned for automatically created users.
- To require SAML for the MAM admin console, switch the Require SAML for GroundControl admin console to ON.
SAML can be mandatory for the MAM admin console, or you can allow traditional usernames and passwords alongside SAML.
Typically, customers keep SAML optional during testing, then switch to mandatory for production use. - To require SAML for Launchpads, switch the Require SAML for Launchpads to ON. Many customers continue using username/password for Launchpads, even when the MAM admin console uses SAML, because Launchpads configured for SAML prompt for user/password every time the app launches. This interrupts automatic start. On the other hand, Launchpad configured without SAML downloads a token and launch without a prompt.
- In the Maximum authentication lifetime (in hours) box, type a value between 1 and 168 to specify the amount of time (in hours) users have before they have to reauthenticate.
SAML Certificate
Organizations can use the default Mobile Access Management SAML certificate. To make refreshing this certificate easier, you can set an organization-specific certificate.
Create a Certificate
Creating a certificate generates a new service provider automatically; by default it will be inactive. You must copy the Mobile Access Management metadata XML into your Identity Provider (IdP) before activating the new certificate.
Activating a new certificate deactivates the currently active certificate. Only one certificate may be active at a time.
- Click Create Certificate.
- In the Active column, click the Active button for the certificate you wish to activate. The Make Certificate Active? dialog opens.
- Click the URL to copy the Mobile Access Management metadata XML for use in your IdP before activating the new certificate.
- In your IdP admin console, update the Mobile Access Management metadata XML and save.
- In MAM, click Make Active to activate the certificate.
Delete a Certificate
In the SAML Certificate list, click the delete icon next to an inactive certificate and confirm the deletion.
Certificate Expiration
Beginning 60 days before the SAML certificate expires, the MAM Admin Console displays an alert warning of the expiration. The banner is only displayed when the active SAML certificate is expiring.