For managed ChromeOS devices.
ChromeOS offers three different integration types for Imprivata:
- Shared managed guest session (default)—Shared kiosk workstation
- Isolated managed guest session—Single user workstation
- User session—Single user workstation
Compare integration types
| | Shared managed guest session | Isolated managed guest session | User session |
|---|---|---|---|
| Recommended for | Shared devices with very frequent user switches | Shared devices with regular user switches or increased isolation needs | Shared devices with regular user switches or need for Google services; assigned devices |
| Session switching time | Very low | Low | Low for previous users of the device |
| Share apps across users / support of application-internal user switching | Yes | No | No |
| In-session support of Google services, such as Chrome sync, single sign-on (SSO) to Workspace | No | No | Yes |
| On-device storage | Ephemeral | Ephemeral | Ephemeral or permanent |
| Security / User isolation | High (clean up) | Very high (full isolation) | Very high (full isolation) |
| Comparable Imprivata type | Type 2: Shared kiosk workstation | Type 1: Single user workstation | Type 1: Single user workstation |
| ChromeOS session type | Managed guest session | Managed guest session | User session |
Choose your preferred integration type
Shared managed guest session
We recommend shared managed guest sessions for frequent user switches on ChromeOS devices. They allow instant access via Fast User Switching (FUS) on both the workstation and application level.
- Read Imprivata's documentation about Fast User Switching.
- Watch this video about Imprivata Agent Type 2—Shared Kiosk.
Users share a device session at the OS level. Upon a user switch, the ChromeOS Imprivata integration performs a clean-up of critical user data. The clean-up includes the following steps:
- Close browser windows & clear browser data, such as cookies, history, site settings, and so on.
- Uninstall and reinstall all apps & extensions that are not exempted by the Shared apps & extensions setting. See Step 3: Configure Imprivata extensions.
- Delete local files.
- Clear the copy and paste clipboard.
Isolated managed guest session
We recommend isolated managed guest sessions for less frequent user switches on ChromeOS devices. On every user switch, the previous user is signed out on the OS level, and a new user session is started for the next user.
Isolated managed guest sessions improve security through user isolation. However, they increase sign-in and sign-out times.
- Watch this video about Imprivata Agent Type 1—Single User.
User sessions
Similar to isolated managed guest sessions, user sessions are recommended for less frequent user switches, and also for assigned devices.
User sessions let users personalize their experience, for example using monitor and keyboard settings. They allow access to services including Chrome sync, bookmarks, and password manager. User sessions offer instant SSO to all services that rely on Cloud Identity, such as Google Workspace.
Switch to isolated managed guest sessions
First, set up the default configuration for shared managed guest sessions, described in Set mandatory policies. Then, follow these steps to switch to isolated managed guest sessions:
Step 1: Change the configuration of the Imprivata login screen extension
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Devices > Chrome > Settings > Device settings.
- To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Imprivata.
- Click Imprivata login screen integration.
- Using a text editor, in the extension policy file, set agentType to singleUser.
- Upload the replacement extension policy file.
- Click Save.
Step 2: Prevent shared workstation mode
- In the Admin console, go to Menu > Devices > Chrome > Settings > Device settings.
- To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Imprivata.
- Click Shared kiosk mode.
- Select Disable shared kiosk mode.
- Click Save.
Step 3: (Optional) Stop sharing apps and extensions across users
- In the Admin console, go to Menu > Devices > Chrome > Settings > Device settings.
- To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Imprivata.
- Click Shared apps & extensions.
- Clear the list of extension IDs.
- Click Save.
Switch to user sessions
First, set up the default configuration for shared managed guest sessions, described in Set mandatory policies. Then, follow these steps to switch to user sessions:
Step 1: Set up Google Workspace as Service Provider (SP)
In the Imprivata admin console:
- Go to Web app login configuration > View and copy Imprivata (IdP) SAML metadata. The Imprivata IdP (Identity Provider) Metadata window opens.
- Copy Imprivata’s IdP metadata: Entity ID, SSO (Sign-in page URL), SLO (Sign-out page URL).
- Download the Imprivata IdP certificate.
In your Google Admin console:
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Security > Authentication > SSO with third party IdP.
- Click Add SAML Profile.
- Enter a name for the profile.
- Fill in Imprivata's information that you already obtained from the Imprivata admin console—IDP entity ID, Sign-in page URL, and Sign-out page URL.
- Enter a change password URL. Users will go to this URL, rather than the Google change password page, to reset their passwords.
- Click Upload certificate, then locate and upload your Imprivata IdP certificate file.
- Click Save.
- In the SP Details section, copy and save the Entity ID and ACS URL of your newly created SAML SSO Profile.
- Under Manage SSO profile assignments, assign your newly created SAML SSO profile to the organizational unit that you created for Imprivata user sessions.
- Save your changes.
Step 2: Set up Imprivata as Identity Provider
Note: Imprivata only accepts the SP information via XML metadata. Google Workspace does not offer the possibility to download the metadata as an XML, so you'll need to build it manually.
- Using the Entity ID and ACS URL that you just copied, manually build the XML metadata. See this sample XML metadata.
- In the Imprivata admin console, go to Applications > Single sign-on application profiles > Web Application using SAML.
- Under Get SAML metadata:
  - Select From XML.
  - Upload the XML file that you downloaded or created.
  - Save the changes.
- You'll be redirected to the OneSign single sign-on application profiles page where you will see the newly created SAML App Profile. Under Deployment status, it should show as Not Deployed.
- Click Not Deployed.
- Check the Deploy This Application? box.
- Choose who you want to deploy the app to.
- Click Save.
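As an added example of the manual metadata step above (not code from Google's or Imprivata's documentation; the sample XML the page links to is not reproduced here), the following Python builds a standard SAML 2.0 SP metadata document from the Entity ID and ACS URL copied from the SP Details section, reads it back as a check before upload, and extracts the rpid query value that the user-session extension policy later uses as ssoProfile. It assumes Imprivata accepts a standard EntityDescriptor/SPSSODescriptor with an HTTP-POST AssertionConsumerService; the Entity ID and ACS URL values are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

SAML_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", SAML_MD)


def md_tag(name: str) -> str:
    """Clark-notation tag in the SAML metadata namespace."""
    return f"{{{SAML_MD}}}{name}"


def sso_profile_from_entity_id(entity_id: str) -> str:
    """Return the rpid query value; the login screen policy uses it as ssoProfile."""
    url = urlparse(entity_id)
    rpid = parse_qs(url.query).get("rpid", [])
    if url.scheme != "https" or url.netloc != "accounts.google.com" or len(rpid) != 1:
        raise ValueError(f"not a Google SAML SSO profile Entity ID: {entity_id!r}")
    return rpid[0]


def build_sp_metadata(entity_id: str, acs_url: str) -> bytes:
    """Serialize SP metadata that describes Google Workspace as the service provider."""
    if urlparse(acs_url).scheme != "https":
        raise ValueError("ACS URL must use https")
    root = ET.Element(md_tag("EntityDescriptor"), entityID=entity_id)
    sp = ET.SubElement(root, md_tag("SPSSODescriptor"),
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
                       AuthnRequestsSigned="false", WantAssertionsSigned="true")
    ET.SubElement(sp, md_tag("NameIDFormat")).text = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    ET.SubElement(sp, md_tag("AssertionConsumerService"),
                  Binding=HTTP_POST, Location=acs_url, index="0", isDefault="true")
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def parse_sp_metadata(xml_bytes: bytes) -> dict:
    """Read back entityID, ACS location and binding to check the file before upload."""
    root = ET.fromstring(xml_bytes)
    acs = root.find(f"{md_tag('SPSSODescriptor')}/{md_tag('AssertionConsumerService')}")
    if root.tag != md_tag("EntityDescriptor") or acs is None:
        raise ValueError("missing EntityDescriptor or AssertionConsumerService")
    return {"entity_id": root.get("entityID"), "acs_url": acs.get("Location"),
            "binding": acs.get("Binding")}


# Constructed sample values in the shape the Admin console shows under SP Details.
ENTITY_ID = "https://accounts.google.com/samlrp/metadata?rpid=ABCxyz123"
ACS_URL = "https://accounts.google.com/samlrp/acs?rpid=ABCxyz123"

if __name__ == "__main__":
    print(build_sp_metadata(ENTITY_ID, ACS_URL).decode())  # save this as the XML to upload
    print("ssoProfile =", sso_profile_from_entity_id(ENTITY_ID))
```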
Step 3: Configure settings
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Devices > Chrome > Settings > Device settings.
- To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Go to Imprivata.
- Click Imprivata login screen integration.
- Using a text editor, in the extension policy file:
  - Set agentType to singleUser. Note: ChromeOS user sessions do not work if agentType is set to sharedKiosk.
  - Set useSamlUserSessionsForSingleUserWorkstation to true.
  - Set the ssoProfile value to the rpid value from the Entity ID. For example, if the Entity ID looks like https://accounts.google.com/samlrp/metadata?rpid=ABCxyz123, the ssoProfile is ABCxyz123.
- Upload the replacement extension policy file.
- Click Save.
- In the Admin console, go to Menu > Devices > Chrome > Apps & extensions > Users & browsers. If you signed up for Chrome Browser Cloud Management, go to Menu > Chrome browser > Apps & extensions > Users & browsers.
- Install Imprivata in-session extension, Citrix/VMware and Smart Cards Connector (if needed for prox card reader support) extensions. Use the same configuration as managed guest sessions. See Step 4: Configure virtual app and desktop solution.
- In the Admin console, go to Menu > Devices > Chrome > Settings. The User & browser settings page opens by default. If you signed up for Chrome Enterprise Core, go to Menu > Chrome browser > Settings.
- Go to Hardware.
- Click WebUSB API allowed devices.
- Enter the URL and VID:PID values:
  - URL: chrome-extension://omificdfgpipkkpdhbjmefgfgbppehke
  - VID:PID: 0C27:3BFA and 0C27:3B1E
- Click Save.
- Go to Power and shutdown.
- For AC idle action, select Do nothing.
- For Battery idle action, select Do nothing.
- Click Save.
- In the Admin console, go to Menu > Devices > Chrome > Settings > Device settings.
- (Optional) Delete all locally stored settings and user data from ChromeOS devices every time a user signs out:
  - Go to Sign-in settings.
  - Click User data.
  - Select Erase all local user data.
  - Click Save.
Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.