Use ChromeOS devices with Imprivata OneSign

3. (Optional) Switch integration type

For managed ChromeOS devices.

ChromeOS offers three different integration types for Imprivata:

  • Shared managed guest session (default)—Shared kiosk workstation
  • Isolated managed guest session—Single user workstation
  • User session—Single user workstation

Compare integration types

Recommended for
  • Shared managed guest session: Shared devices with very frequent user switches
  • Isolated managed guest session: Shared devices with regular user switches or increased isolation needs
  • User session: Shared devices with regular user switches or need for Google services; assigned devices

Session switching time
  • Shared managed guest session: Very low
  • Isolated managed guest session: Low
  • User session: Low for previous users of the device

Share apps across users / support of application-internal user switching
  • Shared managed guest session: Yes
  • Isolated managed guest session: No
  • User session: No

In-session support of Google services, such as Chrome sync and single sign-on (SSO) to Workspace
  • Shared managed guest session: No
  • Isolated managed guest session: No
  • User session: Yes

On-device storage
  • Shared managed guest session: Ephemeral
  • Isolated managed guest session: Ephemeral
  • User session: Ephemeral or permanent

Security / User isolation
  • Shared managed guest session: High (clean-up)
  • Isolated managed guest session: Very high (full isolation)
  • User session: Very high (full isolation)

Comparable Imprivata type
  • Shared managed guest session: Type 2: Shared kiosk workstation
  • Isolated managed guest session: Type 1: Single user workstation
  • User session: Type 1: Single user workstation

ChromeOS session type
  • Shared managed guest session: Managed guest session
  • Isolated managed guest session: Managed guest session
  • User session: User session

Choose your preferred integration type

Shared managed guest session

We recommend shared managed guest sessions for frequent user switches on ChromeOS devices. They allow instant access via Fast User Switching (FUS) on both the workstation and application level.

Users share a device session at the OS level. Upon a user switch, the ChromeOS Imprivata integration performs a clean-up of critical user data. The clean-up includes the following steps:

  • Close browser windows & clear browser data, such as cookies, history, site settings, and so on.
  • Uninstall and reinstall all apps & extensions that are not exempted by the Shared apps & extensions setting. See Step 3: Configure Imprivata extensions.
  • Delete local files.
  • Clear the copy and paste clipboard.

Isolated managed guest session

We recommend isolated managed guest sessions for less frequent user switches on ChromeOS devices. On every user switch, the previous user is signed out on the OS level, and a new user session is started for the next user.

Isolated managed guest sessions improve security through user isolation. However, they increase sign-in and sign-out times.

User sessions

Similar to isolated managed guest sessions, user sessions are recommended for less frequent user switches, and also for assigned devices.

User sessions let users personalize their experience, for example using monitor and keyboard settings. They allow access to services including Chrome sync, bookmarks, and password manager. User sessions offer instant SSO to all services that rely on Cloud Identity, such as Google Workspace.

Switch to isolated managed guest sessions

First, set up the default configuration for shared managed guest sessions, described in Set mandatory policies. Then, follow these steps to switch to isolated managed guest sessions:

Step 1: Change the configuration of the Imprivata login screen extension

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devices and then Chrome and then Settings and then Device settings.
  3. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  4. Go to Imprivata.
  5. Click Imprivata login screen integration.
  6. Using a text editor, in the extension policy file, set the agentType to singleUser.
  7. Upload the replacement extension policy file.
  8. Click Save.

Step 2: Prevent shared workstation mode

  1. In the Admin console, go to Menu and then Devices and then Chrome and then Settings and then Device settings.
  2. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  3. Go to Imprivata.
  4. Click Shared kiosk mode.
  5. Select Disable shared kiosk mode.
  6. Click Save.

Step 3: (Optional) Stop sharing apps and extensions across users

  1. In the Admin console, go to Menu and then Devices and then Chrome and then Settings and then Device settings.
  2. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  3. Go to Imprivata.
  4. Click Shared apps & extensions.
  5. Clear the list of extension IDs.
  6. Click Save.

Switch to user sessions

First, set up the default configuration for shared managed guest sessions, described in Set mandatory policies. Then, follow these steps to switch to user sessions:

Step 1: Set up Google Workspace as Service Provider (SP)

In the Imprivata admin console:

  1. In the Imprivata admin console, go to: and then Web app login configuration and then View and copy Imprivata (IdP) SAML metadata. The Imprivata IdP (Identity Provider) Metadata window opens.
  2. Copy Imprivata’s IdP metadata: Entity ID, SSO (Sign-in page URL), SLO (Sign-out page URL).
  3. Download the Imprivata IdP certificate.

In your Google Admin console:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Security and then Authentication and then SSO with third party IdP.
  3. Click Add SAML Profile.
  4. Enter a name for the profile.
  5. Fill in Imprivata's information that you already obtained from the Imprivata admin console—IDP entity ID, Sign-in page URL, and Sign-out page URL.
  6. Enter a change password URL. Users will go to this URL, rather than the Google change password page, to reset their passwords.
  7. Click Upload certificate, then locate and upload your Imprivata IdP certificate file.
  8. Click Save.
  9. In the SP Details section, copy and save the Entity ID and ACS URL of your newly created SAML SSO Profile.
  10. Under Manage SSO profile assignments, assign your newly created SAML SSO profile to the organizational unit that you created for Imprivata user sessions.
  11. Save your changes.

Step 2: Set up Imprivata as Identity Provider

Note: Imprivata only accepts the SP information as XML metadata. Google Workspace does not let you download the SP metadata as an XML file, so you need to build it manually.

  1. Using the Entity ID and ACS URL that you just copied, manually build the XML metadata. See this sample XML metadata.
  2. In the Imprivata admin console, go to Applications and then Single sign-on application profiles and then Web Application using SAML.
  3. Under Get SAML metadata:
    1. Select From XML.
    2. Upload the XML file that you downloaded or created.
  4. Save the changes.
  5. You'll be redirected to the OneSign single sign-on application profiles page where you will see the newly created SAML App Profile. Under Deployment status, it should show as Not Deployed.
  6. Click Not Deployed.
  7. Check the Deploy This Application? box.
  8. Choose who you want to deploy the app to.
  9. Click Save.

Step 3: Configure settings

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devices and then Chrome and then Settings and then Device settings.
  3. To apply the setting to all devices, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  4. Go to Imprivata.
  5. Click Imprivata login screen integration.
  6. Using a text editor, in the extension policy file:
    1. Set agentType to singleUser.
      Note: ChromeOS user sessions do not work if agentType is set to sharedKiosk.
    2. Set useSamlUserSessionsForSingleUserWorkstation to true.
    3. Set the ssoProfile value to the rpid value from the Entity ID.
      • For example, if the Entity ID looks like https://accounts.google.com/samlrp/metadata?rpid=ABCxyz123, the ssoProfile is ABCxyz123.
  7. Upload the replacement extension policy file.
  8. Click Save.
  9. In the Admin console, go to Menu and then Devices and then Chrome and then Apps & extensions and then Users & browsers.

    If you signed up for Chrome Browser Cloud Management, go to Menu and then Chrome browser and then Apps & extensions and then Users & browsers.

  10. Install the Imprivata in-session extension, the Citrix/VMware extensions, and the Smart Card Connector extension (if needed for prox card reader support). Use the same configuration as for managed guest sessions. See Step 4: Configure virtual app and desktop solution.
  11. In the Admin console, go to Menu and then Devices and then Chrome and then Settings. The User & browser settings page opens by default.

    If you signed up for Chrome Enterprise Core, go to Menu and then Chrome browser and then Settings.

  12. Go to Hardware.
  13. Click WebUSB API allowed devices.
  14. Enter the URL and PID/VID:
    • URL: chrome-extension://omificdfgpipkkpdhbjmefgfgbppehke
    • VID:PID:
      • 0C27:3BFA
      • 0C27:3B1E
  15. Click Save.
  16. Go to Power and shutdown.
  17. For AC idle action, select Do nothing.
  18. For Battery idle action, select Do nothing.
  19. Click Save.
  20. In the Admin console, go to Menu and then Devices and then Chrome and then Settings and then Device settings.
  21. (Optional) Delete all locally-stored settings and user data from ChromeOS devices every time a user signs out.
    1. Go to Sign-in settings.
    2. Click User data.
    3. Select Erase all local user data.
    4. Click Save.
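The following is an added example (not from the Google or Imprivata documentation): it builds the SP metadata XML that Step 2 says you must assemble by hand from the Entity ID and ACS URL copied in Step 1, derives the ssoProfile value from the Entity ID's rpid as in Step 3, and writes the three single-user values into the login screen extension policy file. The {"key": {"Value": ...}} layout of the policy file, the sample Entity ID and the ACS URL are assumptions; take the real values from SP Details in the Admin console.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def rpid_from_entity_id(entity_id: str) -> str:
    """Return the rpid query value of a Google SAML SP Entity ID, e.g.
    ABCxyz123 for https://accounts.google.com/samlrp/metadata?rpid=ABCxyz123."""
    query = parse_qs(urlparse(entity_id).query)
    if len(query.get("rpid", [])) != 1:
        raise ValueError("Entity ID does not carry exactly one rpid parameter")
    return query["rpid"][0]


def build_sp_metadata(entity_id: str, acs_url: str) -> str:
    """Minimal SAML 2.0 SP metadata: EntityDescriptor > SPSSODescriptor >
    AssertionConsumerService using the HTTP-POST binding at the ACS URL."""
    ET.register_namespace("md", MD_NS)
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor",
                       protocolSupportEnumeration=SAML_PROTOCOL)
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService", Binding=POST_BINDING,
                  Location=acs_url, index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")


def single_user_policy(policy: dict, entity_id: str) -> dict:
    """Return a copy of the login screen extension policy with the three values
    Step 3 requires. Assumption: the Admin console's {"key": {"Value": ...}}
    layout for extension policy files."""
    updated = json.loads(json.dumps(policy))  # deep copy, leaves other keys intact
    updated["agentType"] = {"Value": "singleUser"}
    updated["useSamlUserSessionsForSingleUserWorkstation"] = {"Value": True}
    updated["ssoProfile"] = {"Value": rpid_from_entity_id(entity_id)}
    return updated


if __name__ == "__main__":
    # Constructed sample values; take the real ones from SP Details in the Admin console.
    entity_id = "https://accounts.google.com/samlrp/metadata?rpid=ABCxyz123"
    acs_url = "https://accounts.google.com/samlrp/acs?rpid=ABCxyz123"
    print(build_sp_metadata(entity_id, acs_url))
    print(json.dumps(single_user_policy({"agentType": {"Value": "sharedKiosk"}}, entity_id), indent=2))
```

Save the printed XML to a file and upload it under Get SAML metadata > From XML in Step 2; the printed JSON is the replacement policy file for Step 3.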

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
