VAM. Epic epcs Value-Added Module (VAM) Deployment Guide

Similar documents
VAM. ADFS 2FA Value-Added Module (VAM) Deployment Guide

VAM. Radius 2FA Value-Added Module (VAM) Deployment Guide

OAM 2FA Value-Added Module (VAM) Deployment Guide

Introduction. SecureAuth Corporation Tel: SecureAuth Corporation. All Rights Reserved.

BEST PRACTICES GUIDE RSA MIGRATION MODULE

Electronically Prescribing Controlled Substances

BMC FootPrints 12 Integration with Remote Support

BEST PRACTICES GUIDE MFA INTEGRATION WITH OKTA

VAM. PeopleSoft Value-Added Module (VAM) Deployment Guide

VAM. CAS Installer (for 2FA) Value- Added Module (VAM) Deployment Guide

Integration Guide. SecureAuth

Device Recognition Best Practices Guide

CA Service Desk Integration with Remote Support

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Verizon Registration Process:

Microsoft Dynamics CRM Integration with Remote Support

<Partner Name> <Partner Product> RSA SECURID ACCESS. VMware Horizon View 7.2 Clients. Standard Agent Client Implementation Guide

Verizon Registration Process:

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

Microsoft Dynamics CRM Integration with Bomgar Remote Support

Electronic Prescribing of Controlled Substance (EPCS) Registration Single Provider Process

JIRA Integration Guide

RED IM Integration with Bomgar Privileged Access

HEAT Software Integration with Remote Support

VMware AirWatch Integration with SecureAuth PKI Guide

Health Analyzer VAM Best Practices Guide

SET UP GUIDE. Easy Dental eprescribe

Integrating AirWatch and VMware Identity Manager

Integrate HEAT Software with Bomgar Remote Support

SecureAuth IdP Realm Guide

.NET SAML Consumer Value-Added (VAM) Deployment Guide

Echidna Concepts Guide

Two factor authentication for Microsoft Remote Desktop Web Access

One Identity Starling Two-Factor Desktop Login 1.0. Administration Guide

ServicePass Installation Guide SurePassID Authentication Server 2017

Authlogics Forefront TMG and UAG Agent Integration Guide

SIEM Tool Plugin Installation and Administration

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

External Authentication with Checkpoint R77.20 Authenticating Users Using SecurAccess Server by SecurEnvoy

NetIQ Advanced Authentication Framework - Virtual Desktop Authentication (VDA) Shell. User's Guide. Version 5.1.0

Integration Guide. LoginTC

Electronic Prescribing for Controlled Substances. EPCS with NewCrop e-prescribing Identity Proofing with Exostar. Setup and User Guide

Migrate Data from Cisco Secure ACS to Cisco ISE

<Partner Name> <Partner Product> RSA SECURID ACCESS. Pulse Secure Connect Secure 8.3. Standard Agent Client Implementation Guide

isupplier Portal Registration & Instructions Last Updated: 22-Aug-17 Level 4 - Public INFRASTRUCTURE MINING & METALS NUCLEAR, SECURITY & ENVIRONMENTAL

Integrated for Océ Setup Guide

RHS EPCS Webinar 1 of 3

Bomgar SIEM Tool Plugin Installation and Administration

Embedded for Xerox EPA-EIP Setup Guide

Yubico with Centrify for Mac - Deployment Guide

Aventail Connect Client with Smart Tunneling

Equitrac Embedded for Sharp OSA. Setup Guide Equitrac Corporation

Equitrac Embedded for Kyocera Mita. Setup Guide Equitrac Corporation Equitrac Corporation

SurePassID Local Agent Guide SurePassID Authentication Server 2016

Choosing the right two-factor authentication solution for healthcare

BMC Remedy Integration with Remote Support

SAML-Based SSO Configuration

Centrify for Dropbox Deployment Guide

IAG Second Factor Delivery Methods

SailPoint IdentityIQ 6.4

DigitalPersona Pro Enterprise

User guide NotifySCM Installer

DreamFactory Security Guide

External Authentication with Ultra Protect v7.2 SSL VPN Authenticating Users Using SecurAccess Server by SecurEnvoy

The Benefits of EPCS Beyond Compliance August 15, 2016

USER MANUAL ID PROOFING AND TWO-FACTOR AUTHENTICATION THROUGH FALCON PHYSICIAN TABLE OF CONTENTS

Enabling Smart Card Logon for Linux Using Centrify Suite

New World ERP-eSuite

Barracuda Networks SSL VPN

AppController :21:56 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

Deliver and manage customer VIP POCs. The lab will be directed and provide you with step-by-step walkthroughs of key features.

SAML-Based SSO Configuration

VAM. Java SAML Consumer Value- Added Module (VAM) Deployment Guide

Remote Deposit. Getting Started Guide

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

Caradigm Single Sign-On and Context Management RSA Ready Implementation Guide for. Caradigm Single Sign-On and Context Management 6.2.

SPNEGO SINGLE SIGN-ON USING SECURE LOGIN SERVER X.509 CLIENT CERTIFICATES

MyClinic. Password Reset Guide

Deploying VMware Workspace ONE Intelligent Hub. October 2018 VMware Workspace ONE

Bechtel Partner Access User Guide

Pulse Workspace Appliance. Administration Guide

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

SOA Software API Gateway Appliance 6.3 Administration Guide

SurePassID ServicePass User Guide. SurePassID Authentication Server 2017

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

HOTPin Software Instructions. Mac Client

Managed Access Gateway. User Guide

DigitalPersona for Healthcare Organizations

VMware Identity Manager Administration

Pulse Secure Policy Secure

Installing and Configuring vcloud Connector

Setting Up Resources in VMware Identity Manager

Equitrac Integrated for Océ

Single Secure Credential to Access Facilities and IT Resources

Managed Access Gateway. User Guide

MyFloridaNet-2 (MFN-2) Customer Portal/Password Management Reference Guide

Two factor authentication for WatchGuard XTM and Firebox IPSec

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

Transcription:

VAM Epic epcs Value-Added Module (VAM) Deployment Guide

Copyright Information 2018. SecureAuth is a registered trademark of SecureAuth Corporation. SecureAuth s IdP software, appliances, and other products and solutions are copyrighted products of SecureAuth Corporation. Version 1.0 For information on support for this module, contact your SecureAuth support or sales representative: Email: support@secureauth.com inside-sales@secureauth.com Phone: +1.949.777.6959 or +1-866- 859-1526 Website: https://www.secureauth.com/support https://www.secureauth.com/contact 2

Table of Contents Introduction... 4 Features... 4 Process Flow Example... 5 Use Examples... 6 Soft-Token epcs Second Factor... 6 Soft-Token epcs with Password... 7 Push-to-Accept epcs... 7 Installation... 10 Epic Configuration... 11 IdP Configuration... 11 Testing... 14 Best Practices... 16 Update Warning... 16 3

Introduction SecureAuth s Epic epcs Value-Added Module (VAM) enables seamless integration between SecureAuth IdP s Multi-Factor Authentication (MFA) and Epic s Hyperspace platform for the E-Prescribing of Controlled Substances (epcs) system. Using this integrated package, qualified physicians can write prescriptions quickly and securely while meeting DEA requirements for e-prescribing. This guide also includes instructions on installing and configuring the VAM that enables the link between Epic Hyperspace and SecureAuth IdP. Why select SecureAuth IdP? SecureAuth s flexible authentication framework allows providers to deploy DEA compliant Two-Factor Authentication (2FA) in ways that are not intrusive on physicians; and in many cases SecureAuth can actually optimize workflows by reducing clicks. Its aim is to provide the quickest way to ensure that the accessing physician is the one authorized to approve the prescription, per DEA standards. Features + Seamless integration into preexisting Epic e-prescribing workflows + Multiple authentication methods that not only meet DEA regulation but make 2FA easy for physicians such as push-to-accept, fingerprint, and other DEA-compliant methods + Flexible authentication platform that allows providers to select the 2FA method which best conforms to workflow requirements for e-prescribing 4

Process Flow Example The process flow using the Epic epcs VAM is shown in Figure 1. Physician logs into Hyperspace Physician is prompted to perform DEAcompliant 2FA authentication Enter SecureAuth IdP Physician is prompted for admin- approved 2FA If authorization is successful, prescription is finalized and submitted Physician supplies 2FA (e.g. P2Accept, mobile token, hard token) FIGURE 1. Process Flow Example Using Epic epcs 5

Use Examples Soft-Token epcs Second Factor The following example illustrates a commonly-deployed 2FA method that utilizes mobile devices featuring FIPS 140-2-compliant One-Time-Password (OTP) tokens. This method is easy for the physicians to use, and because of its FIPS 140-2 compliance, it meets the DEA s requirement for 2FA. In this example: 1. The physician enters his/her user name. The physician is prompted for a method to receive the required passcode. The passcode is sent by way of the specified device. 2. The physician enters the received passcode then presses Enter. The physician has entry to the epcs system. 6

Soft-Token epcs with Password In a variation on the first example, the process requires the physician to perform soft-token epcs second factor as shown in the following illustration examples (using both a password and a passcode): The physician is then required to submit their fingerprint to the fingerprint touch screen before entrance to the system is allowed. 1. The physician enters a user name. The physician is prompted for a method to receive the required passcode. The passcode is sent by way of the designated device. 2. The physician enters the received passcode then presses Enter. The physician is prompted to present their fingerprint at the fingerprint touch reader. The reader can be on an attached dedicated reader, a desktop computer, a laptop, or a smart phone. 3. The physician presents their fingerprint to the reader. Reading a fingerprint is compliant with the FIPS 140-2 standard. The epcs data is accessible to the physician. Push-to-Accept epcs To comply with DEA requirements while providing the quickest possible access, SecureAuth IdP also features push-to-accept with TouchID for epcs authentication. Many providers are moving to push-to-accept with TouchID because it not only reduces the number of clicks and character entries a physician has to perform, but also incorporates all three of the authentication factors identified by the DEA: 7

+ Something you know (username/password) + Something you have (mobile device) + Something you are (fingerprint for TouchID) An example of the process required to perform push-to-accept epcs 2FA is shown in the following illustration example: Essentially, the path is: 1. The physician opens the application on his/her smart phone or other PC. The application prompts the prospective physician for authentication. At the same time, the secondary device is activated. 2. The physician pushes a button on the device to accept the request for entry. The application allows entry to the required data. 8

If Push-to-Accept is used with accounts that have multiple registered mobile devices, a screen appears with a list of mobile devices from which the user can select, as shown below. 9

Installation To configure SecureAuth IdP for the Epic epcs VAM: 1. Designate a realm in your SecureAuth appliance to provide API access to the SecureAuth Epic epcs VAM. 2. Follow the steps provided in https://docs.secureauth.com/x/sgljag to enable the Authentication API. 3. Set the realm designated for the Authentication API to enable access to the profile attribute that stores the OATH seed for the OTP. Make sure the Data tab of the API realm has the proper profile attributes and the OATH OTP registration method is configured. To install and configure the Epic epcs VAM: 1. Copy the provided ZIP file to a temporary location on the server running Epic Hyperspace. This is usually a server that can be accessed using a virtual desktop infrastructure (VDI). 2. Extract the provided ZIP archive to the same temporary location on the server. 3. Copy the SecureAuth folder contained in the extracted ZIP archive to the C: drive root. 4. Open the SecureAuth folder, now located at C:\SecureAuth\, and run the RegisterSALoginDevice.bat as an Administrator. This will add SecureAuthLoginDevice.dll to the server s code base. NOTE: By executing this.bat file, this SecureAuth Epic epcs VAM is automatically registered on the Citrix server, enabling you to bypass regsvr32 for this DLL. 5. Open SASettings.xml using Notepad or a comparable text editor and modify the following settings: SecureAuthAPIUrl epcsurl AppID AppKey Retry The URL used to access the Authentication API realm defined in the SecureAuth Configuration. It must be accessible by HTTPS and the certificate used to serve the SSL connection must be trusted by the Epic Hyperspace server. References the local host running Epic Hyperspace. This URL should not be changed. The AppID provided by the Authentication API settings in the SecureAuth appliance as defined by the Authentication API realm defined above. The AppKey provided by the Authentication API settings in the SecureAuth appliance as defined by the Authentication API realm defined above. Indicates the number of attempts a user has to correctly enter his/her OTP before the Epic epcs VAM returns to Epic and fails to authenticate the message. 10

LogLevel WindowTitle RequirePassword LogoPath EnablePush PreferStaticPin The default value should be set to 0 which turns off logging. Do not change this value unless instructed to do so by a SecureAuth Engineer. Indicates the title text that will display on the Epic epcs VAM dialog box. If set to 1, the user will be required to enter their password for the configured data store in the Authentication API realm when using the Epic epcs VAM. Specifies the full path on the disk of the custom logo image displayed in the Epic epcs VAM. For example: C:\SecureAuth\logo.png Enables Push-to-Accept as the second factor method as provided by the Epic epcs VAM. To enable, set this value to 1. The default value is 0 (push-to-accept disabled). If the Push-to-Accept method is used with accounts that have multiple registered mobile devices, the software will display a list of devices from which the user can select. + If no devices are found, the software will notify the user + If only one device is found, it will automatically send the push request without waiting for a selection Enables or disables the static PIN feature. If set to 0, it indicates the use of TOTP (OATH) token. If set to 1, it enables the use of a static PIN. If this feature is enabled and the user has a static PIN, it will verify against the static PIN. If no PIN is found for the user, it will default to using a standard TOTP token. 6. Save the SASettings.xmlfile. Epic Configuration Follow the Epic documentation for the steps required to add a new authentication provider. Epic will ask for the Login Device Programmatic ID (Pronged). Add this value to that field: SecureAuthLoginDevice.Receiver. NOTE: Epic documentation is only available to registered customers. The documents section only appears once the user has signed in. IdP Configuration Configuring SecureAuth IdP for use with Epic epcs involves the creation of a realm dedicated to handling the necessary API instructions. NOTE: Configuring SecureAuth IdP for use with Epic epcs should be handled, at least initially, by the SecureAuth deployment staff and should not be the client s responsibility. To create an API-specific realm, do this: 1. Open SecureAuth IdP Web Admin. Make sure you have an on-premises directory with which SecureAuth IdP can integrate. 11

2. Create a new realm in which the API instructions will be enabled. For detailed instructions on doing this, refer to the SecureAuth IdP Realm Guide. 3. Click the Data tab, configure the required fields, then click Save. A directory integration is required for SecureAuth IdP to pull user profile information during the login process. 4. Click the API tab and scroll down to the API Key section. 5. Check Enable API for this realm box. 6. Click the Generate Credentials button to create a new Application ID and Application Key. The Application ID and Application Key are unique per realm. NOTE: The API key looks like it is comprised of 64 random characters, but it is actually composed of 32 two-character hexadecimal values. This is important when using the API key to produce the required HMAC hash. 7. Click the Select & Copy button to copy the contents from the fields. These values will be required in the HTTP Header configuration. 8. Scroll down to the API Permissions section. 9. Check the Enable Authentication API box. 10. If required, check one or more Identity Management tools to include in the API. 12

User management add, update, and retrieve users and their properties Administrator initiated password reset User self-service password change User & group association (LDAP) Use this tool to add new user profiles, and to retrieve and update existing user profiles. Updating a user profile includes setting and/or clearing property values in the user profile. Use this tool to let an administrator send the end-user a new password requested via an application. Use case scenario: the end-user requests a new password because the current one has been forgotten. Use this tool to let the end-user enter both the current password and create a new password. This tool is used in conjunction with the administrator-initiated password reset option: the end-user enters the password sent by the administrator (the current password) then enters a new password. Use this tool to enable associations between existing users and groups within the LDAP data store. 11. Click Save. A more detailed discussion of API configuration, HTTP header formation, and optional configurations can be found on-line in the Authentication API Guide. 13

Testing Epic provides a standalone.net Testing tool that can be used to verify that the Epic epcs VAM is working before adding it into Hyperspace s configuration. The steps below outline how to use the tool. 1. From the SecureAuth folder, open the Test folder. 2. Click to initiate the StandAloneNETTester.exe file. The following window appears: Enter the value SecureAuthLoginDe vice.receiver in the ProgID field 3. In the ProgID field, enter: SecureAuthLoginDevice.Receiver. 4. Click Authenticate. A Request Form window like this example appears. 14

5. In the Key field, enter: UserID. 6. In the Value field, enter the username for the user to be tested. 7. Click the Add Data button. 8. Click the Return True button. The Epic epcs VAM appears. If the device completes successfully, the Results field on the Main Form updates with a success; otherwise the Results field displays a Perform Action Failed condition. 15

Best Practices There are only a few points to consider when evaluating best practices for the Epic epcs tool: + Make sure your Citrix server is configured and running properly. For information on doing this, refer to your Citrix user guide. + Make sure to run the RegisterSALoginDevice.bat file to automatically register the SecureAuthLoginDevice.dll file. Update Warning The process of updating SecureAuth IdP software to a newer version may cause the SecureAuth Epic epcs module to become invalid and the adapter itself to stop working. Until this feature is included in the main product, these customizations will need to be merged into any future updates. Please contact tailoringfrontline@secureauth.com before making any updates. 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback