Breaking Down the Passwordless Barrier

Authors: Sean Connolly, Joe Rainone, Josh Tacey

As members of the consulting organization at VMware, we have worked across many different industries, verticals and customers, both big and small. Healthcare organizations are distinct from every other business. They have unique applications, scenarios and challenges. The healthcare industry is ever-changing fueled by constant medical discoveries. On top of this, physicians, nurses, pharmacists, lab technicians and more are working around the clock, 365 days a year, to keep us healthy. The technology healthcare heroes use must be agile and user-friendly so as not to interfere with their mission. For example, quick and easy access to electronic medical records (EMR) is key, which is why VMware architected Mobile Single Sign-On for the Epic mobile applications.

When technology succeeds, so does patient care

Technology should make people’s lives easier, not complicate them. Healthcare workers typically have to enter their passwords many times a day across dozens of workstations. VMware works day in and day out to break down these barriers with one login to replace many. A great example of this is how VMware Horizon works alongside Imprivata, a digital identity management firm. Combining these two technologies allows healthcare workers to sign into their desktops with a tap of their badge. Just a quick tap and healthcare workers can get straight to business, allowing them more time to focus on patients and less time on administrative tasks. VMware Professional Services delivers this solution to dozens of facilities across the country.

The technology landscape is changing and with that change comes the demand for the healthcare industry to adapt. The advent of mobility and the proliferation of tablets and smartphones are making laptops and desktops more and more a thing of the past for on-the-go healthcare workers. While tablets and phones allow nurses and doctors to become mobile and treat their patients at their bedside, technologies like Touch ID and Face ID may unlock a device, but they don’t necessarily give enterprise applications the credentials and identity verification they need. 

While securing electronic protected health information (ePHI) is critical, the need for security often causes frustration. Constantly entering pin codes or passwords slows patient care and causes resistance to technology adoption. We saw this frustration firsthand at a variety of our healthcare customers. Mobile devices go into the hands of clinicians, and they would turn around and suffer from password fatigue.

Architecting a solution for password fatigue

VMware’s EUC Professional Services delivers no touch single sign-on to VMware Workspace ONE Unified Endpoint Management managed devices in the form of Mobile SSO. We configure Mobile SSO for applications like Outlook, Teams, Slack, Salesforce, Zoom, WebEx and VMware’s own Productivity Suite. Mobile SSO is compatible with practically any application that supports SAML or OIDC. The experience follows the workflow below:

1. User unlocks device with Face ID or equivalent
2. User opens app
3. App redirects to VMware Workspace ONE Access
4. The device provides the user’s certificate (simplified) without user interaction
5. Workspace ONE Access issues token to app
6. User is logged into app

Steps 3-6 take seconds to complete. The process is quick and seamless and requires no end user interaction. The app opens, the user is logged-in and the app just works. Workspace ONE UEM issues policies to the device, such as passcode, lock screen timeout, encryption and DLP, and binds a certificate to the end-user who enrolled. Access acts as a broker for authentication. It is secure for IT and simple for the end user.

This technology presents an opportunity to simplify and provide relief of entering passwords multiple times for multiple applications on the same device. The VMware EUC Healthcare Professional Services team took to the task of integrating with Epic. VMware’s Workspace ONE UEM and Access work in tandem with Epic to provide single sign-on for Epic’s mobile applications such as Rover, Haiku and Canto. This solution is cutting-edge and the first of its kind for mobile clinical applications. We worked alongside Epic to implement this solution across multiple hospitals. The video below shows the technology in action.

The technical details of the solution

Here’s an overview of the pieces and how they flow and interact.

A deep dive into the components of this solution

Component 1: Workspace ONE Access OIDC Application/OAuth2.0

• Pro-tip from the field:
  • To generate unique Client ID and Client Secret: Go to Catalog -> Settings -> Remote App Access. Click “Create Client” and click “Generate Shared Secret” and copy that value twice for each Epic mobile app. Close this window once you’ve copied enough values.
• Create new web app type of OpenID Connect with the name and description of the Epic mobile application and environment. For example: PROD – Epic Haiku or DEV – Epic Rover. The important parameters are explained below:
  • Target URL: https://NotUsed.com
  • Redirect URL: https://Placeholder.com
  • Client ID: {one of the unique values generated above}
  • Client Secret: {another one of the unique values generated above}
  • Open in WS1 web: No
  • Show in user Portal: No
  • Save and assign to ALL users or a group allowed to access this Epic app
• Edit the OAuth2.0 Client properties to support the Epic mobile application
  • Go to Catalog -> Settings -> Remote App Access
  • Find the OAuth2 client just created, listed by Client ID
  • Edit and update the SCOPE to just User and OpenID
  • Edit and update the client configuration
    • Redirect URI: This is different per mobile app, here is a non-exhaustive list:
      • epicrover://login/oauth2
      • epichaiku://login/oauth2
      • epiccanto://login/oauth2
      • epicrevor://login/oauth2
      • epicukiah://login/oauth2
      • epicotnac://login/oauth2
    • Access TTL: This is the time in which the application can be opened just by Face ID or Touch ID after the no-touch Mobile SSO authentication. This can be edited to be five minutes or five years. Our suggestion is work with your security team. A balanced number of one hour to four hours makes sense. After the TTL, the app will need to reauthenticate (just a five second process), but in doing so will validate the device is still used by a valid user and up to date with compliance policies.

Component 2: Workspace ONE Access Policy

• It is recommended to create a new Access Policy and assign your Epic OIDC apps rather than use the Default Access Policy. This allows more flexibility in authentication levels.
• This is where you can have different rules for on-network vs. off-network, add MFA or enforce only UEM-managed devices can access this application.
• An example recommended policy could be:

Component 3: Epic eConfig file

• This file tells Haiku, Rover and Canto how to behave and support OAuth2.0.
• Use the Epic Mobile Configurator Editor to add the following requirement properties:
  • OAUTH2.AUTHORIZATION_ENDPOINT: https://ws1access_url/SAAS/auth/oauth2/authorize
  • OAUTH2.TOKEN_ENDPOINT: https://ws1access_url/SAAS/auth/oauthtoken
  • OAUTH2.CLIENT_ID: {Client ID configured in WS1 Access}
  • OAUTH2.CLIENT_SECRET: {Client Secret configured in WS1 Access}
  • LOGIN.AUTH_TYPE: OAuth2 (RFC-6749)
• Export the Epic Client URL for each of the applications you intend to use.

Component 4: Workspace ONE UEM Application Deployment to Targeted Mobile Devices

• Within each mobile application pushed, you will need to “Send Application Configuration.”  This will include the Configuration Key “EpicMobileConfigurationURL,” with type “String” and the value exported from the Epic Mobile Configurator Editor.

Component 5: Load Balancer Transformation

• As noted in the above diagram, the backend Epic Interconnect server doesn’t natively speak OAuth2.0. The Load Balancer in front of the Epic Interconnect needs to validate and transform the OAuth2.0 JWT to the header “Epic-User-ID.”  (An example of a load balancer which can perform this translation is the NSX Advanced Load Balancer.)
• If you are an Epic hosted customer, this is a build that your Epic hosting team has completed previously. If you are an Epic on-premises customer, this would be your responsibility.

Creating efficiencies for what matters most

The healthcare industry evolves from one day to the next. With each change comes the demand to access to patient records on the fly. Electronic medical records and mobile access are crucial to patient care in the 21^st century. With our Epic Mobile applications single sign-on solution, healthcare customers simplify and enhance access to critical patient records on mobile devices. Our solution reduces password fatigue and wasted time managing credentials. Thus, clinicians have the tools they need to focus on patient care.

Contact your VMware sales representative or VMware Professional Services to learn how VMware can improve mobile operations for healthcare workers. 

Epic, Rover, Haiku and Canto are trademarks of Epic Systems Corporation.

---

Joe Rainone

Joe is a passion driven architect in the EUC Professional Services business. His focus is transforming technology into solutions which positively impact customers. He has been working at VMW since 2014, and has worked with 100s of customers learning how each operates.  Passions within the industry revolve around Identity and Access Management, along with the relatively new Zero Trust push.  He is excited to keep experiencing new customers, challenges, and partnering to find the best outcomes.