Configure Hyperdrive to Integrate with Identity Automation
  • 18 Feb 2025


Follow these steps to configure the Epic Hyperdrive backend to integrate with Identity Automation’s EpicAuth Plugin:

  1. Request Access to the EpicAuth Plugin

  2. Create Client Registration Keys

  3. Create SAML Key Pairs

  4. Create a Device (E0G) Record in Epic

  5. Configure the Interconnect OAuth2 Back-End Service

  6. Turn off the Pause Form

Request Access to EpicAuth Plugin

  • Visit the Epic on FHIR website.

  • Search for the specific Client ID: cec0f8f1-9621-4ae5-8ddf-98a0601fdee5

  • Submit a request for access to the EpicAuth Plugin.

  • Identity Automation will receive a notification of your request.

  • Tip: If you need assistance, contact your Epic Technical Support (TS) representative.

Create Client Registration Keys

📒 What are the Client Registration key pairs used for?

The key pairs will be used to register your Epic instance on each system where Hyperdrive is installed.

  • The private (PFX) keys must be deployed to each system where the plugin is installed and used for the registration process.

  • The CER (certificate) file must be sent to Identity Automation to associate with the "Epic on FHIR" request.

🛡️ IMPORTANT!

Once you create the public/private key pairs, you must keep the private keys secured! It will be up to you to manage these keys and ensure they are secured.

  • The private keys are stored in password-protected “.PFX” files.

  • You must also secure the password for the “.PFX” files.

How to create client registration key pairs

  1. Run the “Identity Automation ProxCard Epic Login Device.msi” installer to get access to the key generation tool.

    1. 📒 You are running the plugin installer only to get access to the key generation tool. You can uninstall the plugin after creating the client registration and SAML keys.

  2. Run the key generation tool.
    a. IA.EpicAuth.Key.Generator.exe is located in the installation directory (default C:\Program Files (x86)\Identity Automation\EpicAuth).

  3. Set Production and Non-Production passwords.

    1. Determine an appropriate Production password and enter it into the Production password fields (Password and Password Validate).

    2. Determine an appropriate Non-Production password (different from your Production password) and enter it into the Non-Production password fields (Password and Password Validate).

  4. Click the Create Static Keys button.

  5. This tool will create four files:
    a. A non-prod password-protected “.PFX” file which contains a private key
    b. A non-prod .cer certificate file that contains a public key
    c. A production password-protected “.PFX” file which contains a private key
    d. A production .cer certificate file that contains a public key

  6. Provide both public key certificate files, “IA Epic Hyperdrive Static Key Prod.cer” and “IA Epic Hyperdrive Static Key Non-Prod.cer”, to Identity Automation. You can create a support ticket and attach these files to it. Do not provide the private keys to Identity Automation, only the public key certificate files.

    1. Note: Identity Automation does not need any keys for the EPCS solution if you are using that product.
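
A pre-send check for step 6, as an added example (not Identity Automation's or Epic's tooling): it classifies each file by content rather than by extension, so a PFX never goes out under a .cer name, and it lists the ACL allow entries on the PFX files that stay behind. The function name and the `$KeyFolder` parameter are assumptions; the file names are the ones given in step 6.

```powershell
# Added example. $KeyFolder is an assumption: the folder holding the generated files.
function Test-EpicAuthHandoff {
    param([Parameter(Mandatory)] [string] $KeyFolder)

    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    # Public certificates named in step 6 of the article.
    $toSend = 'IA Epic Hyperdrive Static Key Prod.cer',
              'IA Epic Hyperdrive Static Key Non-Prod.cer'

    foreach ($name in $toSend) {
        $path = Join-Path -Path $KeyFolder -ChildPath $name
        $row  = [ordered]@{ File = $name; SafeToSend = $false; Detail = '' }
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $row.Detail = 'file not found'
        }
        else {
            # .NET resolves relative paths against the process directory, so pass a full path.
            $path = (Resolve-Path -LiteralPath $path).ProviderPath
            # Classify by content, not extension: a PFX renamed to .cer is still a PFX.
            try { $type = $x509::GetCertContentType($path) } catch { $type = 'Unknown' }
            if ($type -ne 'Cert') {
                $row.Detail = "content type is $type, not a bare certificate"
            }
            else {
                $cert = $x509::new($path)
                $row.SafeToSend = -not $cert.HasPrivateKey
                $row.Detail = "thumbprint $($cert.Thumbprint), expires $($cert.NotAfter.ToString('yyyy-MM-dd'))"
            }
        }
        [pscustomobject]$row
    }

    # Private-key side: never attached; list the ACL allow entries on each PFX for review.
    Get-ChildItem -LiteralPath $KeyFolder -Filter '*.pfx' -File | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        $who = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' } |
               ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        [pscustomobject]@{
            File       = $_.Name
            SafeToSend = $false
            Detail     = 'private key; ACL allow entries: ' + ($who -join ', ')
        }
    }
}

# Usage (placeholder path):
# Test-EpicAuthHandoff -KeyFolder 'C:\path\to\generated-keys' | Format-List
```

Recording the thumbprints in the support ticket text gives both sides a value to compare against the attached files.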

Create SAML Key Pairs

You must generate SAML key pairs if using EPCS or SAML for authentication.

  1. Run the key generation tool.
    a. IA.EpicAuth.Key.Generator.exe is located in the installation directory (default C:\Program Files (x86)\Identity Automation\EpicAuth).

  2. Set Production and Non-Production passwords.

    1. Determine an appropriate Production password and enter it into the Production password fields (Password and Password Validate).

    2. Determine an appropriate Non-Production password (different from your Production password) and enter it into the Non-Production password fields (Password and Password Validate).

  3. Select the Create EPCS/SAML Key button.

    1. This will open a separate "Create Epic Hyperdrive SAML Key" window. Click the Create SAML key button, and the SAML certificate files will be saved to your local TEMP folder.

  4. Four files will be created:

    1. IA Epic Hyperdrive SAML.cer

      1. The public certificate that needs to be uploaded to the Epic operational database by your Epic TS

    2. IA Epic Hyperdrive SAML.pem

      1. No action is necessary for this file

    3. IA Epic Hyperdrive SAML.pfx

      1. No action is necessary for this file

    4. IA Epic Hyperdrive SAML-cryptoapi.pfx

      1. The private certificate that needs to be deployed to each system that will be using SAML

Create a Device (E0G) Record in Epic

To create and configure Identity Automation's authentication devices in Hyperdrive, have your Epic Client Systems Administrator (ECSA) or Epic Security Analyst follow the directions in the 3rd Party Authentication Setup section of the Authentication Setup and Support Guide. This guide is maintained and supported by Epic and has directions on setting up 3rd-party authentication device (E0G) records and configuring them in Authentication Administration to allow Hyperdrive to use an authentication device.

While using the Guide, use the following Identity Automation ProgIDs:

  1. IA.Hyperdrive.ProxCard - Enables proximity card authentication in Hyperdrive; should be configured as the first primary authentication device.

    1. It can also be used for Standalone Narrator workflows.

    2. IMPORTANT: Epic's Default Login (0) device should be added to the Primary Device setting after the IA.Hyperdrive.ProxCard device.

  2. IA.Hyperdrive.ProxCardPassive - Enables passive proximity card authentication in Hyperdrive. It should only be used in the Integrated Narrator workflow.

    1. Using this ProgID requires that the IA.Hyperdrive.ProxCard device has been configured for primary authentication.

To configure SAML authentication, use the following in the Web Device Settings screen:

  • Token Type: SAML 2

  • SAML Issuer: IA Epic Hyperdrive SAML

  • SAML Key File: The “IA Epic Hyperdrive SAML.cer” file generated in step 4 of the Create SAML Key Pairs section.

Configure the Interconnect OAuth2 Back-End Service (with Epic Technical Support)

Identity Automation EpicAuth uses Interconnect to interact with Epic Hyperdrive. A user with the proper permissions must be set up to allow this interaction. There are two ways to associate users with an application within the Interconnect OAuth2 configuration:

  1. OPTION 1 - Set a default user to associate with all external applications. For example:

    1. Within the Interconnect Administrator's menu, select OAuth2 Management, then Edit System Settings and set the default user.

  2. OPTION 2 - Set a different user for each external client (such as the Identity Automation Auth Plugin). For example:

    1. Create a new background user (no specific security points or classes are needed).

    2. Associate the new background user with the Interconnect OAuth2 back-end service.

      1. Within the Interconnect Administrator's menu, select OAuth2 Management.

      2. Enter HealthCast Epic Authentication in the "External Client" column.

      3. Specify the User (EMP) record in the "Associated User" column.

📒 For Additional Guidance

Contact your Epic TS for detailed instructions and more information about configuring Interconnect OAuth2.

Turn off the Pause Form

The Pause Form must be turned off to allow users to tap in. Run the following command in the Epic Operational Database to complete this task:

d ^%ZeUSTBL > Security > Login Settings > Client Login Settings > 
Always show pause form on secure? No

Next Step: Install and configure the EpicAuth plugin

