- DarkLight
- PDF
Introduction to EpicAuth for Hyperdrive
EpicAuth version 4.x is required for Epic Hyperdrive. EpicAuth 3.x versions only work with Hyperspace Classic.
While client endpoints may continue to use the 3.x version in Citrix deployments, we strongly encourage upgrading to 4.x. Improvements and fixes will only be included in 4.x versions.
Hyperspace: EMR (Electronic Medical Record) application created by Epic.
Hyperspace Classic: client/server desktop application that was historically used to run Hyperspace and was typically hosted on Citrix.
Hyperdrive: web-based application viewer. While it is used to access Hyperspace, it is typically referred to as Hyperdrive to differentiate it from Hyperspace Classic.
The following sections of this document detail the Supported Workflows, Prerequisites, and Client/Server Requirements.
Supported Workflows
The following workflows will be supported in this release:
- Basic Workflow with XA integration
- Single sign-on to Epic
- Login, logout and secure
- User switching (with badge or username and password)
- Epic user state synchronization
- Re-authentication and Co-signing using only a badge (for non-controlled substances and pharmacy workflows)
- Standalone Narrator workflow
- Badge scanning for arrival and departure events in trauma bays
- Systems are configured in non-locking Kiosk Mode
- Integrated Narrator workflow
- Badge scanning for arrival and departure events in trauma bays
- XA is not restricted to non-locking Kiosk Mode
- Community Connect
"Epic’s Community Connect program is a cost-effective solution that allows smaller organizations to connect to larger hospital systems in an attempt to connect it to the more extensive, comprehensive Epic electronic health record (EHR) system." https://www.suretysystems.com
- EPCS (E-Prescribing Controlled Substances)
- This workflow supports re-authentication with push notifications, OTP, or biometric readers
- Requires a separate installer and additional configuration.
Prerequisites
Supported Hyperdrive Versions: February 2022 and higher
Supported ExactACCESS (XA) Versions:
- 4.13.x Client and Server
- 4.14.x Client and Server
Supported Configurations:
- Hyperdrive hosted on Citrix, including using Slingshot on the client to launch the Hyperdrive instance (See FAQ #5 for more information about this configuration)
- Hyperdrive installed on local workstations and virtual desktops
- Community Connect
Client/Server Requirements
Hyperdrive hosted on Citrix
- Client
- Windows 10, 11
- ExactACCESS Client 4.13 or newer
- Citrix Client configured to connect to the environment hosting Hyperdrive
- EpicAuth version 4.x
- While client endpoints may continue to use the 3.x version in Citrix deployments, we strongly encourage upgrading to 4.x. Improvements and fixes will only be included in 4.x versions.
- Optional: Epic Slingshot configured to launch the Hyperdrive published application
- Citrix Server
- .NET 4.8
- Epic Hyperdrive Feb 2022 or higher
- EpicAuth Plugin version 4.x
Hyperdrive installed on local workstations
- Client
- Windows 10
- .NET 4.8
- Epic Hyperdrive Feb 2022 or higher
- EpicAuth Plugin version 4.x or above
Getting Started - Overview
- Request access to the Epic Auth Plugin
- Create Client Registration keys used by the EpicAuth plugin and provide the public key to Identity Automation
- Create SAML key pairs (if needed)
- (With Epic TS) Configure Epic E0G records with the correct ProgIDs for the Auth Plugin
- (With Epic TS) Configure the Interconnect Oauth2 back-end service
Request Access to EpicAuth Plugin
If you do not currently have access to the EpicAuth Plugin, you may request access to it using the "Epic on FHIR" website https://fhir.epic.com. Identity Automation will receive a notification of your request.
To find the Auth Plugin on the "Epic on FHIR" website
- Search for this client ID: cec0f8f1-9621-4ae5-8ddf-98a0601fdee5.
- If needed, please reach out to your Epic TS for assistance.
Create Client Registration Keys
The key pairs will be used for registering your Epic instance on each system where Hyperdrive is installed.
- The private (PFX) keys will need to be deployed to each system where the plugin is installed and is used for the registration process
- The CER (certificate) file needs to be sent to Identity Automation to associate with the "Epic on FHIR" request
Once you create the public/private key pairs, you will need to keep the private keys secured! It will be up to you to manage these keys and ensure they are secured.
- The private keys are stored in password-protected .PFX files.
- You will also need to keep the password for the .PFX files secured.
How to create client registration key pairs
- Install EpicAuth using the Identity Automation ProxCard Epic Login Device.msi
- Run the key generation tool
a. IA.EpicAuth.Key.Generator.exe is located in the installation directory (default C:\Program Files (x86)\Identity Automation\EpicAuth). - Set Production and Non-Production passwords
- Determine an appropriate Production password and enter it into the Production password fields (Password and Password Validate)
- Determine an appropriate Non-Production password (different than your Production password) and enter it into the Non-Production password fields (Password and Password Validate)
- Click the Create Static Keys button
- This tool will create four files:
a. A non-prod password-protected .PFX file which contains a private key
b. A non-prod .cer certificate file that contains a public key
c. A production password-protected .PFX file which contains a private key
d. A production .cer certificate file that contains a public key - Provide both public key certificate files IA Epic Hyperdrive Static Key Prod.cer and IA Epic Hyperdrive Static Key Non-Prod.cer to Identity Automation. You can create a support ticket and attach these files to the support ticket. Do not provide the private keys to Identity Automation, only the public key certificate files. Identity Automation does not need any keys for the EPCS solution, if you are using that product.
Create SAML key pairs
If using EPCS or SAML for authentication, you will need to generate SAML key pairs.
- Run the key generation tool
a. IA.EpicAuth.Key.Generator.exe is located in the installation directory (default C:\Program Files (x86)\Identity Automation\EpicAuth). - Set Production and Non-Production passwords
- Determine an appropriate Production password and enter it into the Production password fields (Password and Password Validate)
- Determine an appropriate Non-Production password (different than your Production password) and enter it into the Non-Production password fields (Password and Password Validate)
- Select the Create EPCS/SAML Key button.
- This will open a separate "Create Epic Hyperdrive SAML Key" window. Click the Create SAML key button, and the SAML certificate files will be saved to your local TEMP folder.
- Four files will be created:
- IA Epic Hyperdrive SAML.cer
- Public certificate that needs to be uploaded to the Epic operational database by your Epic TS
- IA Epic Hyperdrive SAML.pem
- No action necessary for this file
- IA Epic Hyperdrive SAML.pfx
- No action necessary for this file
- IA Epic Hyperdrive SAML-cryptoapi.pfx
- Private certificate which needs to be deployed to each system that will be using SAML
- IA Epic Hyperdrive SAML.cer
Configure Epic E0G records with the correct ProgIDs for the Auth Plugin
See Configuration and Installation.