16 May 2024
5 Minutes to read
Contributors

Share
Dark
Light
PDF

Introduction to EpicAuth for Hyperdrive

Updated on 16 May 2024
5 Minutes to read
Contributors

Share
Dark
Light
PDF

Article summary

Did you find this summary helpful?

Thank you for your feedback

**Important information about Authentication Plug-In software for Hyperdrive

EpicAuth version 4.x is required for Epic Hyperdrive. EpicAuth 3.x versions only work with Hyperspace Classic.

While client endpoints may continue to use the 3.x version in Citrix deployments, we strongly encourage upgrading to 4.x. Improvements and fixes will only be included in 4.x versions.

Hyperspace

Hyperspace: EMR (Electronic Medical Record) application created by Epic.
Hyperspace Classic: client/server desktop application that was historically used to run Hyperspace and was typically hosted on Citrix.
Hyperdrive: web-based application viewer. While it is used to access Hyperspace, it is typically referred to as Hyperdrive to differentiate it from Hyperspace Classic.

The following sections of this document detail the Supported Workflows, Prerequisites, and Client/Server Requirements.

Supported Workflows

The following workflows will be supported in this release:

Basic Workflow with XA integration
1. Single sign-on to Epic
2. Login, logout and secure
3. User switching (with badge or username and password)
4. Epic user state synchronization
Re-authentication and Co-signing using only a badge (for non-controlled substances and pharmacy workflows)
Standalone Narrator workflow
1. Badge scanning for arrival and departure events in trauma bays
2. Systems are configured in non-locking Kiosk Mode
Integrated Narrator workflow
1. Badge scanning for arrival and departure events in trauma bays
2. XA is not restricted to non-locking Kiosk Mode
Community Connect

What is Epic Community Connect?

"Epic’s Community Connect program is a cost-effective solution that allows smaller organizations to connect to larger hospital systems in an attempt to connect it to the more extensive, comprehensive Epic electronic health record (EHR) system." https://www.suretysystems.com

EPCS (E-Prescribing Controlled Substances)
1. This workflow supports re-authentication with push notifications, OTP, or biometric readers
2. Requires a separate installer and additional configuration.

Prerequisites

Supported Hyperdrive Versions: February 2022 and higher

Supported ExactACCESS (XA) Versions:

4.13.x Client and Server
4.14.x Client and Server

Supported Configurations:

Hyperdrive hosted on Citrix, including using Slingshot on the client to launch the Hyperdrive instance (See FAQ #5 for more information about this configuration)
Hyperdrive installed on local workstations and virtual desktops
Community Connect

Client/Server Requirements

Hyperdrive hosted on Citrix

Client
1. Windows 10, 11
2. ExactACCESS Client 4.13 or newer
3. Citrix Client configured to connect to the environment hosting Hyperdrive
4. EpicAuth version 4.x
  1. While client endpoints may continue to use the 3.x version in Citrix deployments, we strongly encourage upgrading to 4.x. Improvements and fixes will only be included in 4.x versions.
5. Optional: Epic Slingshot configured to launch the Hyperdrive published application
Citrix Server
1. .NET 4.8
2. Epic Hyperdrive Feb 2022 or higher
3. EpicAuth Plugin version 4.x

Hyperdrive installed on local workstations

Client
1. Windows 10
2. .NET 4.8
3. Epic Hyperdrive Feb 2022 or higher
4. EpicAuth Plugin version 4.x or above

Getting Started - Overview

Request access to the Epic Auth Plugin
Create Client Registration keys used by the EpicAuth plugin and provide the public key to Identity Automation
Create SAML key pairs (if needed)
(With Epic TS) Configure Epic E0G records with the correct ProgIDs for the Auth Plugin
(With Epic TS) Configure the Interconnect Oauth2 back-end service

Request Access to EpicAuth Plugin

If you do not currently have access to the EpicAuth Plugin, you may request access to it using the "Epic on FHIR" website https://fhir.epic.com. Identity Automation will receive a notification of your request.

To find the Auth Plugin on the "Epic on FHIR" website

Search for this client ID: cec0f8f1-9621-4ae5-8ddf-98a0601fdee5.
If needed, please reach out to your Epic TS for assistance.

Create Client Registration Keys

What are the Client Registration key pairs used for?

The key pairs will be used for registering your Epic instance on each system where Hyperdrive is installed.

The private (PFX) keys will need to be deployed to each system where the plugin is installed and is used for the registration process
The CER (certificate) file needs to be sent to Identity Automation to associate with the "Epic on FHIR" request

IMPORTANT!

Once you create the public/private key pairs, you will need to keep the private keys secured! It will be up to you to manage these keys and ensure they are secured.

The private keys are stored in password-protected .PFX files.
You will also need to keep the password for the .PFX files secured.

How to create client registration key pairs

Install EpicAuth using the Identity Automation ProxCard Epic Login Device.msi
Run the key generation tool
a. IA.EpicAuth.Key.Generator.exe is located in the installation directory (default C:\Program Files (x86)\Identity Automation\EpicAuth).
Set Production and Non-Production passwords
1. Determine an appropriate Production password and enter it into the Production password fields (Password and Password Validate)
2. Determine an appropriate Non-Production password (different than your Production password) and enter it into the Non-Production password fields (Password and Password Validate)
Click the Create Static Keys button
This tool will create four files:
a. A non-prod password-protected .PFX file which contains a private key
b. A non-prod .cer certificate file that contains a public key
c. A production password-protected .PFX file which contains a private key
d. A production .cer certificate file that contains a public key
Provide both public key certificate files IA Epic Hyperdrive Static Key Prod.cer and IA Epic Hyperdrive Static Key Non-Prod.cer to Identity Automation. You can create a support ticket and attach these files to the support ticket. Do not provide the private keys to Identity Automation, only the public key certificate files. Identity Automation does not need any keys for the EPCS solution, if you are using that product.

Create SAML key pairs

If using EPCS or SAML for authentication, you will need to generate SAML key pairs.

Run the key generation tool
a. IA.EpicAuth.Key.Generator.exe is located in the installation directory (default C:\Program Files (x86)\Identity Automation\EpicAuth).
Set Production and Non-Production passwords
1. Determine an appropriate Production password and enter it into the Production password fields (Password and Password Validate)
2. Determine an appropriate Non-Production password (different than your Production password) and enter it into the Non-Production password fields (Password and Password Validate)
Select the Create EPCS/SAML Key button.
1. This will open a separate "Create Epic Hyperdrive SAML Key" window. Click the Create SAML key button, and the SAML certificate files will be saved to your local TEMP folder.

Four files will be created:
1. IA Epic Hyperdrive SAML.cer
  1. Public certificate that needs to be uploaded to the Epic operational database by your Epic TS
2. IA Epic Hyperdrive SAML.pem
  1. No action necessary for this file
3. IA Epic Hyperdrive SAML.pfx
  1. No action necessary for this file
4. IA Epic Hyperdrive SAML-cryptoapi.pfx
  1. Private certificate which needs to be deployed to each system that will be using SAML

Configure Epic E0G records with the correct ProgIDs for the Auth Plugin

See Configuration and Installation.

Configure the Interconnect Oauth2 back-end service

See Configuration and Installation.

Was this article helpful?

What's Next

Configuration and Installation

Table of contents

Supported Workflows
Prerequisites
Client/Server Requirements
Getting Started - Overview