This is an Early Access feature. To enable it, contact Okta Support.
MFA for Electronic Prescribing for Controlled Substances (ePCS)
The guide below outlines the setup process to install the Okta Multifactor Authentication (MFA) provider for ePCS.
Electronic Prescribing for Controlled Substances (ePCS) eliminates paper prescriptions entirely by allowing clinical prescribers to electronically write prescriptions for controlled substances. It also permits pharmacies to receive, dispense and archive these e-prescriptions.
ePCS also creates new “Identity Proofing” responsibilities for vendors, prescribers, and pharmacies by requiring two-factor authentication, more robust audit trails and strict auditing procedures in order to comply with the Interim Final Rule regulating ePCS of the U.S. Drug Enforcement Administration (DEA).
The following diagram shows the information flow.
- Must exist in Okta
- Must be assigned the Epic Hyperspace app in Okta
- Must enroll in MFA prior to performing an ePCS transaction.
- Administrator must configure Citrix servers to allow users write access to the log folder.
Typically C:\Program Files (x86)\Okta\OktaHyperspaceLoginDevice\logs
There are five parts to the configuration, including a pre-configuration step.
Transport Layer Security (TLS) used by the agent. Ensure that TLS 1.2 or higher is configured. For instructions, see Okta ends browser support for TLS 1.1.
Before installing the Okta Hyperspace Agent, your org must have the following three items configured.
- End users/groups who will authenticate with ePCS sign-ins:
To manage or add a group:
- Log in to your Okta org as an administrator.
- Navigate to Directory > Groups.
- Click Add Group to add a group and provide an appropriate name and description for the new group.
- Click the group name and add the appropriate people or directories to the group.
For more information see Managing Groups in Okta.
Newly created groups are intended for use with the MFA factors configured next.
- MFA factors configured for use with ePCS sign in:
- Log in to your Okta org as an administrator.
- Navigate to Security > Multifactor.
- On the Factor Types tab, set the target factor to active or inactive.
See the Supported Factors section in this document for a list of ePCS supported factors.
For more information on managing factors see Multifactor Authentication.
- Install the Epic Hyperspace application
- On the Applications page, select Add Application
- Enter Epic Hyperspace EPCS (MFA) in the search box. Then, add the application.
- Select the General tab.
- Note the value of the Client ID and Client secret.
If required, use the Edit button to change the Application label value.
Use the Show button to display the hidden value of the Client secret.
- Org admins must request that Okta Support provide the download link for the Okta Hyperspace Agent.
For the agent version history, see Okta Hyperspace Agent Version History.
- Sign in to your Okta tenant as an admin.
- Navigate to the Epic Hyperspace EPCS (MFA) application.
- Open the General tab.
This tab contains the Okta URL, client id and client secret required by the agent install.
Keep this tab open as these values are required in later steps.
When prompted the Okta URL must be entered as either: https://<<YOUR OKTA ORG>>.okta.com or https://<<YOUR OKTA ORG>>.oktapreview.com.
- Install the agent either interactively or at the command line:
Interactively - On the machine that will host the agent:
- Download the HyperSpace Agent MSI file and unzip.
- Execute the OktaHyperspaceAgent.msi, accepting all defaults.
- When prompted, enter the URL, client ID and client secret as shown in the General tab of the Epic Hyperspace EPCS (MFA) application.
Command line - On the machine that will host the agent:
- Download and install the Microsoft Visual C++ redistributable libraries as described at https://www.microsoft.com/en-us/download/details.aspx?id=48145.
- Download the HyperSpace Agent MSI file and unzip.
- Open a command prompt and change directory to the location where the MSI was downloaded and unzipped.
- Execute the MSI installer using a command similar to:
msiexec /qb /log log.txt /i OktaHyperspaceAgent.msi CLIENT_ID="ClientID" CLIENT_SECRET="ClientSecret" OKTA_URL="Url"
Url, ClientId and ClientSecret values are as shown in the General tab of the Epic Hyperspace EPCS (MFA) application.
If the Epic.Core.Authentication.dll installed by Okta is older than the Epic.Core.Authentication.dll supplied with the EPIC library, replace the Okta version with the newer EPIC DLL.
The default location for the plugin install file is typically: c:\Program Files (x86)\Okta\OktaHyperspaceLoginDevice\
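The command-line install above, wrapped in an added PowerShell script (not Okta's own installer tooling) that runs the pre-checks this guide calls for before invoking msiexec: it validates the Okta URL against the two permitted forms, confirms the TLS 1.2 client protocol is not disabled in SCHANNEL, reads the client secret at a prompt instead of leaving it in shell history, checks the msiexec exit code, and grants users write access to the agent log folder for Citrix hosts. The MSI path and log folder default to the locations named in this guide; the SCHANNEL registry path is the standard Windows location and is an assumption about the host, not something the guide states.

```powershell
# Added example, not Okta's installer: unattended Okta Hyperspace Agent install
# with the pre-checks from this guide. Assumes the unzipped MSI is in the
# current directory and the default agent log folder from the prerequisites.
param(
    [Parameter(Mandatory)] [string] $OktaUrl,     # https://<org>.okta.com or .oktapreview.com
    [Parameter(Mandatory)] [string] $ClientId,    # from the app's General tab
    [string] $Msi = '.\OktaHyperspaceAgent.msi',
    [string] $LogFolder = 'C:\Program Files (x86)\Okta\OktaHyperspaceLoginDevice\logs'
)

# 1. The agent accepts only the two URL forms the guide lists; fail fast on typos.
if ($OktaUrl -notmatch '^https://[a-z0-9-]+\.(okta|oktapreview)\.com$') {
    throw 'OKTA_URL must be https://<org>.okta.com or https://<org>.oktapreview.com'
}

# 2. The agent requires TLS 1.2 or higher; refuse to install if the client side is disabled.
$tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$tls = Get-ItemProperty -Path $tlsKey -ErrorAction SilentlyContinue
if ($tls -and ($tls.Enabled -eq 0 -or $tls.DisabledByDefault -eq 1)) {
    throw 'TLS 1.2 client protocol is disabled in SCHANNEL; enable it before installing the agent'
}

# 3. Prompt for the client secret so it is not typed on the command line or logged in history.
$secure = Read-Host -AsSecureString 'Client secret (from the app General tab)'
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try { $secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# 4. Run the installer with the same properties the guide shows, unattended, with a log.
$msiArgs = @('/qb', '/log', 'install.log', '/i', $Msi,
             "CLIENT_ID=`"$ClientId`"", "CLIENT_SECRET=`"$secret`"", "OKTA_URL=`"$OktaUrl`"")
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0       { Write-Host 'Agent install succeeded' }
    3010    { Write-Warning 'Agent install succeeded; a reboot is required' }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see install.log" }
}

# 5. Citrix prerequisite: users must be able to write to the agent log folder.
if (-not (Test-Path $LogFolder)) { New-Item -ItemType Directory -Path $LogFolder | Out-Null }
$acl  = Get-Acl -Path $LogFolder
$rule = New-Object Security.AccessControl.FileSystemAccessRule(
            'BUILTIN\Users', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $LogFolder -AclObject $acl
```

Run it from an elevated prompt on the host that will run the agent; the secret is still passed to msiexec as a property, so restrict who can read install.log afterwards.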
Set up and configure a new device in Chronicles.
- In Chronicles, access the Authentication Devices (E0G) master file and navigate to Enter Data > Create/Edit Device.
Enter a name for the device, such as Okta 2FA.
Enter a new ID of 100000 or greater.
On the General Settings screen, enter 1-Desktop in the Platform field.
- On the General Settings screen, enter a description in the Description field, if desired.
On the Desktop Settings screen, enter OktaHyperspaceLoginDevice.OktaMFADevice in the ProgID field.
- Determine whether there is an Authentication Configuration Record defined in d ^%ZeUSTBL> Hyperspace > Miscellaneous Security Settings. If not, complete the following steps:
- In Chronicles, navigate to d ^e > e0a > Enter Data > Create Configuration.
Enter a unique ID and name for your Authentication Configuration record.
In the Config Type field enter Authentication Device Settings.
Using that newly created, or existing, Authentication Configuration record configure as needed for the additional factor(s).
The following steps configure Hyperspace to integrate with Okta.
In this section, the EPIC administrator will:
- Create a device (EOG) record that represents the third-party vendor (Okta in this case).
- Enter the new device as the Secondary Device in your Authentication Administration record.
- In Hyperspace, navigate to Authentication Administration (Epic button > Admin > Access Management > Authentication Administration).
- Accept the active record. (This record should be the Authentication Configuration record that you either just verified was set or just created.)
- Select the desired configuration level; for example, System, Service Area, Workstation, etc.
In the Context field, enter E-Prescribing Controlled Medications - First Context.
Set the first authentication method you want users to be prompted with as the Primary Device. Okta anticipates that most organizations will choose the standard user name and password workflow, Default Login, as the first method.
In the Context field, enter E-Prescribing Controlled Medications - Second Context.
Set Okta to be the Primary Device.
Close Hyperspace and relaunch for the new configuration to take effect.
Each Okta user account used by EPIC for MFA must match an EPIC user account.
For example, the Okta account JohnSmith@okta.com must correspond to a similarly named account, such as JohnSmith, within EPIC.
- Within the EPIC Hyperspace Okta app, configure the Okta account format to match the EPIC account credential.
- Ensure your Okta defined user has already authenticated into Okta and enrolled into the MFA factor to be used.
Note: if this step is omitted, the EPIC MFA process fails with no message.
Once completed, the user can log out of Okta.
- Log into EPIC Hyperspace with the test user account and request a prescription be processed.
Depending upon the EPIC configuration, a password is requested first and then the Okta factor challenge is displayed.
On error review the troubleshooting steps.
Define the username format within the EPIC Hyperspace app within Okta.
- Examine Okta syslog for events.
If no events are shown, the EPIC agent may be misconfigured.
Other possible causes include a user who is not configured for, or not enrolled in, the assigned Okta MFA factor.
- Ensure that the user is assigned to the group associated with the Hyperspace app.
- Ensure that the user is enrolled in MFA.
Has the user previously signed in to Okta and enrolled? If not, enroll the user before continuing.
- Ensure that the app sign-on policy is prompting for MFA for the assigned users of the created Okta group for ePCS users.
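For the "examine Okta syslog" step, an added PowerShell query (not part of this guide) that pulls the recent System Log events for one user so you can distinguish "no events at all" (the agent never reached Okta, or the username format does not match) from "events present but the factor was denied". It assumes an Okta API token with System Log read access in the environment variable OKTA_API_TOKEN and the same org URL form the guide uses; the endpoint and event fields are Okta's public System Log API.

```powershell
# Added example, not from the guide: list recent Okta System Log events for one
# user to troubleshoot an ePCS MFA challenge. Assumes an API token with System Log
# read access in $env:OKTA_API_TOKEN (assumption) and a https://<org>.okta.com URL.
param(
    [Parameter(Mandatory)] [string] $OktaUrl,    # e.g. https://<org>.okta.com
    [Parameter(Mandatory)] [string] $UserLogin,  # Okta login, e.g. JohnSmith@okta.com
    [int] $Hours = 2
)
# The agent and this query both need TLS 1.2 or higher.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$since  = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = [uri]::EscapeDataString("actor.alternateId eq `"$UserLogin`"")
$uri    = "$OktaUrl/api/v1/logs?since=$since&limit=200&filter=$filter"
$events = Invoke-RestMethod -Uri $uri -Headers @{
    Authorization = "SSWS $env:OKTA_API_TOKEN"; Accept = 'application/json' }

if (-not $events) {
    # Nothing reached Okta: check the agent configuration and the username
    # format defined in the EPIC Hyperspace app before looking at factors.
    Write-Warning "No events for $UserLogin in the last $Hours h; the agent may be misconfigured or the username format may not match."
    return
}

# Keep only authentication and MFA events; result and reason show why a challenge failed.
$events |
    Where-Object { $_.eventType -like 'user.authentication.*' -or $_.eventType -like 'user.mfa.*' } |
    Select-Object published, eventType,
        @{ n = 'result'; e = { $_.outcome.result } },
        @{ n = 'reason'; e = { $_.outcome.reason } },
        @{ n = 'ip';     e = { $_.client.ipAddress } } |
    Format-Table -AutoSize
```

A user with no user.mfa.* enrollment events in the history has not enrolled, which matches the "fails with no message" case described above.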