### Background ###
Imprivata is an identity provider for healthcare applications. We are currently investigating ways to integrate their authentication mechanisms into ChromeOS and share credentials/auth-tokens with the relevant Chrome/Android applications.
### Use Case ###
Imagine a Chromebook set up in a patient’s room in a hospital. A doctor comes in, sees the custom login screen and uses his badge/fingerprint to sign in. On successful authentication, a public session starts and automatically opens the relevant applications with his Imprivata credentials.
When the same user badges again, the session should terminate.
When another user badges in while a session is active, the current session should be terminated and the newly authenticated user should receive a clean session with his own applications and auth-tokens/credentials; nothing from the previous user’s session may carry over.
The user switch (and initial login?) should ideally happen within less than seven seconds.
### Proposal ###
The backbone of this integration will be a Chrome app/extension built by us that runs on the sign-in screen and in public sessions. On the sign-in screen the app/extension will display a custom Imprivata-branded sign-in UI, communicate with the badge/fingerprint reader, authenticate the user via calls to Imprivata’s web API, store the resulting auth-tokens/credentials for access within the session, and start a public session.
Within the public session, the app will read the auth-tokens/credentials from the session manager and pass them on to the relevant applications (see below).
### ToDos ###
1) Show a custom UI on the sign-in/lock screen
2) Read the badge ID from the badge reader using the chrome.usb API
3) Communicate with the Imprivata web API (send the badge ID, receive a credential/auth-token)
4) Store the credentials/auth-token for later access (readable only by the session started for that user, and cleared when the session terminates)
5) Start a public session from the extension/app
6) Read the credentials/auth-token within the session
7) Start Chrome apps (e.g. Citrix) and pass them the credentials/auth-token
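As an added illustration of step 2 (not code from this design doc, from Imprivata, or from ChromeOS), the following shows how the extension could pull a badge ID out of a reader that enumerates as a USB HID keyboard (a "keyboard wedge"), polled through the chrome.usb.interruptTransfer call shape. The assumptions are labelled in the code: the reader sends standard 8-byte boot-protocol keyboard reports and terminates each badge ID with Enter; the device handle, endpoint number and the `usb` object are parameters so the loop can be exercised offline against the fake reader at the bottom, and the report sequence there is constructed sample data, not a capture from a real badge.

```javascript
// Added example, not part of the original design doc. Assumptions: the badge
// reader is a HID keyboard wedge emitting 8-byte boot-protocol reports
// (modifier, reserved, six keycode slots) and ends each badge ID with Enter.

const HID_ENTER = 0x28; // HID usage ID for Enter

// HID usage IDs 0x1E..0x26 are '1'..'9' and 0x27 is '0'. Anything else is
// rejected so a stray key press cannot be smuggled into the badge ID.
function keycodeToDigit(code) {
  if (code >= 0x1e && code <= 0x26) return String.fromCharCode(0x31 + (code - 0x1e));
  if (code === 0x27) return '0';
  return null;
}

// Feed one report into the accumulator. A HID keyboard repeats a keycode in
// every report while the key is held, so only keycodes absent from the
// previous report count as new presses. Returns the badge ID once Enter
// arrives, otherwise null.
function consumeReport(state, report) {
  const bytes = new Uint8Array(report);
  if (bytes.length !== 8) throw new Error('unexpected HID report length ' + bytes.length);
  const now = new Set();
  let finished = null;
  for (let i = 2; i < 8; i++) {
    const code = bytes[i];
    if (code === 0) continue; // empty keycode slot
    now.add(code);
    if (state.prev.has(code)) continue; // still held from the last report
    if (code === HID_ENTER) {
      finished = state.digits;
      state.digits = '';
      continue;
    }
    const digit = keycodeToDigit(code);
    if (digit === null) throw new Error('non-digit keycode 0x' + code.toString(16));
    state.digits += digit;
  }
  state.prev = now;
  return finished && finished.length ? finished : null;
}

// Decode a whole captured report sequence (useful for replaying reports
// logged from a real reader). Returns the first complete badge ID or null.
function decodeReports(reports) {
  const state = { digits: '', prev: new Set() };
  for (const r of reports) {
    const id = consumeReport(state, r);
    if (id !== null) return id;
  }
  return null;
}

// Poll the reader's interrupt IN endpoint until one badge ID completes.
// `usb` has the chrome.usb shape: interruptTransfer(handle, transferInfo, cb)
// with cb({resultCode, data}); inside the extension pass chrome.usb itself.
// maxReports bounds the loop so a silent reader cannot spin forever.
function readBadgeId(usb, handle, endpoint, maxReports = 64) {
  return new Promise((resolve, reject) => {
    const state = { digits: '', prev: new Set() };
    let count = 0;
    const poll = () => {
      if (count++ >= maxReports) return reject(new Error('no badge within ' + maxReports + ' reports'));
      usb.interruptTransfer(handle, { direction: 'in', endpoint, length: 8 }, (info) => {
        if (!info || info.resultCode !== 0) {
          return reject(new Error('USB transfer failed, resultCode=' + (info && info.resultCode)));
        }
        let id;
        try { id = consumeReport(state, info.data); } catch (e) { return reject(e); }
        if (id !== null) return resolve(id);
        poll();
      });
    };
    poll();
  });
}

// Constructed sample data (not from a real device): badge "4271" typed as
// press/release pairs, with the '7' report repeated as if held, then Enter.
const press = (code) => [0, 0, code, 0, 0, 0, 0, 0];
const RELEASE = [0, 0, 0, 0, 0, 0, 0, 0];
const SAMPLE_REPORTS = [
  press(0x21), RELEASE,              // '4'
  press(0x1f), RELEASE,              // '2'
  press(0x24), press(0x24), RELEASE, // '7', held across two reports
  press(0x1e), RELEASE,              // '1'
  press(HID_ENTER), RELEASE,
];

// Fake reader standing in for chrome.usb; keeps returning the last report.
function makeFakeReader(reports) {
  let i = 0;
  return {
    interruptTransfer(handle, info, cb) {
      const r = reports[Math.min(i++, reports.length - 1)];
      cb({ resultCode: 0, data: Uint8Array.from(r).buffer });
    },
  };
}

readBadgeId(makeFakeReader(SAMPLE_REPORTS), 1, 1).then((id) => console.log('badge id:', id));
```

In the extension the `usb` argument would be `chrome.usb` after `chrome.usb.openDevice` and `chrome.usb.claimInterface` have succeeded; the press/release tracking matters because a reader that holds a key across two reports would otherwise double a digit, and the digit-only filter plus the report bound keep a misbehaving or spoofed device from feeding arbitrary keystrokes or an unbounded loop into the sign-in flow.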