Okta FAQ for USON
Implementing Okta Login for Lynx and iKnowMed Generation 2
McKesson is implementing Okta, a leading identity management service, to enhance security and simplify access to Ontada applications like iKnowMed Generation 2 and Lynx.
This guide is a resource to help your practice through the transition from your legacy login credentials to using US Oncology Network Okta credentials to access iKnowMed and Lynx.
Key Benefits
- Enhanced Security: Stronger protection for user credentials and data
- Streamlined Access: Use your US Oncology Network username and password for login
- Support Resources: User guides and help desk available
Who is impacted?
All iKnowMed and Lynx users at your practice will be required to use US Oncology Network Okta credentials for login.
Transition Timeline
Go Live Date: Your Ontada Technology Account Manager will share your Go Live Date.
- Okta is enabled on Monday evenings at approximately 5 p.m. CT.
- User sessions will not be interrupted during the transition.
- If users log out and attempt to log back in to iKnowMed or Lynx, they will see the new login workflow prompting them to transition their login credentials.
Transition Period: Users will have three days from your practice’s Okta Go Live date to migrate from their iKnowMed and Lynx legacy credentials to their US Oncology Network ID and Password.
Post-Transition: US Oncology Network credentials are required for login to iKnowMed and Lynx. Remote users will be required to complete multi-factor authentication (MFA).
Improvements we’ve made
We’ve heard your feedback and have implemented a few updates to improve the login experience.
- Updated Okta configuration: USON user ID + password required for the login workflow when accessing iKnowMed via workstations on the US Oncology Network’s computer network.
- Implemented Windows Hello and FastPass: These tools can also be used by practices not yet on the US Oncology Network.
- Improved QuickLogin experience for Okta-Enabled iKnowMed and Lynx users: Starting Tuesday, Sept. 23, 2025, when using quick login, you’ll no longer need to close the browser between users. Additionally, if you are using Okta FastPass, you will no longer be logged out of all Okta sessions across devices.
Preparing to enable Okta to login to iKnowMed and Lynx at your practice
- Work with your Ontada Account Manager to clean up your list of iKnowMed users. Ensure users have a valid and unique email address in their iKnowMed user profile.
- US Oncology and McKesson employees use their work emails in their iKnowMed user profiles: @usoncology.com, @mckesson.com, or an approved practice email (e.g., @practicename.com).
- Full-time employees should not use personal email addresses in their iKnowMed profile. This will make it easier to differentiate full-time USON employees from external users.
- Review the list of users that haven’t logged in for more than 90 days and inactivate their accounts.
- Identify an Active Directory Group Owner for iKnowMed and Lynx user access groups.
- Implement use of Windows Hello and FastPass across all eligible workstations. Learn more through these US Oncology Network guides:
- Share the schedule for Okta enablement with users at your practice, sharing our migration guide and help menu content to assist in the transition.
- Additionally, Providers using iKnowMed Mobile should update to the latest iPhone operating system. For assistance, please follow Apple’s instructions for updating your device.
No action is needed from your practice as Ontada will work directly with US Oncology Active Directory teams to prepare the following:
- Request the setup of several application-specific security groups in USON Active Directory.
  - iKnowMed Generation 2: USON_Practice_Name_Okta_iKMG2
  - Lynx: USON_Practice_Name_Okta_Lynx
  - Practice Admins: USON_Practice_Name_Okta_PracticeAdmin. This group grants practice administrators access to the USON Okta Admin Console to manage external users directly in the USON Okta tenant.
- Preload currently active iKnowMed and Lynx users to the respective Active Directory groups.
  - iKnowMed Generation 2: USON_Practice_Name_Okta_iKMG2
  - Lynx: USON_Practice_Name_Okta_Lynx
  - Externals: USON_Practice_Name_Okta_iKMG2_Externals
What to Expect: Day 1
Migration Workflow
Step-by-step guides are available to assist in this transition:
iKnowMed and Lynx have a self-guided process to prompt users to migrate their legacy credentials to their US Oncology Network credentials.
- Initial Login: Use legacy iKnowMed and Lynx credentials to login to the applications.
- Prompted Migration: iKnowMed and Lynx guides users through a self-guided process to migrate their legacy iKnowMed credentials to their US Oncology Network credentials.
- Users will have three days to migrate their login. On day four, users will be required to transition from using their legacy credentials to their US Oncology Network credentials to login to iKnowMed and Lynx.
Tips
- Users should complete the transition to Okta login on a desktop or laptop computer. Do not use Lynx kiosk computers.
- Ensure access to the email address associated with your US Oncology credentials. You’ll need to interact with emails during the migration process.
- iKnowMed and Lynx Okta login migrations are independent processes. If you are an iKnowMed and Lynx user, you’ll have to complete the migration process for each application.
Everyday Login Experience
Once a user completes their initial migration for both iKnowMed and Lynx, they will use their US Oncology Network credentials to login to the applications while on the US Oncology Network.
For Lynx Witnessing, users will continue using their legacy Lynx password. Users can choose to update these credentials through their Lynx dashboard.
Users working remotely will be required to complete multi-factor authentication when logging into iKnowMed and Lynx.
Shared Devices (i.e., Exam Rooms): Starting Tuesday, Sept. 23, 2025, users will no longer need to close the browser between users.
iKnowMed Quick Login Workflow: Starting Tuesday, Sept. 23, 2025, when using quick login to log out and allow the second user to access the system, you’ll no longer need to close the browser between users. Additionally, if you are using Okta FastPass, you will no longer be logged out of all Okta sessions across devices.
Pharm clean rooms: Late last year, the Okta configuration was updated to use USON credentials (username + password) when logging into iKnowMed from a device on the USON network.
Managing New Users Once Okta is Enabled
How you add new users to iKnowMed and Lynx depends on the type of user account you want to create: whether the user has an account in Workday (FTE/OSW) or is an external user outside of McKesson.
Setting up a US Oncology Network user
Full time employees and/or Outside Service Workers with an active Workday account.
- Submit a request to add the employee to Workday. Once their Workday account has been created, you can request iKnowMed Access.
- Submit a US Oncology Network IT Standard Service Request to add the user to the group “USON_[practice_name]_Okta_iKMG2” and, if applicable for the user, the group “USON_[practice_name]_Okta_Lynx”. Contact your Ontada Technology Account Manager for the exact group name for your practice.
NOTE: Users must have active status in Workday in order to be added to the correct groups.
- After receiving a notification that the user has been added to Workday and has been added to the groups, confirm the user appears in iKnowMed Generation 2. There may be a delay between adding the groups and the user appearing in iKnowMed.
- Modify the user’s iKnowMed account as needed. This may include editing their User Details, applying a User Profile, and adjusting their Permissions and Preferences. For more information, refer to the iKnowMed Help Menu.
- Confirm the user can log in, confirm access to your practice, and that they set up Okta with more than one Security Method. Setting up additional MFA methods helps provide seamless access to iKnowMed and Lynx and helps troubleshoot access.
NOTE: The ServiceNow request will route through several approvals before the employee can be added to the iKnowMed security group. Initial approval will be routed to the employee’s direct manager, and the second approver is the security group manager. Obtaining approvals can cause delays in users being set up in iKnowMed. We encourage managers to set up delegates in ServiceNow to avoid delays if an approver is out of the office. Additionally, users must be active in Workday in order to be added to the iKnowMed security group.
Setting up an external user
NOTE: New external users MUST be created using their email address as the username. If a username already exists, the individual is likely a multi-practice user. Do NOT create a new profile. Instead, add the user to the uson-ikm-g2-multi-practice-usersexternal group and the appropriate practice external user group. Please ensure no alternate naming conventions are used for usernames.
Third Party Vendors, Research Monitors, local hospital users, etc.
- (Interim Process) Add the user to US Oncology Network Okta via the Okta Admin Console
- iKnowMed Help Menu: Okta Admin Console
Practice Admins need US Oncology Network Okta Group Admin permissions to manage external users in Okta directly.
- Search for the user to confirm the user doesn’t already exist.
- If the user does not exist, click the “Add person” button and populate the user’s first name, last name, user ID (email) and email address.
- In the “group” field, select the application the user needs to access
- After the user is created in US Oncology Network Okta Admin Console, confirm the user appears in iKnowMed Generation 2.
- Modify the user’s iKnowMed account as needed. This may include editing their User Details, applying a User Profile, and adjusting their Permissions and Preferences.
- Confirm the user can log in and that they set up Okta with more than one Security Method. Setting up additional MFA methods helps provide seamless access to iKnowMed and Lynx and helps troubleshoot access.
Setting up a McKesson User
McKesson employees or their manager must submit the request for access. Practices cannot initiate the request on behalf of the users.
It is a two-step process for McKesson employees to gain access to iKnowMed Generation 2 and can take up to five business days to complete.
To prevent delays, please ensure all information is accurate and inform your manager to anticipate at least two approval requests from ServiceNow.
Requestor Step 1: Submit an Access Request
Use the following steps to set up employees at Sarah Cannon Research Institute, Genospace, ClinReview, Life Sciences, etc.
- Request Access: Use the ServiceNow request form: iKnowMed Generation 2 Access Request – Employee Center.
- When completing the form, please include:
  - Requested for = User needing access
  - Role = Your role within the Ontada Business Unit (BU). If your role is not listed or you do not report to a leader within the Ontada BU, please select Ontada Other.
  - Role Description = Document your role as listed in Workday
  - User Details = Phone number, email address, geographic location (City and State)
  - Access Dates = Start and end dates
  - Practice = Multi-practice. List the full practice name as it appears in iKnowMed Generation 2.
  - Business Need = Provide a detailed justification for access
- Approval = ServiceNow will trigger an approval to the requestor’s manager and Ontada Data Governance.
- Resolution = Upon approval, a ticket is routed to Ontada Tech Products L2.
NOTE: After all necessary approvals are obtained, Ontada Support Desk and Tech Products teams must complete several steps to configure user profiles in the Ontada Okta tenant. Customers should be aware that these internal processes may take 3-5 business days after final approval before the user appears in iKnowMed Generation 2 and receives a resolution email.
Requestor Step 2: iKnowMed Generation 2 Permissions
Permissions must be added to the user profile directly in iKnowMed Generation 2 to allow the user to login and navigate the EHR.
- Requestors, please coordinate with your practice contact to obtain the necessary permissions and user preferences in iKnowMed Generation 2.
- Once permissions are in place, you can log in to iKnowMed Generation 2 using your McKesson Okta credentials.
For users that access multiple iKnowMed instances
Submit a US Oncology Network IT Standard Service Request to add the user to the group USON-ikm-g2-multi-practice-users and USON_[practice name]_Okta_iKMG2 and, if applicable for the user, the group USON_[practice name]_Okta_Lynx. Contact your account manager for the exact group name for your practice.
- After receiving a notification that the user has been added to the necessary groups, confirm the user appears in iKnowMed. You may experience up to a three-hour delay between adding the groups and the user appearing in iKnowMed.
- Modify the user’s iKnowMed account as needed. This may include editing their User Details, applying a User Profile, as well as their Permissions and Preferences. For more information, please refer to the iKnowMed Help Menu.
- Confirm the user can log in, verify the correct practice is in focus, and confirm that they set up Okta with more than one security method. Setting up additional MFA methods helps provide seamless access to iKnowMed and Lynx and helps troubleshoot access.
NOTE: Users that have access to more than one practice in iKnowMed will have to toggle between practices in iKnowMed by clicking the practice name in the blue header and selecting the practice they wish to login to from the dropdown menu.
Migration Frequently Asked Questions
Q: What happens if I don’t transition in three days?
A: On the fourth day, you will be required to complete the Okta login transition in order to access iKnowMed and Lynx.
Q: Can I still access iKnowMed and Lynx remotely?
A: Yes, migrating your credentials doesn’t impact your access while on or off the US Oncology Network. iKnowMed is web based and can be accessed remotely using the same URL and your US Oncology Network credentials, both while using your Network VPN and while off network.
Q: Can I still use my legacy credentials?
A: After you’ve completed migrating your login credentials to your US Oncology Okta credentials, your legacy username and password will only work for Lynx Witnessing.
Q: What if my practice isn’t on the US Oncology Network?
A: Please work with your US Oncology Network IT representative to implement use of Windows Hello or FastPass, or to provision YubiKeys for your staff.
Q: What support is available to support my practice during this transition?
A: Ontada will host a go-live support bridge via MS Teams the morning after Okta is enabled at your practice. Ontada Technology Account Managers will share the MS Teams invite with you. Users can also reach out to the Ontada Support Desk for assistance with any issues on Go Live Day. We also have various support tools including user guides and training materials. If you need assistance, please contact the Ontada Support Desk at 888-338-8445 or your Ontada Technology Account Manager.
Q: Can I call Support on behalf of one of my staff?
A: We ask that the user experiencing issues call Ontada Support directly. When other users call in on behalf of someone, it may prevent us from fully resolving the issue, as login credentials are private.
Q: What if we still have users logged in to iKnowMed or Lynx when Okta is enabled at our practice?
A: A user’s session will not be interrupted if they are using the system while the Okta login migration is being completed at your practice. However, if they log out after Okta is enabled and attempt to log back in, they will see the new Okta login workflow.
Q: What if a user doesn’t have an email address in their iKnowMed or Lynx account?
A: You’ll be asked to provide one when your practice starts using Okta.
Q: I am a Practice Administrator. Can I still reset users’ passwords?
A: Once your practice is Okta-enabled, passwords are managed by US Oncology Network Okta. Users can reset their passwords using the Okta self-service password reset options or contact the US Oncology Network Help Desk for assistance.
Q: As a Practice Administrator, can I still manage user permissions?
A: Yes, application specific user permissions are still managed directly in iKnowMed and Lynx.
Q: I have an account that I share with multiple users at my practice, what do I need to do?
A: Shared logins are not supported. Each user will need their own unique credentials.
Q: What if multiple users share an email address?
A: Email addresses must be unique. The first user to set up Okta with a shared email will claim it. Others must use a different email.
iKnowMed Frequently Asked Questions
Q: How does transitioning to US Oncology Okta credentials affect users’ PIN usage in iKnowMed?
A: Okta does not impact the use of a PIN in iKnowMed.
Q: How does this impact access to the iKnowMed Read Only environment?
A: Once users transition credentials from the legacy iKnowMed login to the Okta login, they’ll use their US Oncology Okta credentials to access the iKnowMed Read Only environment.
Q: We often keep a provider’s iKnowMed user account active after a provider leaves the practice so we can complete clean-up of iKnowMed work queues, can we still do that?
A: iKnowMed user accounts are automatically deactivated when the user is terminated in Workday. However, practice admins may mark the user ‘active’ directly in iKnowMed until all clean-up work is completed. The provider will no longer be able to log in to iKnowMed, as their Workday and Okta credentials have been terminated.
Lynx Frequently Asked Questions
Q: What if I use a Lynx kiosk computer?
A: Starting Tuesday, Sept. 23, 2025, when using a Lynx kiosk computer, you’ll no longer need to close the browser between users.
Q: How do I update my Lynx Witness password?
A: Use the Lynx dashboard link to change your witness password.
