
Configure Azure AD Domain Services for SecureAuth IWA service

To enable Windows SSO for your integrated resources in the SecureAuth® Identity Platform, you must have an Azure AD Domain Services (Azure AD DS) subscription. Then, in Azure AD DS, create a service account in a custom organizational unit (OU) and link the Service Principal Name (SPN).

You link the Service Principal Name (SPN) to that service account with setspn commands. The SPN is the name that uniquely identifies your SecureAuth IWA service instance within the Azure AD DS domain.

For more information about Windows SSO integration, see Windows SSO integration with Azure AD.

Assign SPN in Azure AD Domain Services domain

Set up and assign the SPN to a service account in the Azure AD DS domain for the SecureAuth IWA service. You will later enter this service account name and password in the Identity Platform Azure AD data store settings to allow Windows SSO integration.

  1. Have or create a virtual machine in the same network as Azure AD Domain Services.

  2. Join the virtual machine to the Azure AD DS domain.

  3. Install the RSAT: Active Directory Domain Services and Lightweight Directory Services Tools on the machine.

    1. To install it, go to Apps > Optional Features, or search for it in the Windows menu.

    2. Reboot the machine.

  4. Create a custom organizational unit (OU) to hold the service account.

    For more information, see this Microsoft article: Create an Organizational Unit (OU) in an Azure Active Directory Domain Services managed domain.

  5. Create a service account in that OU and assign the Service Principal Name (SPN) to it using the setspn commands.

    • To view the SPNs currently registered on the service account, use this command:

      setspn.exe -L ServiceAccountName

    • To assign an SPN to the service account, use this command:

      setspn -a HTTP/<SecureAuth IWA service URL> ServiceAccountName

    • To search for duplicate SPNs, use this command:

      setspn -x
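    The same steps can be scripted with the RSAT ActiveDirectory module instead of setspn. The script below is an added example, not part of the SecureAuth documentation; it assumes placeholder values for the managed domain, OU name, account name and IWA service URL, and it refuses to register the SPN if another account already holds it (setspn -a does not perform that check).

```powershell
# Added example: create the custom OU and the IWA service account, then register the SPN.
# Run on a VM joined to the Azure AD DS managed domain, as a member of AAD DC Administrators.
Import-Module ActiveDirectory

$DomainDN   = 'DC=aaddscontoso,DC=com'   # placeholder: your managed domain
$OuName     = 'SecureAuth'               # placeholder: custom OU name
$SamAccount = 'svc-iwa'                  # placeholder: service account name
$Spn        = 'HTTP/iwa.example.com'     # placeholder: HTTP/<SecureAuth IWA service URL>
$OuDN       = "OU=$OuName,$DomainDN"

# 1. Custom OU (created only if it does not exist yet).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
}

# 2. Service account in that OU. The password is prompted for, never stored in the script.
$Password = Read-Host -AsSecureString -Prompt "Password for $SamAccount"
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SamAccount'" -ErrorAction SilentlyContinue)) {
    New-ADUser -Name $SamAccount -SamAccountName $SamAccount -Path $OuDN `
        -AccountPassword $Password -Enabled $true `
        -KerberosEncryptionType AES128,AES256   # restrict tickets for this SPN to AES
}

# 3. Duplicate check (equivalent of setspn -x for this one SPN): Kerberos authentication
#    fails unpredictably when two accounts hold the same SPN, so stop before assigning.
$Holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -SearchBase $DomainDN
$Other   = $Holders | Where-Object { $_.Name -ne $SamAccount }
if ($Other) {
    throw "SPN $Spn is already registered on: $($Other.DistinguishedName -join ', ')"
}

# 4. Register the SPN on the service account (same effect as setspn -a).
Set-ADUser -Identity $SamAccount -ServicePrincipalNames @{Add = $Spn}

# 5. Verify (equivalent of setspn -L ServiceAccountName).
(Get-ADUser -Identity $SamAccount -Properties ServicePrincipalName).ServicePrincipalName
```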

Next steps

In the Identity Platform, open the Azure AD data store settings, enable Allow Windows SSO integration, and enter the name and password of the SPN-assigned service account you created above.