Prerequisites
Before you set up Login for Windows in the SecureAuth® Identity Platform, review the following prerequisites.
Administrator
As an administrator, review the list of requirements.
Identity Platform release. Login for Windows requires SecureAuth IdP version 9.3 or later, or SecureAuth® Identity Platform release 19.07 or later.
Biometric authentication. To use biometric fingerprint and face (iOS only) recognition, Login for Windows requires the Identity Platform release 19.07 or later, using the 2019 theme.
Symbol-to-accept authentication. To use Symbol-to-Accept through SecureAuth Authenticate mobile app, Login for Windows requires the Identity Platform release 19.07 or later.
Passwordless login workflow. To use the Passwordless workflow, Login for Windows requires the following:
Identity Platform 9.3 or later running on Windows 10 version 1607 or later
Identity Platform deployment with Prevent package
Personalize the Login for Windows experience. You can customize the Login for Windows experience by setting or changing configuration options in Configure Identity Platform and Login for Endpoints.
Load balancer. If you use a load balancer:
When you use Push-to-Accept, Symbol-to-Accept, or Link-to-Accept MFA methods with Login for Windows, you must enable session persistence ("sticky sessions") on the load balancer to maintain state with the Identity Platform.
Login for Windows supports cookie-based persistence only.
Setup requirement. Ensure the Identity Platform release 9.3 or later is running and uses a SHA2 (or stronger) third-party, publicly trusted certificate bound to Microsoft Internet Information Services (IIS).
For example, in the IIS Management Console's Default Web Site section, check the Site Bindings section to ensure the https/443 type and port settings have a valid and trusted SHA2 certificate selected in the SSL certificate field.
The following example shows the SSL connection being terminated on the SecureAuth server.
Alternatively, you can terminate the SSL connection on the load balancer; in that case, the publicly trusted certificate resides on the load balancer.
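For the case where SSL terminates on the SecureAuth server, the following PowerShell check (an added example, not SecureAuth's own tooling) inspects the IIS https/443 binding and the certificate selected in its SSL certificate field: it reports a SHA-1 signature, a self-signed certificate, a chain that does not validate to a trusted root, or an imminent expiry. It assumes it is run elevated on the IIS host and that the site is named "Default Web Site".

```powershell
# Added check (not SecureAuth's code): verify the IIS HTTPS binding used by the
# Identity Platform carries a trusted, SHA-2-signed certificate.
# Assumptions: run elevated on the IIS host; the site is named 'Default Web Site'.
Import-Module WebAdministration
function Test-IdpHttpsBinding {
    param(
        [string]$SiteName = 'Default Web Site',
        [int]$Port = 443
    )

    $binding = Get-WebBinding -Name $SiteName -Protocol https |
        Where-Object { $_.bindingInformation -like "*:${Port}:*" }
    if (-not $binding) {
        return [pscustomobject]@{ Ok = $false; Reason = "No https binding on port $Port for '$SiteName'" }
    }

    # The binding records only the thumbprint and store name; load the certificate from there.
    $store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }
    $cert  = Get-Item -Path "Cert:\LocalMachine\$store\$($binding.certificateHash)" -ErrorAction SilentlyContinue
    if (-not $cert) {
        return [pscustomobject]@{ Ok = $false; Reason = 'Binding has no certificate selected in the SSL certificate field' }
    }

    $problems = @()
    # SHA-1 signatures do not satisfy the SHA2-or-later requirement.
    if ($cert.SignatureAlgorithm.FriendlyName -notmatch '^sha(256|384|512)') {
        $problems += "Signature algorithm is $($cert.SignatureAlgorithm.FriendlyName), not SHA-2"
    }
    # A self-signed certificate is not a third-party publicly trusted one.
    if ($cert.Subject -eq $cert.Issuer) {
        $problems += 'Certificate is self-signed'
    }
    # Verify() builds the chain and checks it against the machine trust store.
    if (-not $cert.Verify()) {
        $problems += 'Certificate chain does not validate to a trusted root'
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "Certificate expires on $($cert.NotAfter)"
    }

    [pscustomobject]@{
        Ok         = ($problems.Count -eq 0)
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Reason     = ($problems -join '; ')
    }
}

Test-IdpHttpsBinding | Format-List
```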
Note
Do not remove the SecureAuth certificates from the certificates console or the SecureAuth appliance will no longer function.
Compatibility. Ensure target end user machines are running on supported OS versions in the SecureAuth compatibility guide.
End user experience
This section details the first-time usage requirements.
End users can log in without second-factor authentication for the number of days set by the administrator. This allows end users to log in with a password only so they can set up their two-factor authentication methods before they must authenticate to access their device. After end users set up 2FA, the following is the authentication workflow.
Login for Windows requires end users to use an OATH-based method (TOTP or HOTP) if at least one such method is available to them. If no OATH-based method is available, end users can use any other available method, but offline login will not be available.
To meet this requirement, end users must use one of the following, provisioned through an application integrated with the Identity Platform, so that their device can generate timed passcodes for multi-factor authentication:
SecureAuth Authenticate app on a phone or tablet, or
YubiKey HOTP or TOTP security key
Refer to the YubiKey HOTP Device Provisioning and Multi-Factor Authentication Guide or the YubiKey OATH-TOTP Device Provisioning and Multi-Factor Authentication Guide to ensure all requirements are met. To ensure that supported YubiKey devices are used, see the "YubiKey" section of the SecureAuth compatibility guide.
Thereafter, end users can use Login for Windows to log in when working online and offline.
Additionally, consider the following requirements for end users:
To use Passwordless as a first factor, end users must ensure the following:
Run Windows 10 build 1607 or later
Connect a fingerprint reader to the computer
To use face recognition, available for iOS mobile phones only, end users must complete the following:
Enable their iOS mobile phone Face Recognition setting
Download and set up the SecureAuth Authenticate app
Sites upgrading from SecureAuth release 9.3 to the Identity Platform release 19.07: End users who already use the Authenticate app and want to add the ability to accept biometric push notifications to use face (iOS) or fingerprint recognition must first reconnect the account for their mobile device.
To use fingerprint recognition, end users must complete the following:
Enable the Fingerprint setting on their iOS or Android mobile phone
Download and set up the SecureAuth Authenticate app
End users who already use the Authenticate app and want to add the ability to accept biometric push notifications to use face (iOS) or fingerprint recognition must first reconnect the account for their mobile device.
Note
If end users are using the SecureAuth Credential Provider and the administrator upgrades to a later version of Login for Windows, end users do not need to uninstall the SecureAuth Credential Provider before installing Login for Windows.