Windows SSO integration with Azure AD
This topic is an outline of how to configure Windows single sign-on (SSO) in the SecureAuth® Identity Platform.
Windows SSO gives users secure access to your integrated resources by connecting the Identity Platform to the SecureAuth Integrated Windows Authentication (IWA) service, which performs Kerberos-based authentication.
See the following diagram for the Windows SSO integration with Azure AD using Azure AD Domain Services.
Prerequisites
- Identity Platform release 22.12 or later, cloud deployment
- Azure AD data store tenant synced with Azure AD Domain Services
- Azure AD Domain Services (Azure AD DS) subscription
- Client workstations joined to the Azure AD DS domain
Process
To set up Windows SSO in the Identity Platform, complete the following steps:
- In Azure AD Domain Services, have a Service Principal Name (SPN) assigned
Assign an SPN to a service account in Azure AD Domain Services. The SecureAuth IWA service uses this Azure AD Domain Services service account to establish a secure connection to Azure AD Domain Services.
See Configure Azure AD Domain Services for SecureAuth IWA service.
- In Azure AD data store settings, turn on Windows SSO integration
In the Identity Platform data store settings for Azure AD, in the SecureAuth IWA Service Settings section, turn on Allow Windows SSO integration.
- In the authentication policy, select the Windows SSO login workflow
In the Identity Platform authentication policy, go to the Login Workflow tab, and from the Login Workflow list, select Windows SSO | MFA Method.
- Set up browser configurations to allow Windows SSO
To enable Windows SSO across your organization's network, push the Identity Platform URL out to clients as a Local Intranet site, for example through a Group Policy Object (GPO). Most browsers support Windows SSO, but some require additional settings specific to your environment.
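The following PowerShell is an added example, not code from the SecureAuth documentation, that scripts the two parts of this procedure an administrator types rather than clicks: the SPN assignment from step 1 and the browser zone configuration from step 4, followed by a client-side check that a Kerberos service ticket can actually be obtained. The host name, DNS domain and service account name are placeholders; the page does not give them. The SPN commands assume a management VM joined to the Azure AD DS managed domain and run by a member of the AAD DC Administrators group, and the registry writes mirror what the "Site to Zone Assignment List" GPO setting deploys, so they are suited to a single test workstation before the GPO rollout.

```powershell
# Added example (not from the SecureAuth page). Placeholders below must be
# replaced with your own values; none of them appear in the documentation.
$IwaHost        = 'iwa.example.com'     # placeholder: FQDN browsers will call
$IwaDomain      = 'example.com'         # placeholder: DNS domain of that host
$IwaHostLabel   = $IwaHost.Split('.')[0] # leftmost label, used as the ZoneMap subkey
$ServiceAccount = 'svc-secureauth-iwa'   # placeholder: Azure AD DS service account

# --- Step 1: assign the HTTP SPN to the service account ---------------------
# Run on a domain-joined management VM as an AAD DC Administrators member
# (assumption). setspn -S refuses to add an SPN that already exists on another
# account; a duplicate SPN is the usual cause of Kerberos silently failing and
# the browser falling back to NTLM or prompting for credentials.
setspn -S "HTTP/$IwaHost" $ServiceAccount

# Verify: the SPN must appear exactly once, on this account.
setspn -L $ServiceAccount
setspn -Q "HTTP/$IwaHost"

# --- Step 4: place the IWA host in the Local Intranet zone ------------------
# Same key layout the GPO policy writes. Zone value 1 = Local intranet, which
# is what lets Internet Explorer / Edge / Chrome send Negotiate (Kerberos)
# credentials to the host without a prompt. Scoped to https only.
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$IwaDomain\$IwaHostLabel"
New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null

# Optional, requires an elevated shell: pin the Negotiate allow-list for Edge
# explicitly instead of relying on zone inference. Keep the list narrow so
# Kerberos credentials are never offered to hosts outside the IdP.
$edgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
if (-not (Test-Path $edgePolicy)) { New-Item -Path $edgePolicy -Force | Out-Null }
New-ItemProperty -Path $edgePolicy -Name 'AuthServerAllowlist' -PropertyType String -Value $IwaHost -Force | Out-Null

# --- Verify on the client: request a service ticket for the SPN ------------
# A successful "klist get" proves the workstation can reach the Azure AD DS
# KDC and that the SPN maps to exactly one account. If this fails, the browser
# will never complete Windows SSO, regardless of the zone settings above.
klist get "HTTP/$IwaHost"
klist | Select-String -Pattern "HTTP/$IwaHost" -SimpleMatch
```

For Firefox, which ignores the Windows zone map, the equivalent setting is the `network.negotiate-auth.trusted-uris` preference, deployed through Firefox enterprise policy rather than the registry keys above.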