Windows SSO integration with Microsoft Entra ID

This topic is an outline of how to configure Windows single sign-on (SSO) in the SecureAuth® Identity Platform.

To allow secure access to your integrated resources using Windows SSO, the Identity Platform connects to the SecureAuth Integrated Windows Authentication (IWA) service, which performs Kerberos-based authentication against the domain the workstation is joined to.

See the following diagram for the Windows SSO integration with Microsoft Entra ID (formerly Azure AD) using Microsoft Entra Domain Services.

Note

The product name changed from Azure AD to Microsoft Entra ID. The configuration diagram still uses the old name and may be out of date, but the process is the same.

[Diagram: Windows SSO with Azure AD]

Prerequisites

  • Identity Platform release 22.12 or later, cloud deployment

  • Microsoft Entra ID data store tenant synced with Microsoft Entra Domain Services

  • Microsoft Entra Domain Services subscription

  • Client workstations must be joined to the Microsoft Entra Domain Services managed domain (Kerberos tickets are issued only to domain-joined machines)

Process

To set up Windows SSO in the Identity Platform, complete the following steps:

In Microsoft Entra Domain Services, have a Service Principal Name (SPN) assigned

Assign an SPN to a service account in Microsoft Entra Domain Services. This service account is what the SecureAuth IWA service authenticates as, and the SPN is what domain-joined clients use to request a Kerberos service ticket for it. The SPN must match the host name that browsers use to reach the IWA service, and it must be registered on exactly one account; an SPN that appears on two accounts breaks Kerberos for that service.

See Configure Microsoft Entra Domain Services for SecureAuth IWA service.
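The following PowerShell is an added example, not SecureAuth's own code or the procedure from the linked page. It registers the SPN on the service account from a domain-joined management machine and refuses to create a duplicate, then shows how to confirm from a workstation that the KDC actually issues a ticket for it. The account name `svc-secureauth-iwa`, the host `iwa.corp.example.com` and the DNS suffix are assumptions to replace with your own values; it also assumes the RSAT Active Directory module is installed and the caller is a member of the managed domain's AAD DC Administrators group.

```powershell
# Added example (not SecureAuth's code). Run on a machine joined to the Entra
# Domain Services managed domain with the RSAT ActiveDirectory module installed,
# as a member of 'AAD DC Administrators'.
# Hypothetical values: replace with the service account you created in a custom
# OU of the managed domain and the FQDN browsers use to reach the IWA service.
param(
    [string]$ServiceAccount = 'svc-secureauth-iwa',     # hypothetical account name
    [string]$IwaHost        = 'iwa.corp.example.com'    # hypothetical IWA service FQDN
)
Import-Module ActiveDirectory

# Kerberos SPN for an HTTP service: the service class is HTTP even when the
# site is served over HTTPS; the host part must match what the browser resolves.
$spn = "HTTP/$IwaHost"

# 1. Duplicate check. If this SPN is already on any object, the KDC cannot pick
#    a key to encrypt the service ticket with, and clients silently fall back to
#    NTLM or fail. Abort instead of registering a second copy.
$owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
if ($owner) {
    if ($owner.DistinguishedName -ne (Get-ADUser $ServiceAccount).DistinguishedName) {
        throw "SPN $spn is already registered on $($owner.DistinguishedName); remove it there first."
    }
    Write-Host "SPN $spn already registered on $ServiceAccount, nothing to do."
}
else {
    # 2. Register the SPN on the service account only (Add, not Replace, so any
    #    SPNs the account already has are preserved).
    Set-ADUser -Identity $ServiceAccount -ServicePrincipalNames @{ Add = $spn }
    Write-Host "Registered $spn on $ServiceAccount."
}

# 3. Verify the attribute as the KDC sees it.
$registered = (Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName
if ($registered -notcontains $spn) {
    throw "Verification failed: $spn not present on $ServiceAccount."
}
$registered | ForEach-Object { Write-Host "  $ServiceAccount has SPN: $_" }

# 4. Client-side check (run on a domain-joined workstation as a normal user):
#    'klist get' asks the KDC for a service ticket for the SPN. A ticket in the
#    output means the SPN, DNS name and account key all line up; KDC_ERR_S_PRINCIPAL_UNKNOWN
#    means the SPN is not registered, or the browser is using a different host name.
Write-Host "`nOn a workstation, confirm ticket issuance with:`n  klist get $spn"
```

Run the duplicate check before every registration, not just the first time: a copied VM or a reused host name is the usual way a second `HTTP/` SPN for the same host ends up on another computer object.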

In Microsoft Entra ID data store settings, turn on Windows SSO integration

In the Identity Platform data store settings for Microsoft Entra ID, in the SecureAuth IWA Service Settings section, turn on Allow Windows SSO integration.

See Add Microsoft Entra ID data store.

In the authentication policy, select the Windows SSO login workflow

In the Identity Platform authentication policy, go to the Login Workflow tab, and from the Login Workflow list, select Windows SSO | MFA Method.

See Policy configuration - Login workflow.

Set up browser configurations to allow Windows SSO

Browsers only send Kerberos credentials automatically to sites they consider trusted, so the IWA service URL must be placed in the browser's Local intranet zone (or its equivalent allowlist). On a managed network, push the IWA URL as a Local intranet site via Group Policy Object (GPO). Most browsers support Windows SSO, but some need browser-specific settings appropriate for your environment.

See Browser settings for Windows SSO.
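As an added example, not SecureAuth's own code or the content of the linked page, the following PowerShell writes the same registry values that the Group Policy "Site to Zone Assignment List" and the Edge, Chrome and Firefox enterprise policies deploy, so you can test a single workstation before building the GPO. The host name `iwa.corp.example.com` and the Firefox install path are assumptions; the policy names and registry paths are the documented ones for those browsers.

```powershell
# Added example (not SecureAuth's code). Applies browser trust for one IWA host
# on the local machine; in production deploy the same values through GPO.
# Hypothetical value: the FQDN browsers use to reach the SecureAuth IWA service.
param([string]$IwaHost = 'iwa.corp.example.com')

# 1. Windows Internet Settings zone map. Zone 1 = Local intranet, which is the
#    zone in which IE, Edge (IE mode) and, by default, Chromium browsers on
#    Windows are allowed to answer a Negotiate (Kerberos) challenge silently.
#    This key is what the GPO "Site to Zone Assignment List" writes; the value
#    name is the URL and the data is the zone number as a string.
$zoneKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name "https://$IwaHost" -Value '1' -PropertyType String -Force | Out-Null

# 2. Chromium browsers (Edge, Chrome): AuthServerAllowlist limits which servers
#    the browser will send a Kerberos ticket to. List the exact host. A wildcard
#    such as *.corp.example.com would let any site under that suffix obtain a
#    ticket carrying the user's identity, so keep it as narrow as possible.
foreach ($vendorKey in @('HKLM:\SOFTWARE\Policies\Microsoft\Edge',
                         'HKLM:\SOFTWARE\Policies\Google\Chrome')) {
    New-Item -Path $vendorKey -Force | Out-Null
    New-ItemProperty -Path $vendorKey -Name 'AuthServerAllowlist' -Value $IwaHost -PropertyType String -Force | Out-Null
}

# 3. Firefox does not read the Windows zone map. Its enterprise policy
#    Authentication.SPNEGO (policies.json in the install's distribution folder,
#    or the matching ADMX setting) is the equivalent allowlist.
$firefoxDir = 'C:\Program Files\Mozilla Firefox\distribution'   # assumed install path
if (Test-Path (Split-Path $firefoxDir)) {
    New-Item -Path $firefoxDir -ItemType Directory -Force | Out-Null
    $policy = @{ policies = @{ Authentication = @{ SPNEGO = @($IwaHost) } } }
    $policy | ConvertTo-Json -Depth 5 | Set-Content -Path (Join-Path $firefoxDir 'policies.json') -Encoding UTF8
}

# 4. Read everything back so the result can be compared with what the GPO
#    produces later (gpresult /h report.html shows the same policy values).
[pscustomobject]@{
    IntranetZone   = (Get-ItemProperty -Path $zoneKey)."https://$IwaHost"
    EdgeAllowlist  = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Edge').AuthServerAllowlist
    ChromeAllowlist= (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Google\Chrome').AuthServerAllowlist
} | Format-List
```

Writing under HKLM requires an elevated prompt. After the values are in place, browse to the IWA URL once and check that the browser's network log shows a single 401 with `WWW-Authenticate: Negotiate` followed by a 200, rather than a basic or NTLM prompt; a prompt usually means the URL is not in the zone or the allowlist host does not match the name in the address bar.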