Configure Active Directory service account for SecureAuth IWA service
To enable Windows SSO for your integrated resources in the SecureAuth® Identity Platform, you'll need a Service Principal Name (SPN) assigned to an Active Directory (AD) service account to connect with the SecureAuth IWA service.
A Service Principal Name (SPN) is a name in Active Directory that uniquely identifies a service instance. This topic covers how to assign an SPN in the AD data store to work with the Identity Platform and the SecureAuth IWA service.
For more information about Windows SSO integration, see Windows SSO integration with Active Directory.
Assign SPN in the Active Directory
Set up and assign the SPN to an AD service account for the SecureAuth IWA service. You will need to enter this AD service account name and password in the Identity Platform AD data store settings to allow Windows SSO integration.
In your Active Directory, create the AD service account username you want to use for the SecureAuth IWA service.
Assign the SPN to the AD service account using the following commands:
To view a list of SPNs, use this command:
setspn.exe -L ServiceAccountName
To assign an SPN to the AD service account, use this command:
setspn -a HTTP/<SecureAuth IWA service URL> ServiceAccountName
To search for duplicate SPNs, use this command:
setspn -x
Use ADSI Edit to assign an SPN
Cloudflare migration: Add new Cloudflare SPN
SecureAuth is enhancing infrastructure by migrating to Cloudflare, bringing improved performance and reliability for your tenant. To maintain Windows SSO functionality after this migration, a new SPN is needed for your service account.
Add the Cloudflare SPN
Add the Cloudflare CDN SPN to your existing service account:
setspn -a HTTP/customerid-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.secureauth.com.cdn.cloudflare.net ServiceAccountName
Replace customerid-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx with your actual customer ID.
Verify both SPNs are assigned:
setspn -L ServiceAccountName
You should see both:
HTTP/customerid-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.secureauth.com (original)
HTTP/customerid-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.secureauth.com.cdn.cloudflare.net (new)
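The verification step above, as an added PowerShell example that is not part of the SecureAuth documentation: it builds both expected SPNs from the customer ID, checks that the service account holds each of them, and checks that no other directory object holds the same SPN (a duplicate, the condition the setspn -x search looks for). The service account name and customer ID are placeholders, and the script assumes the RSAT ActiveDirectory module on a domain-joined host.

```powershell
# Added example (not SecureAuth's own code). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-IwaServiceSpn {
    param(
        [Parameter(Mandatory)] [string] $ServiceAccountName,
        [Parameter(Mandatory)] [string] $CustomerId
    )
    # Both SPN forms the IWA service needs after the Cloudflare migration
    $tenantHost = "customerid-$CustomerId.secureauth.com"
    $expected = @(
        "HTTP/$tenantHost",                      # original tenant SPN
        "HTTP/$tenantHost.cdn.cloudflare.net"    # Cloudflare CDN SPN
    )

    $account  = Get-ADUser -Identity $ServiceAccountName -Properties servicePrincipalName
    $assigned = @($account.servicePrincipalName)

    foreach ($spn in $expected) {
        # A second object registering the same SPN breaks Kerberos ticket issuance,
        # so look it up forest-wide and exclude the service account itself.
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName |
                     Where-Object { $_.DistinguishedName -ne $account.DistinguishedName })
        [pscustomobject]@{
            SPN          = $spn
            Assigned     = ($assigned -contains $spn)
            Duplicate    = ($holders.Count -gt 0)
            OtherHolders = ($holders | ForEach-Object { $_.DistinguishedName }) -join '; '
        }
    }
}

# Placeholder account name and customer ID; replace with your own values.
Test-IwaServiceSpn -ServiceAccountName 'svc-secureauth-iwa' `
                   -CustomerId 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' |
    Format-Table -AutoSize
```

A row showing Assigned = False with Duplicate = False means the SPN still has to be added to the service account; a row with Duplicate = True means another object already claims it and must be cleaned up first.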
Reference:
| SPN format | Purpose |
|---|---|
| HTTP/customerid-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.secureauth.com | Original tenant access |
| HTTP/customerid-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.secureauth.com.cdn.cloudflare.net | Cloudflare infrastructure access |
Next steps
In the Identity Platform, configure the Active Directory data store settings to allow Windows SSO integration, and provide the name and password of the SPN-assigned AD service account.