Windows SSO integration with Active Directory

This topic is an outline of how to configure Windows single sign-on (SSO) in the SecureAuth® Identity Platform.

To provide secure access to your integrated resources through Windows SSO, the Identity Platform connects with the SecureAuth Integrated Windows Authentication (IWA) service, which performs Kerberos-based authentication.

Prerequisites

  • Identity Platform release 24.04 or later, cloud deployment

  • Active Directory (AD) data store

  • Active Directory (AD) service account with least privilege access for Windows SSO integration in the Identity Platform

  • Client workstations must be joined to the same Active Directory domain

Process

To set up Windows SSO in the Identity Platform, complete the following steps:

In your AD service account, have a Service Principal Name (SPN) assigned

In your Active Directory (AD), assign an SPN to an AD service account. This is the AD service account used for the secure connection between AD and the SecureAuth IWA service.

See Configure Active Directory service account for SecureAuth IWA service.
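The SPN registration described in this step, as an added PowerShell example that is not part of the SecureAuth documentation. It uses the built-in setspn tool and checks for a duplicate SPN before registering, because two accounts holding the same SPN breaks Kerberos for both. The account name svc-iwa, the host iwa.corp.example.com and the NetBIOS domain CORP are placeholder assumptions; the HTTP service class is the conventional one for an IWA web endpoint.

```powershell
# Added example (not SecureAuth's own documentation): register and verify the SPN
# for the AD service account used by the SecureAuth IWA service.
# Placeholder assumptions: service account 'svc-iwa', IWA host 'iwa.corp.example.com',
# NetBIOS domain 'CORP'. Replace these with your own values.
$ServiceAccount = 'svc-iwa'
$IwaHostFqdn    = 'iwa.corp.example.com'
$Domain         = 'CORP'
$Spn            = "HTTP/$IwaHostFqdn"

# Look for an existing holder of this SPN. A duplicate SPN means the KDC cannot
# choose a single account to encrypt tickets for, so authentication fails silently
# for users; stop here rather than registering it a second time.
$query = setspn -Q $Spn
if ($query -match 'Existing SPN found') {
    throw "SPN $Spn is already registered:`n$($query -join "`n")"
}

# Register the SPN on the service account. -S performs its own forest-wide
# duplicate check as well, unlike the older -A switch.
# The service account only needs ordinary user rights for Kerberos to work;
# keep it out of privileged groups (least privilege, as the prerequisites require).
setspn -S $Spn "$Domain\$ServiceAccount"

# Confirm the account now lists the SPN.
setspn -L "$Domain\$ServiceAccount"

# Optional: scan the forest for any duplicate SPNs after the change.
setspn -X
```

Run this as a user who is allowed to write the servicePrincipalName attribute of the service account. If the SPN is already present, the script stops with the account that holds it so you can resolve the conflict instead of creating a second registration.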

In AD data store settings, turn on Windows SSO integration

In the Identity Platform data store settings for AD, in the SecureAuth IWA Service Settings section, turn on Allow Windows SSO integration.

See Add Active Directory data store.

In the authentication policy, use "Run Windows SSO" as a condition

In the Identity Platform authentication policy, go to the Authentication Rules tab. Apply Run Windows SSO as a condition to an authentication rule like Country, IP Range, or Threat Service.

See Policy configuration - Authentication rules.

Set up browser configurations to allow Windows SSO

To enable Windows SSO across your organization's network, you can push out the local intranet URL assignment via a Group Policy Object (GPO). Most browsers work with Windows SSO, but some browser-specific configuration may be needed for your environment.

See Browser settings for Windows SSO.
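The registry settings that a GPO of this kind writes to a workstation, as an added PowerShell example that is not part of the SecureAuth documentation. It reproduces the "Site to Zone Assignment List" policy values that place the IWA URL in the Local intranet zone (zone 1) for Internet Explorer and Edge IE mode, and sets the Chromium AuthServerAllowlist policy so Chrome and Edge send Kerberos credentials to that host only. The host iwa.corp.example.com is a placeholder assumption; restricting the allowlist to the exact host rather than a whole domain is the deliberate choice here, so credentials are never negotiated with other sites.

```powershell
# Added example (not SecureAuth's own documentation): apply locally the per-machine
# registry values a GPO would deploy for Windows SSO in common browsers.
# Placeholder assumption: IWA host 'iwa.corp.example.com'. Run in an elevated session,
# since all keys are under HKLM.
$IwaHost = 'iwa.corp.example.com'

# 1. Local intranet zone assignment (zone id 1). These are the values written by the
#    "Site to Zone Assignment List" policy; scope the entry to the exact https URL so
#    automatic logon is trusted for this site only.
$zoneMapRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$zoneMapKey  = "$zoneMapRoot`Key"
New-Item -Path $zoneMapRoot -Force | Out-Null
New-ItemProperty -Path $zoneMapRoot -Name 'ListBox_Support_ZoneMapKey' -Value 1 -PropertyType DWord -Force | Out-Null
New-Item -Path $zoneMapKey -Force | Out-Null
New-ItemProperty -Path $zoneMapKey -Name "https://$IwaHost" -Value '1' -PropertyType String -Force | Out-Null

# 2. Chromium-based browsers: limit integrated (Negotiate/Kerberos) authentication to
#    the IWA host. Chrome and Edge read the same policy name from their own key.
$chromiumPolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)
foreach ($policyKey in $chromiumPolicyKeys) {
    New-Item -Path $policyKey -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name 'AuthServerAllowlist' -Value $IwaHost -PropertyType String -Force | Out-Null
}

# Verify what was written.
Get-ItemProperty -Path $zoneMapKey
foreach ($policyKey in $chromiumPolicyKeys) {
    Get-ItemProperty -Path $policyKey -Name 'AuthServerAllowlist'
}
```

In production, deploy these values through the GPO itself rather than a script so they are enforced and re-applied on every policy refresh; the script is useful for testing a single workstation and for confirming what a GPO has actually landed on a client.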