Documentation
Introduction

Windows Desktop Single Sign-on (SSO) lets users who are already logged on to a domain-joined Windows desktop access resources through SecureAuth IdP without entering credentials again: the browser presents the user's Kerberos ticket to the IdP, which authenticates the user from it.

This feature can be enabled for any SecureAuth IdP realm as long as the SecureAuth IdP appliance is joined to the company's domain, and it works from any domain-joined device that can obtain and present Kerberos tickets.

Prerequisites

1. A Microsoft Active Directory must be in use and integrated with SecureAuth IdP

2. The most effective way to enable Windows Desktop SSO across the organization is to push the SecureAuth IdP URL into the Local intranet zone via a Group Policy Object (GPO); end-users can also configure their own devices and browsers manually, as described below

Windows Desktop SSO only works when the browser treats the SecureAuth IdP server as an intranet site, because under the default "Automatic logon only in Intranet zone" setting that is the only zone in which Internet Explorer and Chrome send the user's Kerberos ticket without prompting. End-users must therefore add the SecureAuth IdP server Fully Qualified Domain Name (FQDN) to the Local intranet zone in Windows Internet Options (shared by Internet Explorer and Chrome) or to the trusted-URI preferences in Firefox. To achieve this, end-users follow these steps:

For Chrome (Chrome has no zone settings of its own; these steps open the Windows Internet Properties dialog that Internet Explorer also uses):

1. Click the Chrome menu button on the toolbar and click Settings

2. Click Show advanced settings

3. Click Change proxy settings (the Windows Internet Properties dialog opens)

4. Go into the Security tab, then click Local intranet

5. Click Sites, then click Advanced

6. Enter the FQDN of the SecureAuth IdP server (e.g. https://secureauth.company.com/)

7. Click Add

8. Click Close, then click OK

For Internet Explorer:

1. Click Tools, then Internet Options

2. Go into the Security tab

3. Click Local intranet

4. Click Sites

5. Click Advanced

6. Enter the FQDN of the SecureAuth IdP server (e.g. https://secureauth.company.com/)

7. Click Add

8. Click Close, then click OK

For Firefox:

1. Start Firefox

2. In the address bar, type about:config and accept the warning to continue

3. Once loaded, search for network.automatic

4. A search result of network.automatic-ntlm-auth.trusted-uris will appear

5. Double-click that entry to modify it, and enter the SecureAuth IdP server URL (e.g. https://secureauth.company.com). Windows Desktop SSO relies on Kerberos (Negotiate/SPNEGO), so also set network.negotiate-auth.trusted-uris to the same value; the NTLM preference on its own is only consulted when the server falls back to NTLM

6. Click OK and close Firefox

Optional

To specify multiple domains, use commas to separate the values, e.g. https://secureauth.domain1.com/,https://secureauth.domain2.com/
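The following PowerShell script is an added example, not SecureAuth's own tooling or a script from the original page. It does on one client what the GPO in prerequisite 2 does for the whole domain: it writes the per-user Local intranet entry the dialogs above create, writes the machine-wide policy entry that the "Site to Zone Assignment List" GPO uses, writes a Firefox enterprise policy file in place of the manual about:config edits, and then checks that the client can actually obtain a Kerberos service ticket for the IdP. The FQDN secureauth.company.com, the Firefox install path and the parameter names are assumptions; the script must be run elevated on a domain-joined Windows client.

```powershell
# Added example (not SecureAuth code). Configure one Windows client for
# Windows Desktop SSO to a SecureAuth IdP and verify Kerberos works.
# Assumptions: $IdpFqdn is a placeholder; run elevated on a domain member.
[CmdletBinding()]
param(
    [string]$IdpFqdn = 'secureauth.company.com'   # assumed placeholder FQDN
)

$ErrorActionPreference = 'Stop'
$IdpUrl = "https://$IdpFqdn"

# 1. Per-user entry, equivalent to "Local intranet > Sites > Advanced > Add".
#    Zone IDs: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet,
#    4 Restricted sites. Only zone 1 sends the Kerberos ticket automatically
#    under the default "Automatic logon only in Intranet zone" setting.
$dot        = $IdpFqdn.IndexOf('.')
$hostLabel  = $IdpFqdn.Substring(0, $dot)      # e.g. secureauth
$domainPart = $IdpFqdn.Substring($dot + 1)     # e.g. company.com
$userKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domainPart\$hostLabel"
New-Item -Path $userKey -Force | Out-Null
New-ItemProperty -Path $userKey -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Machine-wide policy entry. This is the registry location that the
#    "Site to Zone Assignment List" GPO populates (value name = URL,
#    value data = zone ID as a string). Once a policy list is in effect the
#    per-user Sites dialog is managed by policy and this list wins.
$policyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
New-Item -Path $policyKey -Force | Out-Null
New-ItemProperty -Path $policyKey -Name $IdpUrl -PropertyType String -Value '1' -Force | Out-Null

# 3. Firefox: an enterprise policy file instead of asking users to edit
#    about:config. SPNEGO covers Kerberos/Negotiate; NTLM is the fallback
#    preference that the manual steps edit. Install path is assumed.
$firefoxDir = Join-Path ${env:ProgramFiles} 'Mozilla Firefox'
if (Test-Path $firefoxDir) {
    $distDir = Join-Path $firefoxDir 'distribution'
    New-Item -ItemType Directory -Path $distDir -Force | Out-Null
    $policy = @{ policies = @{ Authentication = @{ SPNEGO = @($IdpUrl); NTLM = @($IdpUrl) } } }
    $json = ConvertTo-Json -InputObject $policy -Depth 5
    # WriteAllText(string, string) writes UTF-8 without a byte-order mark.
    [System.IO.File]::WriteAllText((Join-Path $distDir 'policies.json'), $json)
}

# 4. Check: can this client obtain a service ticket for the IdP? The SPN
#    HTTP/<fqdn> must be registered on the IdP's computer or service account;
#    otherwise the KDC answers KDC_ERR_S_PRINCIPAL_UNKNOWN and the browser
#    silently falls back to a credential prompt.
$spn   = "HTTP/$IdpFqdn"
$klist = (& klist.exe get $spn | Out-String)
if ($klist -match [regex]::Escape($spn) -and $klist -notmatch 'failed') {
    Write-Host "OK: service ticket for $spn obtained"
} else {
    Write-Warning "No service ticket for $spn. Check SPN registration with: setspn -Q $spn"
    Write-Warning $klist
}
```

The klist check is the one most worth keeping: a missing or duplicated HTTP/<fqdn> SPN produces exactly the symptom users report as "SSO doesn't work", and the browser zone settings cannot fix it.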

3. Grant the built-in "Authenticated Users" group access to the private key of the signing certificate used in the realm (read access is sufficient for signing). This is required because the realm impersonates the Kerberos-authenticated user (see the User Impersonation setting under Workflow below), so token signing runs in that user's security context rather than under the application pool identity

Refer to this Knowledge Base Article for instructions

4. Run the GrantWebConfigKey.bat file on the SecureAuth IdP appliance (D:\MFCAPP_bin\Extras) to assign "Authenticated Users" permissions to the RSA .NET Framework Configuration Key, the RSA key container the .NET Framework uses to protect encrypted web.config sections, which the impersonated user must likewise be able to read

Upon running the file, a prompt appears asking whether to grant permissions to each of three built-in groups: Everyone, Domain Users, and Authenticated Users

Answer "N" (No) for Everyone and Domain Users and "Y" (Yes) for Authenticated Users. Authenticated Users is the narrowest group that still covers every account the realm may impersonate: Everyone would extend the grant to guest and other non-authenticated contexts, and Domain Users would omit authenticated accounts from trusted domains
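The following PowerShell script is an added example, not the procedure from the SecureAuth Knowledge Base article referenced in step 3 and not the contents of GrantWebConfigKey.bat. It performs the step 3 grant on the signing certificate's private key with the least privilege that still works (Read, to Authenticated Users only) and then prints the resulting ACL so the grant can be reviewed. The thumbprint parameter is an assumption; the script assumes the certificate lives in the Local Machine\Personal store with a CSP (legacy RSA) key, which is the key type .NET Framework applications such as the IdP read through X509Certificate2.PrivateKey, and it must be run elevated on the appliance.

```powershell
# Added example (not SecureAuth code). Grant Authenticated Users read access
# to a realm signing certificate's private key and review the result.
# Assumptions: $Thumbprint identifies the realm's signing certificate in
# Cert:\LocalMachine\My; the certificate uses a CSP key; run elevated.
param(
    [Parameter(Mandatory)][string]$Thumbprint   # assumed: signing cert thumbprint
)

$ErrorActionPreference = 'Stop'

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

# CSP private keys are stored as files under MachineKeys, named by the
# unique key container name. CNG keys are not exposed through PrivateKey
# and live under ProgramData\Microsoft\Crypto\Keys instead.
try   { $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName }
catch { $container = $null }
if (-not $container) {
    throw "Certificate uses a CNG key; locate it under $env:ProgramData\Microsoft\Crypto\Keys and apply the same Read grant there"
}
$keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"

# Read is enough to sign with the key. Full Control would let any
# authenticated user replace or delete the key material, and granting
# Everyone would extend access to guest and other non-authenticated
# contexts, which is why the .bat prompt in step 4 is answered N for it.
$acl  = Get-Acl -Path $keyFile
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'NT AUTHORITY\Authenticated Users', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Review: every principal that can touch the key file and its rights.
(Get-Acl -Path $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

The printed ACL is the check to keep after the change: anything beyond SYSTEM, Administrators and a Read entry for Authenticated Users should be explained before the realm goes live. The RSA .NET Framework Configuration Key in step 4 is a separate key container and is not touched by this script.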

5. Create a New Realm or edit an existing realm to which Windows SSO will be applied in the SecureAuth IdP Web Admin

6. Configure the following tabs in the Web Admin before configuring for Windows SSO:

  • Overview – the description of the realm and SMTP connections must be defined
  • Data – an enterprise directory must be integrated with SecureAuth IdP
  • Workflow – the way in which users will access the target must be defined
  • Registration Methods – the 2-Factor Authentication methods that will be used to access the target (if any) must be defined
  • Post Authentication – the target resource or post authentication action must be defined
  • Logs – the logs that will be enabled or disabled for this realm must be defined

SecureAuth IdP Configuration Steps

To configure a SecureAuth IdP realm for Windows Desktop SSO, select the realm for which this feature will be used and follow these steps:

Workflow


1. In the Workflow section, select Public Mode Only from the Public/Private Mode dropdown

2. Select UserName Only from the Authentication Mode dropdown

3. Select True from the User Impersonation dropdown

4. Select True from the Windows Authentication dropdown

Custom Front End


5. Select Token from the Receive Token dropdown

6. Select True from the Require Begin Site dropdown

7. Select Windows SSO from the Begin Site dropdown

8. WindowsSSO.aspx will auto-populate the Begin Site URL field

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes