Integrated Windows Authentication (IWA) is a feature of Microsoft Windows NT-based operating systems that allows automatically authenticated connections between the SSO Agent, Microsoft Internet Information Services (IIS), Internet Explorer, and other Active Directory-aware applications. Using IWA with the SSO Agent provides a streamlined single sign-on (SSO) experience for users who sign in to the application portal or protected web applications from within your corporate domain.
By default, when a user attempts to access the application portal or a protected web application, the identity router redirects the user to the portal sign-in page. A user who is not already authenticated must enter valid sign-in credentials to continue. With IWA, users who are already authenticated to your corporate domain can bypass the portal sign-in page.
If you enable IWA, the following occurs when a user attempts to access the application portal or a protected web application from within your corporate Windows domain:
- The identity router redirects the request to an IIS server on your network.
- The IIS server verifies the user's Windows authentication credentials against Active Directory.
- If verification succeeds, the IIS server provides a Security Assertion Markup Language (SAML) assertion, allowing the user to bypass the portal sign-in screen and access the portal or protected application without manually submitting basic account credentials.
- The SSO Agent prompts the user for additional authentication credentials if required by the access policy for the web application.
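The sign-in bypass in the third step depends entirely on the assertion from the IIS server, so the party consuming it should check its claims before trusting it. The following is an added example, not the product's code: the entity IDs, the clock-skew allowance and the sample assertion are assumptions constructed for illustration, and cryptographic signature verification is left to an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EXPECTED_ISSUER = "https://iis.corp.example/iwa"       # assumed: the IIS/IWA server's entity ID
EXPECTED_AUDIENCE = "https://portal.corp.example/sso"  # assumed: the portal's entity ID
SKEW = timedelta(seconds=60)                           # assumed clock-skew allowance

def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def claim_problems(assertion_xml, now):
    """Return reasons to refuse the sign-in bypass; an empty list means the claims pass."""
    if "<!DOCTYPE" in assertion_xml:   # refuse DTDs before parsing (entity expansion, XXE)
        return ["doctype"]
    root = ET.fromstring(assertion_xml)
    problems = []
    if root.find("ds:Signature", NS) is None:
        problems.append("unsigned")    # presence only; the signature must still be verified
    if root.findtext("saml:Issuer", "", NS).strip() != EXPECTED_ISSUER:
        problems.append("issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None or "NotBefore" not in cond.attrib or "NotOnOrAfter" not in cond.attrib:
        return problems + ["conditions"]
    if now + SKEW < _utc(cond.get("NotBefore")):
        problems.append("not-yet-valid")
    if now - SKEW >= _utc(cond.get("NotOnOrAfter")):
        problems.append("expired")     # a stale assertion must not be replayable
    audiences = [a.text.strip() for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("audience")    # assertion was issued for a different relying party
    return problems

def sample_assertion(issuer=EXPECTED_ISSUER, audience=EXPECTED_AUDIENCE, signed=True):
    """Constructed assertion skeleton for the demo; the signature element is an empty stand-in."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    return (f'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            f'<saml:Issuer>{issuer}</saml:Issuer>{sig}'
            f'<saml:Subject><saml:NameID>jdoe@corp.example</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion>')

if __name__ == "__main__":
    t = datetime(2024, 5, 1, 12, 2, tzinfo=timezone.utc)
    print(claim_problems(sample_assertion(), t))
    print(claim_problems(sample_assertion(audience="https://other.example", signed=False), t + timedelta(minutes=10)))
```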