Integrated Windows Authentication
Integrated Windows Authentication (IWA) is a feature of Microsoft Windows NT-based operating systems that allows automatically authenticated connections between the SSO Agent, Microsoft Internet Information Services (IIS), Internet Explorer, and other Active Directory-aware applications. Using IWA with the SSO Agent provides a streamlined single sign-on (SSO) experience for users who sign into the application portal or protected web applications from within your corporate domain.
Process Flow and User Experience
By default, when a user attempts to access the application portal or a protected web application, the identity router redirects the user to the portal sign-in page. If not already authenticated, the user must enter valid sign-in credentials to continue. Using IWA, users who are already authenticated to your corporate domain can bypass the portal sign-in page.
If you enable IWA, the following occurs when a user attempts to access the application portal or a protected web application from within your corporate Windows domain:
The identity router redirects the request to an IIS server on your network.
The IIS server verifies the user's Windows authentication credentials against Active Directory.
If verification succeeds, the IIS server provides a Security Assertion Markup Language (SAML) assertion, allowing the user to bypass the portal sign-in screen and access the portal or protected application without manually submitting basic account credentials.
The SSO Agent prompts the user for additional authentication credentials if required by the access policy for the web application.
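The SAML assertion returned by the IIS server is what lets the user skip the portal sign-in page, so the identity router must accept it only when it comes from the configured Issuer, is addressed to the expected audience, and is still inside its validity window. The following checker is an added example written for this page, not code from the SSO Agent, the identity router or the IWA Connector; the sample assertion, issuer and audience URLs, and the clock-skew allowance are constructed values, and signature verification against the Issuer Signing Certificate is assumed to have been done beforehand (it needs an XML-signature library and is outside this snippet).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, shaped like what an IWA Connector would return
# after IIS has verified the user's Windows credentials. All values are illustrative.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://iwa-lb.example.com/iwaconnector</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe@corp.example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://portal.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse the UTC 'Z' timestamp form used in SAML assertions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_issuer, expected_audience, now_utc, skew_seconds=60):
    """Return a list of problems; an empty list means the assertion passes these checks.

    Assumes the XML signature was already verified against the configured
    Issuer Signing Certificate (hypothetical prior step, not performed here).
    now_utc is a SAML-style timestamp string so the check is reproducible.
    """
    problems = []
    root = ET.fromstring(xml_text)
    now = parse_saml_time(now_utc)
    skew = timedelta(seconds=skew_seconds)  # tolerance for clock drift between IIS and the router

    # 1. Issuer must be exactly the configured IWA Connector issuer.
    issuer = (root.findtext("saml:Issuer", namespaces=SAML_NS) or "").strip()
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: got {issuer!r}, expected {expected_issuer!r}")

    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        problems.append("missing Conditions element")
    else:
        # 2. Validity window: reject assertions used too early or after expiry.
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now + skew < parse_saml_time(not_before):
            problems.append(f"assertion not yet valid (NotBefore={not_before})")
        if not_on_or_after is None:
            problems.append("missing NotOnOrAfter; assertion would never expire")
        elif now - skew >= parse_saml_time(not_on_or_after):
            problems.append(f"assertion expired (NotOnOrAfter={not_on_or_after})")

        # 3. Audience must name this portal / service provider, not some other SP.
        audiences = [
            a.text.strip()
            for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)
            if a.text
        ]
        if expected_audience not in audiences:
            problems.append(f"audience mismatch: got {audiences}, expected {expected_audience!r}")

    # 4. There must be a subject to map to a portal user.
    if root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS) is None:
        problems.append("missing Subject/NameID")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "https://iwa-lb.example.com/iwaconnector",
                          "https://portal.example.com/sp", "2024-05-01T12:01:00Z"))
```

Each check corresponds to a way the bypass could be abused if it were missing: a wrong issuer means the assertion did not come from the IWA Connector you trust, a wrong audience means it was minted for a different service provider, and a missing or past NotOnOrAfter means a captured assertion could be replayed indefinitely.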
High Availability for Integrated Windows Authentication
You can provide high availability for IWA authentication by deploying more than one IWA Connector server behind a load balancer. This ensures that SAML IdP requests are load-balanced and that no single connector is a single point of failure. To configure high availability, perform these steps:
Deploy the IWA connector on two or more IIS servers. All of these IIS servers must point to the same Active Directory domain.
Configure every connector in exactly the same way, for example, with the same Issuer ID, Issuer Signing Certificate, and so on.
In the Issuer URL field, specify the load balancer hostname for a cluster of IWA Connector servers. For instructions, see Add Integrated Windows Authentication as an Identity Provider.
Deploy a load balancer that is "sticky," keeping user sessions on the server where they started.
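Because the identity router trusts one Issuer ID and one Issuer Signing Certificate, a connector whose settings have drifted from the others will be rejected for the share of users the load balancer sends to it, which shows up as intermittent sign-in failures rather than a clean outage. The following drift check is an added example for this page, not a tool shipped with the IWA Connector; the settings dictionaries, their field names and the hostnames are constructed placeholders standing in for whatever you export from each IIS server.

```python
from urllib.parse import urlparse

# Constructed example: settings exported from two hypothetical IWA Connector servers.
# Field names are placeholders, not the product's own configuration keys.
CONNECTOR_SETTINGS = {
    "iis-01": {
        "issuer_id": "urn:example:iwa-connector",
        "issuer_url": "https://iwa-lb.example.com/iwaconnector",
        "signing_cert_thumbprint": "0000000000000000000000000000000000000001",
        "ad_domain": "corp.example.com",
    },
    "iis-02": {
        "issuer_id": "urn:example:iwa-connector",
        "issuer_url": "https://iis-02.corp.example.com/iwaconnector",  # points at itself, not the LB
        "signing_cert_thumbprint": "0000000000000000000000000000000000000002",  # different cert
        "ad_domain": "corp.example.com",
    },
}

# Settings the page says must be identical on every connector in the cluster.
MUST_MATCH = ("issuer_id", "issuer_url", "signing_cert_thumbprint", "ad_domain")


def find_ha_drift(settings, load_balancer_host):
    """Return a list of problems found across the connector settings; empty means consistent."""
    problems = []
    if len(settings) < 2:
        problems.append("fewer than two connectors: no redundancy")

    # Every must-match field should have exactly one distinct value across the cluster.
    for key in MUST_MATCH:
        values = {name: cfg.get(key) for name, cfg in settings.items()}
        if len(set(values.values())) > 1:
            problems.append(f"{key} differs across connectors: {values}")

    # The Issuer URL must name the load balancer, not an individual IIS server,
    # otherwise redirects bypass the balancer and the sticky session.
    for name, cfg in settings.items():
        host = urlparse(cfg.get("issuer_url", "")).hostname
        if host != load_balancer_host:
            problems.append(
                f"{name}: issuer_url host {host!r} is not the load balancer {load_balancer_host!r}"
            )
    return problems


if __name__ == "__main__":
    for line in find_ha_drift(CONNECTOR_SETTINGS, "iwa-lb.example.com"):
        print(line)
```

Run it against the exported settings of every connector after each change; a clean run is the precondition for the "sticky" load balancer step above to give you real redundancy instead of a cluster where only some members are trusted.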