Integrated Windows Authentication

Integrated Windows Authentication (IWA) is a feature of Microsoft Windows NT-based operating systems that authenticates connections automatically, using the Windows domain logon the user already holds (a Kerberos ticket or NTLM response sent by the browser), between the IDR SSO Agent, Microsoft Internet Information Services (IIS), Internet Explorer, and other Active Directory-aware applications. Using IWA with the IDR SSO Agent gives users who sign in to the application portal or to protected web applications from a domain-joined workstation inside your corporate domain a streamlined single sign-on (SSO) experience: they are not asked for a password they have already presented to Windows.

Process Flow and User Experience

By default, when a user attempts to access the application portal or a protected web application, the identity router redirects the user to the portal sign-in page. If not already authenticated, the user must enter valid sign-in credentials to continue. With IWA enabled, users who are already signed in to your corporate domain can bypass the portal sign-in page, because the identity router accepts the Windows authentication performed by IIS instead of asking for a password again.

If you enable IWA, the following occurs when a user attempts to access the application portal or a protected web application from within your corporate Windows domain:

  1. The identity router redirects the user's browser to an IIS server on your network that hosts the IWA Connector.

  2. The IIS server verifies the Windows authentication credentials presented by the browser (the user's Kerberos ticket or NTLM response) against Active Directory. The browser sends these credentials silently only if it trusts the IIS server's hostname as an intranet site; otherwise the user sees a Windows credential prompt.

  3. If verification succeeds, the IIS server issues a Security Assertion Markup Language (SAML) assertion for the authenticated Windows account to the identity router, which allows the user to bypass the portal sign-in screen and reach the portal or protected application without manually entering a username and password.

  4. The IDR SSO Agent prompts the user for additional authentication credentials if the access policy for the web application requires them. IWA replaces only the password step; it does not bypass step-up authentication.

High Availability for Integrated Windows Authentication

You can provide high availability for IWA authentication by deploying more than one IWA Connector server behind a load balancer, so that SAML authentication requests to the identity provider (IdP) are distributed across the servers and no single server is a point of failure. Because the identity router treats the whole cluster as one IdP, every server must present the same identity. To configure high availability, perform these steps:

  1. Deploy the IWA Connector on two or more IIS servers. All of the IIS servers must be joined to, and authenticate users against, the same Active Directory domain.

  2. Configure every connector in exactly the same way, for example with the same Issuer ID, the same Issuer Signing Certificate (the same key pair, not just the same subject name), and so on. If one server signs assertions with a different certificate, authentications that land on that server fail signature validation at the identity router.

  3. In the Issuer URL field, specify the load balancer hostname for the cluster of IWA Connector servers, not the hostname of an individual server. For instructions, see Add Integrated Windows Authentication as an Identity Provider. If you rely on Kerberos rather than NTLM, register an HTTP service principal name for the load balancer hostname on the domain account that the IIS application pools run as on every server, so that the ticket a browser obtains for that hostname can be decrypted by any server in the cluster.

  4. Deploy a load balancer that is "sticky," keeping each user's session on the server where it started, so that the request and response phases of a single authentication are handled by the same connector.
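Steps 2 and 3 above are easy to get subtly wrong when the connectors are configured by hand on several servers. The following added example (not part of the original page and not RSA's code) checks a cluster for the conditions those steps require by comparing the SAML 2.0 IdP metadata that each connector publishes: the Issuer ID (entityID), the fingerprint of the signing certificate, and whether the single sign-on endpoint uses the load balancer hostname over HTTPS. It assumes the connectors expose standard SAML 2.0 metadata; the hostnames, server names and certificate value are constructed for the example.

```python
"""Consistency check for IWA Connector IdP metadata behind a load balancer (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree when parsing metadata fetched from the network
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder; a real connector publishes its Issuer Signing Certificate (DER, base64) here.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()

# Hypothetical load balancer hostname shared by the whole IWA Connector cluster.
LB_HOST = "iwa.corp.example.com"


def build_metadata(entity_id, sso_url, cert_b64=FAKE_CERT_B64):
    """Construct a minimal SAML 2.0 IdP metadata document for the example (not connector output)."""
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="{eid}">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        "<ds:X509Certificate>{cert}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{sso}"/>'
        "</md:IDPSSODescriptor></md:EntityDescriptor>"
    ).format(eid=entity_id, cert=cert_b64, sso=sso_url)


def parse_idp_metadata(xml_text):
    """Extract the fields that the HA steps require to agree across connectors."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not SAML IdP metadata: no IDPSSODescriptor element")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute applies to signing as well as encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    sso_locations = [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)]
    return {
        "entity_id": root.get("entityID"),
        "signing_cert_sha256": sorted(fingerprints),
        "sso_locations": sso_locations,
    }


def check_cluster(metadata_by_server, lb_hostname):
    """Return a list of findings; an empty list means the cluster satisfies steps 2 and 3."""
    parsed = {name: parse_idp_metadata(xml) for name, xml in metadata_by_server.items()}
    names = list(parsed)
    reference, ref_name = parsed[names[0]], names[0]
    findings = []
    for name in names[1:]:
        current = parsed[name]
        if current["entity_id"] != reference["entity_id"]:
            findings.append(f"{name}: Issuer ID {current['entity_id']!r} differs from {ref_name} "
                            f"({reference['entity_id']!r})")
        if current["signing_cert_sha256"] != reference["signing_cert_sha256"]:
            findings.append(f"{name}: signing certificate differs from {ref_name}; "
                            "assertions from this server will fail signature validation")
    for name, current in parsed.items():
        if not current["signing_cert_sha256"]:
            findings.append(f"{name}: no signing certificate published in metadata")
        for location in current["sso_locations"]:
            url = urlparse(location)
            if url.scheme != "https":
                findings.append(f"{name}: SSO endpoint {location} is not HTTPS")
            if url.hostname != lb_hostname.lower():
                findings.append(f"{name}: SSO endpoint {location} does not use load balancer host {lb_hostname}")
    return findings


# Constructed sample cluster: iwa1 is correct, iwa2 was configured with its own hostname.
GOOD = build_metadata(f"https://{LB_HOST}/idp", f"https://{LB_HOST}/sso")
BAD = build_metadata("https://iwa2.corp.example.com/idp", "https://iwa2.corp.example.com/sso")

if __name__ == "__main__":
    for finding in check_cluster({"iwa1": GOOD, "iwa2": BAD}, LB_HOST) or ["cluster consistent"]:
        print(finding)
```

Run the check against metadata pulled from each connector's own address (not through the load balancer, which would hide a misconfigured member) after every configuration change; the example also treats a KeyDescriptor with no `use` attribute as a signing key, since the SAML metadata schema defines that meaning.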