Documentation

Table of Contents

Other Resources

Versions Compared

Old Version 17

changes.mady.by.user Sheila Morgan-DeChellis

Saved on

compared with

New Version Current

changes.mady.by.user Sheila Morgan-DeChellis

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

You can configure realms to use Windows desktop SSO in any of the following ways:

Definition List
Windows SSOWhen the Begin Site is configured to use Windows SSO login workflow, you have the option to include multi-factor authentication (MFA) and adaptive authentication.  This method is more secure because it includes the Device Recognition layer. 

Windows SSO (skip workflow)When the Begin Site is configured to use Windows SSO (skip workflow), it bypasses the login workflow, skips MFA, and routes the user directly to the Post Authentication page once it validates the Kerberos ticket. This method bypasses the Device Recognition layer, however, it increases system performance. 

Prerequisites



Excerpt

Enable universal Windows desktop SSO in the environment

The most effective way to enable universal Windows desktop SSO is to push out a local intranet URL via Group Policy Object (GPO); however, end users can also configure their own devices and browsers to enable this feature.

To enable Windows desktop SSO

  1. Add the SecureAuth IdP server Fully Qualified Domain Name (FQDN) to the Local intranet list of websites in Chrome, Internet Explorer, and Firefox browsers.

    UI Tabs
    UI Tab
    titleChrome

    Chrome

    1. In the Google Chrome browser, click the menu icon (3 vertical dots) on right of the address toolbar. 
    2. Click Settings.
    3. Scroll to the bottom of the page and expand the Advanced section. 
    4. In the System section, click Open proxy settings
      The Internet Properties dialog opens. 
    5. Select the Security tab.
    6. Click Local intranet
    7. Click Sites
    8. Click Advanced
      The Local intranet dialog opens. 

    9. Enter the FQDN of the SecureAuth IdP server (for example,  https://secureauth.company.com/).

      UI Text Box
      sizemedium
      typenote

      Wildcards are an option in addition to FQDNs, however, it lessens the security stance.

    10. Click Add
    11. Click Close and OK to the remaining dialogs.
    UI Tab
    titleInternet Explorer

    Internet Explorer

    1. In the Internet Explorer browser, click the gear icon on right side of the address toolbar. 
    2. Click Internet options.
      The Internet Options dialog opens. 
    3. Select the Security tab. 
    4. Click Local intranet.
    5. Click Sites.
    6. Click Advanced.
      The Local intranet dialog opens. 

    7. Enter the FQDN of the SecureAuth IdP server (example: https://secureauth.company.com/).

      UI Text Box
      sizemedium
      typenote

      Wildcards are an option in addition to FQDNs, however, it lessens the security stance.

    8. Click Add.
    9. Click Close and OK to the remaining dialogs.
    UI Tab
    titleFirefox

    Firefox

    1. On the Firefox address bar, type type about:config and press Enter.
    2. Accept the warranty risk message and continue.
    3. On the configuration page, search for network.automatic .
    4. Double-click  network.automatic-ntlm-auth.trusted-uris .
      The Enter string value dialog opens. 

    5. Enter the SecureAuth IdP domain name in the dialog (example: https://company_SecureAuth_FQDN.com).

      UI Text Box
      sizemedium
      typenote

      Wildcards are an option in addition to FQDNs, however, it lessens the security stance. 

    6. Click OK and close Firefox.

  2. Grant the "Authenticated Users" group access to the signing certificate being used in the realm.
    For instructions, see Grant Permission to Use Signing Certificate Private Key.

  3. Install the Machine Key Tool per the instructions in the document.

    1. Run the Machine Key Tool to assign "Authenticated Users" permissions to the RSA .NET Framework Configuration Key.

    2. Select option A on the Privileges tab in the document.

...

  1. Go to the Workflow tab. 

  2. In the Workflow section, set the following: 

    Borderless_tables
    Default Workflow

    Set to Username only

    UI Text Box
    sizemedium
    typenote

    To configure two-factor authentication (2FA), select Username | Second Factor

    Public/Private ModeSet to Public Mode Only

    Image RemovedImage Added

  3. In the Custom Identity Consumer section, set the following: 

    Borderless_tables
    Receive TokenSet to Token
    Require Begin SiteSet to True
    Begin Site

    Use any of the following options: 

    • To include MFA and adaptive authentication in login workflow, set to Windows SSO. This method adds the Device Recognition layer, and is more secure.
    • To skip the login workflow and go directly to the Post Authentication page, set to Windows SSO (skip workflow). This method does not include MFA, adaptive authentication, and increases performance. 
    Begin Site URLDepending on the Begin Site selection, this field is auto-populated with WindowsSSO.aspx or WindowsSSO2.aspx.
    User ImpersonationSet to True
    Windows AuthenticationSet to True
    Use Kernel ModeTo use custom Service Principal Names for Integrated Windows Authentication (Kerberos), set to True
    AppPool CredentialsTo use custom Service Principal Names for Integrated Windows Authentication (Kerberos), set to True

    Image Removed Image Added

  4. Click Save