SAMLWindowsSSO
Warning
This authenticator is a legacy authenticator. It is recommended to plan for migrating the authenticator to the new protocol agnostic authenticator architecture. More information about the legacy authenticators can be found here.
Note
Use this authenticator to leverage the authentication already done on the Windows workstation.
Please make sure that a SAMLDatasave authenticator is placed in front of this authenticator.
Properties
| Name | Description | Default value | Mandatory |
|---|---|---|---|
| idpID | The internal identifier of the idp used | N/A | Yes |
| pipeID | ID of the pipe to execute used to verify user credentials | N/A | Yes |
| authProtocol | Which IWA mechanism to use when talking to the client. Allowed values are 'NTLM' or 'Negotiate' | NTLM | No |
| loginTemplate | Template used when presenting the end-user UI. This is the template where the user enters credentials | winsso.template | No |
| allowLanguageChange | Should user be able to change template language | N/A | No |
| enableHoneypot | Enable/disable bot protection | true | No |
| translationKey | Body used in template. Value in this will try to map against language used by end-user | login.messages.information.body | No |
| includeQueryString | Should initial query string parameters be passed on | false | No |
| errorRedirect | Where to send user agent if pipe fails | N/A | No |
| iwaSSOTarget | Where the client IWA authentication AJAX POST is sent. Example: /saml/authenticate/AUTHENTICATOR_ALIAS | Current browser path | No |
| iwa_error_redirect | Where to send the client if IWA fails. | N/A | No |
| sendSAMLResponseOnError | Whether or not a SAMLResponse containing an error response should be sent back to the SP upon an internal authentication error. | false | No |
| strictValidation | Whether or not additional validation checks should be made on the SAMLRequest. | false | No |
| resolveSAMLRequestProperties | Whether or not request properties from the SAML AuthnRequest should be resolved before proceeding with the authentication. Typically used at the start of an authentication flow. | false | No |
Example Configuration
```json
{
  "alias": "samlwin",
  "name": "SAMLWindowsSSO",
  "configuration": {
    "idpID": "clavister.ninja",
    "pipeID": "authPipe1",
    "iwaSSOTarget": "/saml/authenticate/samlwin"
  },
  "id": "samlwin"
}
```
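As an added example (not PhenixID's own code), a small Python lint that checks a SAMLWindowsSSO authenticator entry against the property table above: mandatory properties, the allowed authProtocol values, boolean-typed properties, and the permissive defaults (strictValidation, enableHoneypot) a reviewer would want flagged. The rules are transcribed from the table; the sample entries are constructed.

```python
# Property rules transcribed from the table above (constructed for this example;
# not PhenixID's own validation code).
MANDATORY = {"idpID", "pipeID"}
DEFAULTS = {"authProtocol": "NTLM", "loginTemplate": "winsso.template",
            "enableHoneypot": True, "includeQueryString": False,
            "translationKey": "login.messages.information.body",
            "sendSAMLResponseOnError": False, "strictValidation": False,
            "resolveSAMLRequestProperties": False}
ALLOWED_AUTH_PROTOCOLS = {"NTLM", "Negotiate"}
BOOLEAN_KEYS = {"allowLanguageChange", "enableHoneypot", "includeQueryString",
                "sendSAMLResponseOnError", "strictValidation",
                "resolveSAMLRequestProperties"}

def effective_config(authenticator: dict) -> dict:
    """Configuration with the table's defaults filled in for unset properties."""
    return {**DEFAULTS, **authenticator.get("configuration", {})}

def check_samlwin_config(authenticator: dict) -> list:
    """Return findings (errors and hardening hints) for one SAMLWindowsSSO entry."""
    findings = []
    if authenticator.get("name") != "SAMLWindowsSSO":
        findings.append("name is not SAMLWindowsSSO")
    cfg = authenticator.get("configuration", {})
    for key in sorted(MANDATORY - set(cfg)):
        findings.append(f"missing mandatory property {key}")
    eff = effective_config(authenticator)
    if eff["authProtocol"] not in ALLOWED_AUTH_PROTOCOLS:
        findings.append(f"authProtocol {eff['authProtocol']!r} is not NTLM or Negotiate")
    for key in sorted(BOOLEAN_KEYS & set(cfg)):
        if not isinstance(cfg[key], bool):
            findings.append(f"{key} must be true or false, got {cfg[key]!r}")
    # Hardening hints: permissive defaults a reviewer would want called out.
    if not eff["strictValidation"]:
        findings.append("strictValidation is false: no additional SAMLRequest checks")
    if not eff["enableHoneypot"]:
        findings.append("enableHoneypot is false: bot protection disabled")
    return findings

# Constructed samples: the page's example entry and a deliberately broken variant.
EXAMPLE = {"alias": "samlwin", "name": "SAMLWindowsSSO", "id": "samlwin",
           "configuration": {"idpID": "clavister.ninja", "pipeID": "authPipe1",
                             "iwaSSOTarget": "/saml/authenticate/samlwin"}}
BROKEN = {"name": "SAMLWindowsSSO",
          "configuration": {"idpID": "clavister.ninja", "authProtocol": "NTML",
                            "strictValidation": "yes", "enableHoneypot": False}}

if __name__ == "__main__":
    for label, entry in (("example", EXAMPLE), ("broken", BROKEN)):
        print(label, check_samlwin_config(entry))
```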
Requirements
PAS must be installed on a Windows host belonging to the same domain as the clients used by the users.
This authenticator MUST be used together with a SAMLDatasave authenticator.
Number of group membership restrictions
Users with a large number of group memberships may encounter problems with Kerberos authentication. Please view this article for more information: Kerberos authentication problems - Windows Server | Microsoft Learn