Introduction
The CoreOne Suite offers the possibility of Integrated Windows Authentication (IWA). This allows a user who is already logged into Windows to log in automatically to any SSO application without entering their Windows credentials again. The credentials are passed from the Windows authentication directly to the web server, and the user gets a seamless SSO experience. This article describes how to configure IWA.
Preconditions
The user must be logged into a domain joined client
The web server must be joined to the same domain as the client
Step 1 - SSO - Authentication level & Method
Add an entry in the Authentication level tab for IWA and add the Authentication method Windows Authentication to it.
...
Navigate to the menu entry SSO, click on Level of Authentication, then select the Authentication Level to which you want to add Integrated Windows Authentication.
In the tab Level of Authentication Entry, add a new entry for Integrated Windows Authentication.
Once the new entry is created, click on it to open the corresponding configuration.
In the tab Authentication Method, add a new entry and select Windows Authentication.
Info
If you can’t choose “Windows Authentication”, you have to activate “Windows Authentication” in the database. The corresponding logon method row can be found with: SELECT * FROM moving_appcustomer_900000.servicecorelogin_logon_method where ID = 10;
Step 2 - Target System settings
...
Enter the Authentication Domain Name to your Active Directory Target System.
...
In the tab System Feature, activate the function “Authentication Provider active”.
...
Navigate to the menu entry System Configuration, click on Target Systems, then select the Active Directory target system to which you want to add Integrated Windows Authentication.
Edit the target system and add/edit the attribute Authentication Domain Name; it should contain the domain name of the target system. (To find out the Authentication Domain Name, you can open CMD on the domain controller and enter `whoami`. The value before the backslash is the Authentication Domain Name.)
Open the tab System Feature and activate the function Authentication Provider active.
Step 3 - Identity Type settings
Activate the function “Authentication Provider active” for the corresponding Active Directory identity type on the tab “Identity Type Features”.
...
Navigate to the menu entry Identity Management, click on Identity Types, then select the identity type to which you want to add Integrated Windows Authentication.
In the tab Identity Type Features, activate the function Authentication Provider active.
Step 4 - Identity Provisioning Configuration
Navigate to the menu entry Identity Management, click on Identity Provisioning Configurations.
Make sure the CoreOne Suite account and the provisioning configuration in which you want to use Integrated Windows Authentication have different usernames.
For Active Directory this means the SAM-Account-Name (sAMAccountName) has to be different from the username of the CoreOne Suite account.
Step 5 - IIS Settings
Enable Windows Authentication in IIS for the site where the CoreOne Authentication Service is hosted, as described in this link: https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/windowsauthentication/
In IIS Manager, navigate to the site where the CoreOne Authentication Service is configured. In the Authentication pane, select Windows Authentication, and then click Enable in the Actions pane.
...
Important
...
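The same IIS change can be scripted and verified from an elevated PowerShell session on the web server. This is an added example, not part of the CoreOne documentation; the site name "Default Web Site" and the application path "CoreOneAuth" are assumptions and must be replaced with the values of your installation.

```powershell
# Added example (not from the CoreOne documentation): enable Windows Authentication
# for the IIS site/application hosting the CoreOne Authentication Service with the
# WebAdministration module, then read the setting back to verify it.
# Assumption: the site is "Default Web Site" and the application is "CoreOneAuth".
Import-Module WebAdministration

$location = 'Default Web Site/CoreOneAuth'
$filter   = 'system.webServer/security/authentication/windowsAuthentication'

# Enable Windows Authentication for the application only (same effect as selecting
# "Windows Authentication" and clicking "Enable" in the IIS Manager Authentication pane).
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
    -Filter $filter -Name 'enabled' -Value $true

# Verify the change instead of trusting it: the Value property must now be True.
$enabled = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
    -Filter $filter -Name 'enabled'
if (-not $enabled.Value) {
    throw "Windows Authentication is still disabled for $location"
}

# List the providers IIS will offer in the WWW-Authenticate challenge (typically
# Negotiate and NTLM). Negotiate is what lets the domain-joined client use Kerberos,
# which is the basis of the seamless SSO described in this article.
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
    -Filter "$filter/providers" -Name 'Collection' | Select-Object value
```

Run the script again after deployments that rewrite web.config, since the setting can be reset by a redeploy.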
Step 6 (Optional) - Internet Explorer Settings
Usually this step is the responsibility of the customer and should be done by them (typically through a group policy); it is only necessary for our internal systems:
Enable IWA for IE and Edge:
https://help.hcltechsw.com/domino/11.0.1/admin/secu_preparing_ie_for_adfs.html