Configuring Windows Auth as an Identity Provider

The EmpowerID SSO Connector framework allows you to configure an Identity Provider connection for Windows Authentication to allow your users the ability to log in to EmpowerID using their Windows credentials.

For users to log in to EmpowerID using their Windows credentials, they must have user accounts either in the domain being protected by EmpowerID or in a domain trusted by that domain.

This topic describes how to configure an SSO connection for Windows Authentication and is divided into the following activities:

To configure the SSO Connection for Windows Authentication

  1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to the SAML Connections management page by expanding Admin > Applications and Directories > SSO Connections and clicking SAML.
  2. From the SAML Connections tab of SAML SSO Manager, search for Windows.
  3. From the SAML Connections grid, click the drop-down arrow for the Login Using Windows record and click Edit.
  4. From the General tab of the Connection Details page that appears, do the following:
    1. Optionally, if you are using multi-factor authentication and you want to edit the default MFA Point Value for Windows auth, scroll to the Connection Details section and type a new value in the MFA Point Value field.
    2. Scroll to the Account Information section and select the directory for your AD domain from the Account Directory drop-down.
    3. Optionally, scroll to the Single Logout Configuration section and enter a logout URL in the Logout URL field.
    4. Leave all other fields as is.
  5. Click the Domains tab at the top of the page and then click the Add (+) button in the Assigned Domains section.
  6. In the Add Domain dialog that appears, type the name of an existing EmpowerID domain for which you want a Windows login tile to appear on the Login page and then click the tile for that domain.
  7. If you have not set up an IdP Domain for your environment, you can do so by following the directions in the below drop-down.
    • To create an IdP Domain
      1. From the Navigation Sidebar, navigate to the SSO Components management page by expanding Admin > Applications and Directories > SSO Connections and clicking SSO Components.
      2. Click the IdP Domains tab and then click the Add IdP Domain (+) button.
      3. Type the fully qualified domain name in the Domain Name field and then click Save.
  8. Click Save to close the Add Domain dialog.
  9. Back in the Connections Details page, click Save to save your changes.
If you want to give users the ability to log in to the IdP Domain using their EmpowerID accounts, add EmpowerID to the domain as a SAML Identity Provider. Other login options include social media applications like Facebook or LinkedIn.

To test the SSO connection

  1. From the Navigation Sidebar, navigate to the Workflows page by expanding IT Shop and clicking Workflows.
  2. From the Workflows page, recycle the EmpowerID App Pools by clicking Recycle EmpowerID App Pools.
  3. Log out of the EmpowerID Web interface and navigate your browser to the domain name you configured for Windows auth.
  4. When prompted, enter your Windows credentials and then click OK.
  5. If you chose to give users accessing your portal the ability to log in using their EmpowerID accounts (or any other account) and you did not create an IP Address Range, they will be directed to the login page, where they could select a different login option. In this article, Windows Auth is the only login option for the portal so users will simply be prompted for their Windows credentials.
    Depending on your organizational policy for browser settings, after their first login, users may or may not be prompted for credentials.