Unable to render embedded object: File (Emp18Notice.png) not found.

Skip to end of banner
Go to start of banner

Configuring Windows Auth as an Identity Provider

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Current »

/wiki/spaces/E2D/pages/29982926  /  Single Sign-On and MFA  /  Configuring SSO Connections  /  Identity Provider Connections  /  Current: Configuring Windows Auth as an Identity Provider

The EmpowerID SSO Connector framework allows you to configure an Identity Provider connection for Windows Authentication to allow your users the ability to log in to EmpowerID using their Windows credentials.

For users to log in to EmpowerID using their Windows credentials, they must have user accounts either in the domain being protected by EmpowerID or in a domain trusted by that domain.

This topic describes how to configure an SSO connection for Windows Authentication and is divided into the following activities:

  • Configuring an SSO connection for Windows Authentication
  • Testing the SSO connection

To configure the SSO Connection for Windows Authentication

  1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to the SAML Connections management page by expanding Admin > Applications and Directories > SSO Connections and clicking SAML.
  2. From the SAML Connections tab of SAML SSO Manager, search for Windows.
  3. From the SAML Connections grid, click the drop-down arrow for the Login Using Windows record and click Edit.




  4. From the General tab of the Connection Details page that appears, do the following:
    1. Optionally, if you are using multi-factor authentication and you want to edit the default MFA Point Value for Windows auth, scroll to the Connection Details section and type a new value in the MFA Point Value field.




    2. Scroll to the Account Information section and select the directory for your AD domain from the Account Directory drop-down.




    3. Optionally, scroll to the Single Logout Configuration section and enter a logout URL in the Logout URL field.




    4. Leave all other fields as is.

  5. Click the Domains tab at the top of the page and then click the Add (+) button in the Assigned Domains section.

In the Add Domain dialog that appears, type the name of an existing EmpowerID domain for which you want a Windows login tile to appear on the Login page and then click the tile for that domain.



If you have not set up an IdP Domain for your environment, you can do so by following the directions in the below drop-down.



  1. Click Save to close the Add Domain dialog.
  2. Back in the Connections Details page, click Save to save your changes.

To test the SSO connection

  1. From the Navigation Sidebar, expand IT Shop and click Workflows.
  2. From the Workflows page, recycle the EmpowerID App Pools by clicking Recycle EmpowerID App Pools.




  3. Log out of the EmpowerID Web interface and navigate your browser to the domain name you configured for Windows auth.

  4. When prompted, enter your Windows credentials and then click OK.



    If you chose to give users accessing your portal the ability to log in using their EmpowerID accounts (or any other account) and you did not create an IP Address Range, they will be directed to the login page, where they could select a different login option. In this article, Windows Auth is the only login option for the portal so users will simply be prompted for their Windows credentials.

     Depending on your organizational policy for browser settings, after their first login, users may or may not be prompted for credentials.



  • No labels