Integrated Windows Authentication
Integrated Windows Authentication (IWA) is a feature of Microsoft Windows NT-based operating systems that allows automatically authenticated connections between the IDR SSO Agent, Microsoft Internet Information Services (IIS), Internet Explorer, and other Active Directory-aware applications. Using IWA with the IDR SSO Agent provides a streamlined single sign-on (SSO) experience for users who sign in to the application portal or protected web applications from a domain-joined workstation inside your corporate domain.
Process Flow and User Experience
By default, when a user attempts to access the application portal or a protected web application, the identity router redirects the user to the portal sign-in page. If not already authenticated, the user must enter valid sign-in credentials to continue. With IWA enabled, users who are already authenticated to your corporate domain can bypass the portal sign-in page.
If you enable IWA, the following occurs when a user attempts to access the application portal or a protected web application from within your corporate Windows domain:
The identity router redirects the request to an IIS server on your network that hosts the IWA Connector.
The IIS server challenges the browser for Windows authentication and verifies the user's Windows credentials (the Kerberos ticket or NTLM response the browser supplies) against Active Directory.
If verification succeeds, the IIS server issues a Security Assertion Markup Language (SAML) assertion to the identity router, allowing the user to bypass the portal sign-in page and access the portal or protected application without manually entering a username and password.
The IDR SSO Agent prompts the user for additional authentication credentials if the access policy for the web application requires them.
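The two probes below exercise the first three steps of that flow from a domain-joined workstation, so you can confirm that the IIS server actually issues a Windows authentication challenge and then returns a SAML assertion. This is an added example, not code from the RSA documentation or the IDR SSO Agent; it targets Windows PowerShell 5.1, and the connector URL is an assumption (use the URL the identity router redirects you to, including any SAMLRequest parameter it carries).

```powershell
# Added example, not code from the RSA documentation or the IDR SSO Agent.
# Targets Windows PowerShell 5.1 on a domain-joined workstation. The URL is an
# assumption: use the IWA Connector URL the identity router redirects you to.
$ConnectorUrl = 'https://iwa.corp.example.com/'

function Test-IwaChallenge {
    param([string]$Url)
    # Step 1 of the flow: with no credentials attached, IIS must refuse with
    # 401 and advertise Negotiate (Kerberos/NTLM). Anything else means Windows
    # Authentication is not enabled on that site or anonymous access is still on.
    try {
        $null = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        return [pscustomobject]@{ Status = 200; Schemes = @() }
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if (-not $resp) { throw }   # DNS or TLS failure, not an HTTP answer
        $schemes = $resp.Headers.GetValues('WWW-Authenticate')
        if (-not $schemes) { $schemes = @() }
        return [pscustomobject]@{
            Status  = [int]$resp.StatusCode
            Schemes = $schemes
        }
    }
}

function Test-IwaSso {
    param([string]$Url)
    # Steps 2 and 3: -UseDefaultCredentials lets WinHTTP answer the challenge
    # with the logged-on user's Kerberos ticket (or NTLM). On success the
    # connector returns the SAML HTTP-POST binding form that carries the
    # assertion to the identity router, so the portal sign-in page is skipped.
    $r = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing -ErrorAction Stop
    [pscustomobject]@{
        Status   = $r.StatusCode
        SamlForm = [bool]($r.Content -match 'name="SAMLResponse"')
        Server   = $r.Headers['Server']
    }
}

$challenge = Test-IwaChallenge -Url $ConnectorUrl
"Unauthenticated probe: HTTP $($challenge.Status), WWW-Authenticate: $($challenge.Schemes -join ', ')"
if ($challenge.Status -ne 401 -or -not ($challenge.Schemes -match '^Negotiate')) {
    Write-Warning 'IIS did not challenge with Negotiate; browsers will fall through to the portal sign-in page.'
}

$sso = Test-IwaSso -Url $ConnectorUrl
"Authenticated probe: HTTP $($sso.Status), SAML POST form present: $($sso.SamlForm)"

# Confirm Kerberos rather than NTLM fallback was used: after the call, klist
# shows a service ticket for the connector's HTTP/<hostname> SPN.
klist | Select-String -Pattern 'HTTP/'
```

If the authenticated probe succeeds but klist shows no HTTP/ ticket for the connector hostname, the browser authenticated with NTLM instead of Kerberos; that usually means the HTTP/<hostname> SPN is not registered on the IIS application pool account for the name the user actually connects to. That check matters again when the connector is reached through a load balancer name.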
High Availability for Integrated Windows Authentication
You can provide high availability for IWA authentication by deploying more than one IWA Connector server behind a load balancer. SAML authentication requests from the identity router are then spread across the connector servers, and no single IIS server is a single point of failure. To configure high availability, perform these steps:
Deploy the IWA Connector on two or more IIS servers. All of the IIS servers must point to the same Active Directory domain.
Configure every connector in exactly the same way, for example, with the same Issuer ID, Issuer Signing Certificate, and so on. The identity router validates each assertion against one Issuer ID and one signing certificate, so a connector that differs from the others produces assertions that are rejected.
In the Issuer URL field, specify the load balancer hostname for the cluster of IWA Connector servers. For instructions, see step 10 in the Add Integrated Windows Authentication as an Identity Provider section of Deploying Integrated Windows Authentication.
Deploy a load balancer that is "sticky," keeping each user's session on the server where it started. The Windows authentication challenge and response and the SAML exchange that follows must complete on the same connector server.
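The script below checks that a set of IWA Connector nodes really are configured identically, as the steps above require, by reading each node's IIS authentication settings and the thumbprint of its signing certificate over PowerShell remoting. It is an added example, not code from the RSA documentation or the IWA Connector installer. The node names, the IIS site name (IWAConnector), and the location of the Issuer Signing Certificate (the LocalMachine\My store, found by subject CN) are assumptions; adjust them to match your deployment.

```powershell
# Added example, not code from the RSA documentation or the IWA Connector.
# Assumptions: the connector is installed as IIS site 'IWAConnector' on each
# node, and the Issuer Signing Certificate lives in Cert:\LocalMachine\My with
# the subject below. Requires WinRM access to the nodes and the WebAdministration
# module on them (installed with the IIS management tools).
$Nodes    = 'iwa01.corp.example.com', 'iwa02.corp.example.com'   # assumption
$SiteName = 'IWAConnector'                                        # assumption
$CertSubj = 'CN=IWA-SAML-Signing'                                 # assumption

$collect = {
    param($Site, $CertSubject)
    Import-Module WebAdministration
    $path = "IIS:\Sites\$Site"
    $auth = '/system.webServer/security/authentication'
    # Windows Authentication must be on and anonymous off, otherwise IIS serves
    # the site without ever sending the Negotiate challenge.
    $win  = Get-WebConfigurationProperty -PSPath $path -Filter "$auth/windowsAuthentication"   -Name enabled
    $anon = Get-WebConfigurationProperty -PSPath $path -Filter "$auth/anonymousAuthentication" -Name enabled
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq $CertSubject } |
            Select-Object -First 1
    $thumb   = if ($cert) { $cert.Thumbprint } else { $null }
    $expires = if ($cert) { $cert.NotAfter }   else { $null }
    [pscustomobject]@{
        Node            = $env:COMPUTERNAME
        WindowsAuth     = [bool]$win.Value
        AnonymousAuth   = [bool]$anon.Value
        SigningCertHash = $thumb
        CertExpires     = $expires
    }
}

$results = Invoke-Command -ComputerName $Nodes -ScriptBlock $collect -ArgumentList $SiteName, $CertSubj
$results | Format-Table Node, WindowsAuth, AnonymousAuth, SigningCertHash, CertExpires -AutoSize

# Every node must agree: Windows auth on, anonymous off, exactly one signing
# certificate thumbprint across the cluster (same Issuer Signing Certificate).
$hashes = @($results.SigningCertHash | Where-Object { $_ } | Sort-Object -Unique)
$bad    = @($results | Where-Object { -not $_.WindowsAuth -or $_.AnonymousAuth -or -not $_.SigningCertHash })

if ($hashes.Count -ne 1 -or $bad.Count -gt 0) {
    Write-Warning ('Connector nodes differ: {0} distinct signing certs, {1} node(s) misconfigured ({2}). ' +
                   'The identity router will reject assertions from the odd node out.') -f
                   $hashes.Count, $bad.Count, (($bad.Node) -join ', ')
} else {
    "All $($Nodes.Count) nodes challenge with Windows Authentication and sign with $($hashes[0])"
}
```

Run it before you put the load balancer in front of the cluster and again after renewing the signing certificate, since a renewed certificate on one node and not the others is the common way the cluster silently stops agreeing on the Issuer Signing Certificate.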