Integrated Windows Authentication (IWA) is an optional Windows configuration for seamless SAML SSO authentication. IWA requires client machine access to the Internal SSO host, either while connected to the corporate network or through a VPN connection.


Please refer to the following MSKB for more information: https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/integrated-windows-authentication



Mozilla Firefox

Firefox requires HTTPS for IWA.

  1. Open Firefox and navigate to about:config
  2. Edit the following settings:

  

| Setting | Value |
| --- | --- |
| network.negotiate-auth.delegation-uris | https://<yourIWAServer.yourdomain.local> |
| network.automatic-ntlm-auth.trusted-uris | https://<yourIWAServer.yourdomain.local> |
| network.automatic-ntlm-auth.allow-proxies | True |
| network.negotiate-auth.allow-proxies | True |
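
An added example, not part of the original article: a Python check that reads the text of a Firefox profile's prefs.js (or user.js) and reports entries in the two URI-list preferences above that are not pinned to a single https:// host, or that name a host other than the expected IWA server. The host name sso.corp.example.local and the sample preference lines are constructed for illustration.

```python
import re

# The two URI-list preferences from the table above.
URI_PREFS = (
    "network.negotiate-auth.delegation-uris",
    "network.automatic-ntlm-auth.trusted-uris",
)
# String-valued user_pref("name", "value"); lines as written in prefs.js / user.js.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"([^"]*)"\s*\);', re.M)
# Exactly one fully qualified host over HTTPS, optional port, no wildcard or suffix.
HOST_RE = re.compile(r"^https://[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+(:\d+)?/?$")

# Constructed sample input (not taken from a real profile).
SAMPLE_PREFS = """
user_pref("network.negotiate-auth.delegation-uris", "https://sso.corp.example.local");
user_pref("network.automatic-ntlm-auth.trusted-uris", "https://sso.corp.example.local, .example.local,http://intranet.example.local");
user_pref("network.automatic-ntlm-auth.allow-proxies", true);
"""


def audit_iwa_prefs(text, expected_host):
    """Return findings for URI-list entries broader than the one IWA server."""
    prefs = dict(PREF_RE.findall(text))
    expected = f"https://{expected_host}".lower()
    findings = []
    for name in URI_PREFS:
        entries = [e.strip() for e in prefs.get(name, "").split(",") if e.strip()]
        if not entries:
            findings.append(f"{name}: not set")
        for entry in entries:
            if not HOST_RE.match(entry):
                findings.append(f"{name}: '{entry}' is not a single https:// host")
            elif entry.rstrip("/").lower() != expected:
                findings.append(f"{name}: '{entry}' is not the expected IWA server")
    return findings


if __name__ == "__main__":
    for finding in audit_iwa_prefs(SAMPLE_PREFS, "sso.corp.example.local"):
        print(finding)
```
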


Firefox with NoScript Extension
  1. Download and install the NoScript extension
  2. Click Options > Whitelist
  3. In the Address of website field:
    1. Enter <yourdomain.local> (domain of IWA server) then click Allow
    2. Enter getsilo.com then click Allow
    3. Navigate to Advanced > ABE > SYSTEM
    4. Review and copy the RuleSet example then click OK

# Prevent Internet sites from requesting LAN resources
Site LOCAL
Accept from LOCAL

# Allow Silo login portal
Site https://getsilo.com/for/<vanity_url>
Accept from https://getsilo.com/for/<vanity_url>

# Allow internal IWA server
Site https://<yourIWAServer.yourdomain.local>
Accept from https://<yourIWAServer.yourdomain.local>

# Deny all other cross-origin access attempts
Deny



Google Chrome

3rd-party guideline: https://specopssoft.com/blog/configuring-chrome-and-firefox-for-windows-integrated-authentication/

 

Sample batch script:


@echo off
cd /d "C:\Program Files (x86)\Google\Chrome\Application"

start chrome.exe ^
  --auth-server-whitelist="InternalSSOHostserver.domain.com" ^
  --auth-negotiate-delegate-whitelist="InternalSSOHostserver.domain.com" ^
  --auth-schemes="digest,ntlm,negotiate"



Microsoft Edge

Based on limited testing with ADFS as the SAML SSO IdP, Microsoft Edge supports IWA by default.




Please contact Support for any additional questions.