Hybrid New UI setup for External MFA and Internal IWA

    Applies to:
  • SecureAuth Identity Platform
Deployment model:
  • Hybrid
  • Version Affected: 24.4.x

    Description:  

    This article explains how to set up WindowsSSO / IWA for internal access and MFA for external access using the New UI with a two-realm setup.

    Users are directed to Realm A first. Based on their IP address, they are either prompted for MFA or redirected to Realm B for WindowsSSO / IWA.

     

    Instructions:  

    Realm A Policy Setup for MFA and / or redirect for WindowsSSO / IWA.

    1. Create a new Policy for External Access (MFA)

    2. On the “Authentication Rules” tab, add a new “IP Range” rule that redirects users coming from an internal IP range (trusted IPs) to Realm B for the WindowsSSO / IWA workflow. Users not coming from a trusted IP remain on Realm A for MFA.

    3. On the “Login Workflow” tab, select the desired MFA login workflow.

    4. See screenshots:

    Realm B Policy Setup for WindowsSSO / IWA.

    1. Create a new Policy for Internal Access (WindowsSSO / IWA)

    2. On the “Authentication Rules” tab, add a new “IP Range” rule to “Skip MFA” if the user is coming from an internal IP range (trusted IPs).

    3. On the “Login Workflow” tab, select “Passwordless”.

    4. Go to “Advanced Settings” and select the Realm B workflow tab.

    5. Scroll down to “Custom Identity Consumer” section.

    6. Set the following settings

      1. Receive Token: Token

      2. Require Begin Site: True

      3. Begin Site: Windows SSO

      4. Begin Site URL: WindowsSSO.aspx

      5. User Impersonation: True

      6. Windows Authentication: True

     

     

     

     

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
