Use to leverage the authentication already done on the windows workstation.

Please make sure that a SAMLDatasave authenticator is placed in front of this authenticator.


Name Description Default value Mandatory
idpID The internal identifier of the idp used N/A Yes
pipeID ID of the pipe to execute used to verify user credentials N/A Yes
authProtocol What IWA mechanism to use when talking to the client. Allowed values are 'NTLM' or 'Negotiate' NTML No
loginTemplate Template used when presenting end-user UI. This template is wher euser enters credantials winsso.template No
allowLanguageChange Should user be able to change template language N/A No
enableHoneypot Enable/disable bot protection true No
translationKey Body used in template. Value in this will try to map against language used by end-user login.messages.information.body No
includeQueryString Should initial query string parameters be passed on false No
errorRedirect Where to send user agent if pipe fails N/A No
iwaSSOTarget Where to initiate client IWA authenticate ajax POST. Example: /saml/authenticate/AUTHENTICATOR_ALIAS Current browser path No
iwa_error_redirect If iwa fails, where to send client. N/A No
sendSAMLResponseOnError Whether or not a SAMLResponse containing an error response should be sent back to the SP upon an internal authentication error. false No
strictValidation Whether or not additional validation checks should be made on the SAMLRequest. false No
resolveSAMLRequestProperties Whether or not request properties from the SAML AuthnRequest should be resolved before proceeding with the authentication. Typically used at the start of an authentication flow. false No

Example Configuration

    "alias": "samlwin",
    "name": "SAMLWindowsSSO",
    "configuration": {
        "idpID": "",
        "pipeID": "authPipe1",
        "iwaSSOTarget": "/saml/authenticate/samlwin",
    "id": "samlwin"


PAS must be installed on a windows host belonging to the same domain as the clients used by the users.

This authenticator MUST be used together with a SAMLDatasave authenticator.

Number of group membership restrictions

Users with a large number of group memberships may encounter problems with Kerberos authentication. Please view this article for more information: