Use this authenticator to leverage the authentication already performed on the Windows workstation.

Please make sure that a SAMLDatasave authenticator is placed in front of this authenticator.


| Name | Description | Default value | Mandatory |
|---|---|---|---|
| idpID | The internal identifier of the IdP used | N/A | Yes |
| pipeID | ID of the pipe to execute to verify user credentials | N/A | Yes |
| authProtocol | Which IWA mechanism to use when talking to the client. Allowed values are 'NTLM' or 'Negotiate' | NTLM | No |
| loginTemplate | Template used when presenting the end-user UI. This template is where the user enters credentials | winsso.template | No |
| allowLanguageChange | Whether the user should be able to change the template language | N/A | No |
| enableHoneypot | Enable/disable bot protection | true | No |
| translationKey | Body used in the template. The value will be mapped against the language used by the end user | login.messages.information.body | No |
| includeQueryString | Whether the initial query string parameters should be passed on | false | No |
| errorRedirect | Where to send the user agent if the pipe fails | N/A | No |
| iwaSSOTarget | Where to initiate the client IWA authenticate AJAX POST. Example: /saml/authenticate/AUTHENTICATOR_ALIAS | Current browser path | No |
| iwa_error_redirect | Where to send the client if IWA fails | N/A | No |
| strictValidation | Whether or not additional validation checks should be made on the SAMLRequest | false | No |

Example Configuration

    {
        "alias": "samlwin",
        "name": "SAMLWindowsSSO",
        "configuration": {
            "idpID": "",
            "pipeID": "authPipe1",
            "iwaSSOTarget": "/saml/authenticate/samlwin"
        },
        "id": "samlwin"
    }
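
A pre-deployment check of an authenticator entry against the parameter table above, as an added example that is not part of the product documentation. The function names are hypothetical, and accepting both JSON booleans and the strings "true"/"false" is an assumption about the value format.

```python
import json

# Parameter rules transcribed from the table on this page.
MANDATORY = ("idpID", "pipeID")
ALLOWED_PROTOCOLS = {"NTLM", "Negotiate"}
DEFAULTS = {"authProtocol": "NTLM", "enableHoneypot": "true", "strictValidation": "false"}


def as_bool(value):
    """Accept JSON booleans or "true"/"false" strings (value format is an assumption)."""
    return str(value).strip().lower() == "true"


def lint_authenticator(auth):
    """Return a list of (severity, message) findings for one SAMLWindowsSSO entry."""
    findings = []
    if auth.get("name") != "SAMLWindowsSSO":
        return [("error", "not a SAMLWindowsSSO authenticator")]
    cfg = {**DEFAULTS, **auth.get("configuration", {})}

    for key in MANDATORY:
        if not str(cfg.get(key, "")).strip():
            findings.append(("error", f"mandatory parameter {key} is missing or empty"))

    if cfg["authProtocol"] not in ALLOWED_PROTOCOLS:
        findings.append(("error", f"authProtocol {cfg['authProtocol']!r} is not NTLM or Negotiate"))

    if not as_bool(cfg["strictValidation"]):
        findings.append(("warn", "strictValidation is off: no additional SAMLRequest checks"))
    if not as_bool(cfg["enableHoneypot"]):
        findings.append(("warn", "enableHoneypot is off: bot protection disabled"))

    # The table's example target is /saml/authenticate/AUTHENTICATOR_ALIAS.
    target = cfg.get("iwaSSOTarget")
    expected = f"/saml/authenticate/{auth.get('alias')}"
    if target is not None and target != expected:
        findings.append(("warn", f"iwaSSOTarget {target!r} differs from {expected!r}"))
    return findings


# Constructed sample: the page's example configuration, unchanged.
SAMPLE = json.loads("""
{"alias": "samlwin", "name": "SAMLWindowsSSO", "id": "samlwin",
 "configuration": {"idpID": "", "pipeID": "authPipe1",
                   "iwaSSOTarget": "/saml/authenticate/samlwin"}}
""")

if __name__ == "__main__":
    for severity, message in lint_authenticator(SAMPLE):
        print(f"{severity}: {message}")
```

Run against the example configuration as printed, it reports the empty mandatory `idpID` and the default-off `strictValidation`.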


PAS must be installed on a Windows host belonging to the same domain as the clients used by the users.

This authenticator MUST be used together with a SAMLDatasave authenticator.

Number of group membership restrictions

Users with a large number of group memberships may encounter problems with Kerberos authentication. Please view this article for more information: