Configuring seamless SSO

By default, users must navigate to the Trust Protection Foundation login screen and enter their username to trigger the system's authentication routing. If you want to provide a truly seamless experience where users bypass the local login screen entirely, you can configure the system to accept Identity Provider-initiated login flows or use Integrated MS Windows Authentication.

Identity Provider-initiated (IdP-initiated) SSO

The most common way to bypass the local login screen in modern environments is to allow users to launch Trust Protection Foundation directly from your identity provider's central application dashboard (for example, clicking an application tile in Okta or Microsoft Entra ID).

To support this seamless routing:

  1. Ensure your identity provider is configured to support IdP-initiated flows.
  2. If you are using a SAML authentication profile, you must explicitly allow this behavior in Trust Protection Foundation. Open your identity connector's Single Sign-On tab and select the Unsolicited AuthN requests permitted checkbox.

Integrated MS Windows Authentication

If your organization uses Active Directory, you can use Integrated MS Windows Authentication to allow a user's web browser to automatically pass their current Windows desktop session credentials directly to the web console.

Requirements and limitations

  • Trust Protection Foundation must be a member of your Active Directory Windows domain.
  • Windows Authentication is only compatible with Active Directory identity connectors; it is not compatible with LDAP, SCIM, or local directories.

Step 1: Install the Windows Authentication server role

You must first ensure the underlying Windows server hosting Trust Protection Foundation supports this feature.

  1. In Windows, open Server Manager, click the Manage menu, and select Add Roles and Features.
  2. Progress through the wizard to the Server Roles page.
  3. Expand Web Server (IIS), expand Web Server, expand Security, and select Windows Authentication.
  4. Complete the wizard and install the role.

Step 2: Configure IIS authentication methods

Once the server role is installed, you must modify the IIS sites.

  1. Open Internet Information Services (IIS) Manager.
  2. In the Connections pane, expand your server and navigate to the Venafi site.
  3. Select the web console application you want to configure (for example, Aperture or VEDAdmin).
  4. Double-click the Authentication feature.
  5. Right-click Anonymous Authentication and select Disabled.
  6. Right-click Windows Authentication and select Enabled.

Step 3: Update application configuration mode

  1. Still in IIS Manager, select the web console application again.
  2. Under the Management section, double-click Configuration Editor.
  3. From the Section drop-down list, select system.web/authentication.
  4. In the Deepest Path group, expand the Forms node, and change the mode entry from None to Windows.
  5. Click Apply.
  6. Repeat Steps 2 and 3 for all necessary web consoles, and then open a command prompt and run iisreset to apply the changes.

Step 4: Configure the user's browser

For the seamless login to function, the user's machine must be configured to trust the server and automatically pass the credentials.

  1. On the user's local Windows machine, open Internet Options from the Control Panel.
  2. On the Security tab, select Trusted sites, click Sites, and add the Fully Qualified Domain Name (FQDN) of your Trust Protection Foundation server (or load balancer) to the list.
  3. Still on the Security tab, select the Local intranet zone, and click Custom Level....
  4. Scroll down to User Authentication > Logon, select Automatic logon with current user name and password, and click OK.
  5. Repeat the Custom Level configuration for the Trusted sites zone, and save your changes.
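As an added example (not Venafi's own code or documentation), the following PowerShell automates the server-side Steps 1 through 3 above with the standard ServerManager and WebAdministration modules and reads the effective settings back before running iisreset; the site name Venafi and the application names Aperture and VEDAdmin are taken from the steps above, and the list of consoles to convert is an assumption you should adjust.

```powershell
# Added example (not from the Venafi documentation): automates Steps 1-3 above
# with the ServerManager and WebAdministration modules. Run elevated on the
# Trust Protection Foundation server. Site name "Venafi" and the application
# names come from the page; adjust $Apps to the consoles you actually expose.
#Requires -RunAsAdministrator
Import-Module ServerManager
Import-Module WebAdministration

$SiteName = 'Venafi'
$Apps     = @('Aperture', 'VEDAdmin')   # assumption: the consoles to convert

# Step 1: Windows Authentication role service (Web Server (IIS) > Security)
if (-not (Get-WindowsFeature Web-Windows-Auth).Installed) {
    Install-WindowsFeature Web-Windows-Auth | Out-Null
}

$AuthBase = 'system.webServer/security/authentication'
foreach ($App in $Apps) {
    $AppPath = "IIS:\Sites\$SiteName\$App"
    if (-not (Test-Path $AppPath)) {
        Write-Warning "Skipping missing application $AppPath"
        continue
    }
    # Step 2: IIS authentication modules for this application only. These are
    # server-locked system.webServer settings, so write them with -Location.
    $Loc = "$SiteName/$App"
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Loc `
        -Filter "$AuthBase/anonymousAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Loc `
        -Filter "$AuthBase/windowsAuthentication" -Name enabled -Value $true

    # Step 3: ASP.NET mode None -> Windows (system.web/authentication in web.config)
    Set-WebConfigurationProperty -PSPath $AppPath `
        -Filter 'system.web/authentication' -Name mode -Value 'Windows'
}

# Read back the effective settings before restarting IIS, so a console that
# is still anonymous or still mode=None is caught here rather than by users.
foreach ($App in $Apps) {
    $Loc  = "$SiteName/$App"
    $anon = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Loc `
             -Filter "$AuthBase/anonymousAuthentication" -Name enabled).Value
    $win  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Loc `
             -Filter "$AuthBase/windowsAuthentication" -Name enabled).Value
    $mode = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$App" `
             -Filter 'system.web/authentication' -Name mode
    '{0}: anonymous={1} windows={2} mode={3}' -f $Loc, $anon, $win, $mode
}

iisreset
```

Each console should report anonymous=False, windows=True and mode=Windows before the reset; a console still showing mode=None will keep presenting the local login screen.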