Description of the use IWA parameter in Integrated Windows Authentication settings

Interprets the meaning of the use IWA parameter in IWA settings

For end users to experience desktop SSO with their Windows applications, the IT administrator should configure the use IWA parameter as described here:

Use IWA Settings Description

Use IWA value | Interpretation
Never (default) | Desktop SSO is never used on this IdP. IWA is disabled.
Always | IWA is enabled. Desktop SSO will always be used with this IdP, irrespective of whether the user is on or off the premise and of device characteristics like browser or operating system type. If the user is off the network, they will not be able to authenticate with the IdP. If they are off-net or on a device that has not joined the Windows domain, they will get a 401 Authorization Required error.
When-applicable | IWA is enabled. Desktop SSO will only be used when ALL of these configured conditions are satisfied:
  • The device is on-net (either when the end user is on VPN or on a subnet that matches the value in on premise subnet and user on premise checked on the domain-joined machine). See Add public IP gateways to an IdP for adding an on premise subnet.
  • End user’s browser matches the regular expression configured.
  • End user’s operating system matches the regular expression configured.

If any of these conditions are not met, the end user is presented with a login form for entering username and password.
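
The three settings can be modelled as a small decision function, which is useful for checking a planned subnet and regular-expression configuration against sample clients before rolling it out. This is an added example, not the product's code: the class names, field names, outcome strings, the simplified on-net test (VPN or subnet match) and the use of unanchored `re.search` matching are all assumptions, and the subnet and client values are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class IwaSettings:              # hypothetical container, not the product's schema
    use_iwa: str                # "Never", "Always" or "When-applicable"
    on_prem_subnets: tuple = () # CIDR strings for the on premise subnet setting
    browser_regex: str = ""
    os_regex: str = ""

@dataclass
class Client:                   # constructed description of one sign-in attempt
    ip: str
    on_vpn: bool
    domain_joined: bool
    browser: str
    os: str

def is_on_net(s, c):
    """Assumed on-net test: on VPN, or source IP inside a configured subnet."""
    addr = ipaddress.ip_address(c.ip)
    return c.on_vpn or any(addr in ipaddress.ip_network(n) for n in s.on_prem_subnets)

def decide(s, c):
    """Return 'iwa-disabled', 'desktop-sso', 'login-form' or '401'."""
    if s.use_iwa == "Never":
        return "iwa-disabled"
    if s.use_iwa == "Always":
        # No fallback in this mode: off-net or non-domain-joined clients fail with 401.
        return "desktop-sso" if is_on_net(s, c) and c.domain_joined else "401"
    if s.use_iwa == "When-applicable":
        # ALL three configured conditions must hold; otherwise the login form is shown.
        ok = (is_on_net(s, c)
              and re.search(s.browser_regex, c.browser) is not None
              and re.search(s.os_regex, c.os) is not None)
        return "desktop-sso" if ok else "login-form"
    raise ValueError(f"unknown use IWA value: {s.use_iwa!r}")

if __name__ == "__main__":
    cfg = IwaSettings("When-applicable", ("10.20.0.0/16",), r"Chrome|Edge", r"Windows")
    samples = [                 # constructed sample clients
        Client("10.20.5.9", False, True, "Chrome", "Windows 11"),
        Client("203.0.113.7", False, True, "Chrome", "Windows 11"),
        Client("10.20.5.9", False, True, "Firefox", "Windows 11"),
    ]
    for c in samples:
        print(c.ip, c.browser, c.os, "->", decide(cfg, c))
```

Running the same sample clients through an `Always` configuration shows which of them would receive the 401 error instead of a login form.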