When your client machines are domain-joined and you want SSO to be seamless, you need to use Integrated Windows Authentication (IWA). IWA only works when your client machines can contact your internal Single Sign On Host Server, either through VPN or on the corporate network in the office.

IWA for Windows Clients

Mozilla Firefox

Note: Firefox requires your IWA service to use HTTPS.

  1. Open Firefox and navigate to about:config
  2. Edit the following settings:


Firefox with NoScript:
If your users run the popular NoScript add-on, use these instructions to configure NoScript for IWA:
  1. Click the NoScript icon
  2. Click Options > Whitelist
  3. In the "Address of website" box:
    1. Type <yourdomain.local> (domain of IWA server) then click Allow
    2. Type "getsilo.com" (without the quotes) then click Allow
  4. Click Advanced > ABE > SYSTEM
  5. Copy this configuration into your Ruleset then click OK

Google Chrome

See http://www.specopssoft.com/configuring-chrome-and-firefox-for-windows-integrated-authentication/ for all the details. The simplest way to test this is with a batch script.


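rem Change to the Chrome install directory (path contains spaces, so quote it)
cd "\Program Files (x86)\Google\Chrome\Application"

rem Start Chrome with IWA enabled only for the internal SSO host
chrome.exe --auth-server-whitelist="InternalSSOHostserver.domain.com" --auth-negotiate-delegate-whitelist="InternalSSOHostserver.domain.com" --auth-schemes="digest,ntlm,negotiate"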


Microsoft Internet Explorer

  1. Tools
  2. Internet Options
  3. Security
  4. Local intranet
  5. Custom Level > Scroll to bottom of list > Ensure User Authentication > Logon is set to "Automatic logon only in Intranet zone" > OK
  6. Sites
  7. Advanced
  8. Type http://InternalSSOHostserver.domain.com then click Add, type https://InternalSSOHostserver.domain.com then click Add
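
The Internet Explorer steps above can also be applied per user from PowerShell. This is an added example, not part of the original article; it writes the standard Internet Settings zone values under HKCU, and the $HostLabel and $Domain variables are assumptions that split the article's placeholder host name.

```powershell
# Added example: scripted equivalent of the Internet Options steps above (current user only).
# Placeholder host from the article, split into host label and parent domain (assumed values).
$HostLabel = 'InternalSSOHostserver'
$Domain    = 'domain.com'

$InetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$IntranetZone = 1          # zone 1 = Local intranet
$LogonSetting = '1A00'     # URL action behind User Authentication > Logon
$AutoIntranet = 0x20000    # "Automatic logon only in Intranet zone"

$zoneKey = Join-Path $InetSettings "Zones\$IntranetZone"
$siteKey = Join-Path $InetSettings "ZoneMap\Domains\$Domain\$HostLabel"

# Steps 1-5: set the logon behaviour for the Local intranet zone
if (-not (Test-Path $zoneKey)) { New-Item -Path $zoneKey -Force | Out-Null }
Set-ItemProperty -Path $zoneKey -Name $LogonSetting -Value $AutoIntranet -Type DWord

# Steps 6-8: map http and https for the SSO host into the Local intranet zone
if (-not (Test-Path $siteKey)) { New-Item -Path $siteKey -Force | Out-Null }
foreach ($scheme in 'http', 'https') {
    Set-ItemProperty -Path $siteKey -Name $scheme -Value $IntranetZone -Type DWord
}

# Read the values back and stop if either write did not take effect
$logon = (Get-ItemProperty -Path $zoneKey -Name $LogonSetting).$LogonSetting
if ($logon -ne $AutoIntranet) { throw "Logon setting is $logon, expected $AutoIntranet" }
foreach ($scheme in 'http', 'https') {
    $mapped = (Get-ItemProperty -Path $siteKey -Name $scheme).$scheme
    if ($mapped -ne $IntranetZone) { throw "$scheme for $HostLabel.$Domain is in zone $mapped" }
}

# Every site mapped to zone 1 is sent the user's Windows credentials automatically,
# so list all current mappings and confirm only expected internal hosts appear.
Get-ChildItem -Path (Join-Path $InetSettings 'ZoneMap\Domains') -Recurse |
    ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValue($name) -eq $IntranetZone) {
                [pscustomobject]@{ Scheme = $name; RegistryKey = $key.Name }
            }
        }
    }
```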

Microsoft Edge

It appears that Edge does IWA automatically from our limited testing with ADFS as the SSO IdP.