A typical Desktop SSO implementation uses Active Directory Connectors (ADCs) to handle the authentication requests that OneLogin redirects to your network. As an alternative, you can use a remote authentication script running on Microsoft Internet Information Services (IIS) on your Windows network.
For information about implementing Desktop SSO using ADC, see Configuring Desktop SSO using Active Directory Connectors.
Microsoft Internet Information Services (IIS) with ASP
To implement Desktop SSO using a remote authentication script:
- Log in to your OneLogin account as an administrator.
- Go to Settings > Desktop SSO to access the Desktop SSO page.
- Enter your network IP addresses. There are two options:
  For new Desktop SSO configurations, enter your network IP addresses in the IP Addresses (required) field, separated by spaces. These are the public (egress) addresses from which your users reach OneLogin; only requests arriving from these addresses are redirected to Desktop SSO.
  Your OneLogin account must use a subdomain (yoursubdomain.onelogin.com) and trigger Desktop SSO off of the subdomain. When you configure your script (below), ensure that your script sends to app.onelogin.com. For more information about setting up your subdomain, see Branding.
If you use a proxy and firewall service like Zscaler, enter the IP addresses of the service, not your own host addresses as forwarded using
If you haven't enabled your subdomain (on the Branding page), or if you enabled Desktop SSO before December 21, 2015 and want to update your IP address list, you must contact OneLogin customer support and provide them with your public gateway network's IP addresses.
Support will ask you for additional details to verify your account ownership. When support has verified your account ownership and has entered the IP addresses for you, the IP addresses will appear in the Global IP Addresses (Legacy) field (read-only) after you save the page.
- Select Include mobile devices to redirect authentication requests that are initiated from mobile devices on your network to Desktop SSO.
  Your users' mobile browsers must support Integrated Windows Authentication (IWA). It is usually best to exclude mobile devices from Desktop SSO; contact OneLogin support for guidance.
- Download the remote authentication script.
  Under Redirect URL, select Fixed URL (used for IIS scripts or Single Connector DSSO environments), then click the Download Remote Authentication Script link. OneLogin generates the script using your account settings.
- Edit the script to add the domain, username and password of the account the script will use to read from Active Directory over LDAP:
  sLdapReaderUsername = "your_domain/username"
  sLdapReaderPassword = "your_password"
  These credentials must validate against your Active Directory over LDAP. The script only looks users up, so use a dedicated, least-privilege read-only account rather than an administrator. Note that the password is stored in clear text in the script: restrict the file's permissions on the IIS server and keep the file out of source control.
  The example below shows an edited script file:
Make note of where you save the script. You will provide the server address and script location to OneLogin in a later step. In our example, we save it to
- Configure IIS to enable Windows Authentication.
  As a member of your Administrators group or as a delegated user on your Windows Server machine, start Internet Information Services (IIS) Manager. See your Windows Server documentation to learn how to start and use IIS.
  - Select your server.
  - Select Authentication.
  - Disable Anonymous Authentication and enable Windows Authentication.
  With Windows Authentication enabled, IIS answers an unauthenticated request with a 401 challenge (Negotiate, so Kerberos or NTLM), which a domain-joined browser on your network satisfies silently with the logged-on user's identity; that identity is what the script passes on to OneLogin. If Anonymous Authentication stays enabled, IIS serves the request anonymously, no challenge is issued, and the script sees no user.
  If you don't see the Windows Authentication option, go to Server Manager or the Add Roles and Features Wizard (depending on your Windows Server version) to add a Role Service. Under Security, enable Windows Authentication. The example below is from Windows Server 2008.
- Return to OneLogin and go to Settings > Desktop SSO to enter the address of the redirect script on your server. Select Fixed URL (used for IIS scripts) and enter the script address (in the format http://server_address/path_to_script) in the Script Redirect URL field. If your IIS server has a TLS certificate, use an https:// address so that the Windows authentication exchange and the redirect back to OneLogin are not sent in clear text.
- Click Save.
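The IIS side of the procedure above, done from PowerShell rather than IIS Manager, with the checks a practitioner would want before pointing OneLogin at the script. This is an added example and is not part of the OneLogin page or product; the site name "Default Web Site", the application path "dsso", the URL http://dsso.corp.example/dsso/dsso.asp and the helper function Get-HttpStatus are all assumptions to be replaced with your own values.

```powershell
# Added example (not from the OneLogin documentation): prepares and checks the
# IIS host for the remote authentication script. Placeholders (assumptions):
#   - the script is published as application "dsso" under "Default Web Site"
#   - it is reachable at http://dsso.corp.example/dsso/dsso.asp
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName  = 'Default Web Site'
$AppPath   = 'dsso'
$ScriptUrl = 'http://dsso.corp.example/dsso/dsso.asp'

# 1. Check that the LDAP reader account binds to Active Directory *before* its
#    password is pasted into sLdapReaderPassword. A read-only account is enough.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$cred = Get-Credential -Message 'LDAP reader account used by the script'
$ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
            [System.DirectoryServices.AccountManagement.ContextType]::Domain)
if (-not $ctx.ValidateCredentials($cred.UserName, $cred.GetNetworkCredential().Password)) {
    throw "LDAP bind failed for $($cred.UserName); fix the account before editing the script."
}
Write-Host "LDAP bind OK for $($cred.UserName)"

# 2. Install the role services the page says may be missing: Windows
#    Authentication, plus classic ASP so IIS can execute the .asp script at all.
Install-WindowsFeature -Name Web-Windows-Auth, Web-ASP | Out-Null

# 3. Disable Anonymous and enable Windows Authentication, scoped to the script's
#    application so the rest of the site is untouched. Both sections are locked
#    at server level by default, so the change is written to applicationHost.config
#    through -Location rather than to the application's web.config.
$location = "$SiteName/$AppPath"
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name enabled -Value $true

# 4. Verify the behaviour Desktop SSO depends on. The helper returns the HTTP
#    status even when Invoke-WebRequest raises, which it does for a 401 and, with
#    -MaximumRedirection 0, for the redirect the script answers with once it has
#    authenticated the user.
function Get-HttpStatus {
    param([string]$Uri, [switch]$UseDefaultCredentials)
    try {
        $r = Invoke-WebRequest -Uri $Uri -UseBasicParsing -MaximumRedirection 0 `
             -UseDefaultCredentials:$UseDefaultCredentials -ErrorAction Stop
        return [int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

$anon = Get-HttpStatus -Uri $ScriptUrl
if ($anon -eq 401) { Write-Host 'OK: anonymous request is challenged (401).' }
else { Write-Warning "Anonymous request returned $anon; Anonymous Authentication is probably still enabled." }

$auth = Get-HttpStatus -Uri $ScriptUrl -UseDefaultCredentials
if ($auth -ge 300 -and $auth -lt 400) { Write-Host "OK: authenticated request is redirected ($auth)." }
else { Write-Warning "Authenticated request returned $auth; expected a redirect back to OneLogin." }
```

Run steps 1 to 3 on the IIS server. Run the checks in step 4 from a domain-joined workstation inside the IP ranges you entered in OneLogin, not on the IIS server itself: Windows blocks NTLM authentication to the local machine by name (the loopback check), so a test from the server can fail even when the configuration is correct for your users.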