AWS Directory Service
Administration Guide (Version 1.0)

Single Sign-On for IE and Chrome

To allow Microsoft's Internet Explorer (IE) and Google's Chrome browsers to support single sign-on, the following tasks must be performed on the client computer:

  • Add your access URL (e.g., https://<alias>.awsapps.com) to the list of approved sites for single sign-on.

  • Enable active scripting (JavaScript).

  • Allow automatic logon.

  • Enable integrated authentication.

You or your users can perform these tasks manually, or you can change these settings using Group Policy settings.

Manual Update for Single Sign-On on Windows

To manually enable single sign-on on a Windows computer, perform the following steps on the client computer. Some of these settings may already be set correctly.

To manually enable single sign-on for Internet Explorer and Chrome on Windows

  1. To open the Internet Properties dialog box, choose the Start menu, type Internet Options in the search box, and choose Internet Options.

  2. Add your access URL to the list of approved sites for single sign-on by performing the following steps:

    1. In the Internet Properties dialog box, select the Security tab.

    2. Select Local intranet and choose Sites.

    3. In the Local intranet dialog box, choose Advanced.

    4. Add your access URL to the list of websites and choose Close.

    5. In the Local intranet dialog box, choose OK.

  3. To enable active scripting, perform the following steps:

    1. In the Security tab of the Internet Properties dialog box, choose Custom level.

    2. In the Security Settings - Local Intranet Zone dialog box, scroll down to Scripting and select Enable under Active scripting.

      [Figure: Internet Explorer enable scripting setting]

    3. In the Security Settings - Local Intranet Zone dialog box, choose OK.

  4. To enable automatic logon, perform the following steps:

    1. In the Security tab of the Internet Properties dialog box, choose Custom level.

    2. In the Security Settings - Local Intranet Zone dialog box, scroll down to User Authentication and select Automatic logon only in Intranet zone under Logon.

      [Figure: Internet Explorer automatic logon setting]

    3. In the Security Settings - Local Intranet Zone dialog box, choose OK.

    4. In the Security Settings - Local Intranet Zone dialog box, choose OK.

  5. To enable integrated authentication, perform the following steps:

    1. In the Internet Properties dialog box, select the Advanced tab.

    2. Scroll down to Security and select Enable Integrated Windows Authentication.

      [Figure: Internet Explorer automatic logon setting]

    3. In the Internet Properties dialog box, choose OK.

  6. Close and re-open your browser to have these changes take effect.
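
The manual steps above land in the current user's registry hive, so they can be audited without clicking through the dialogs. The following PowerShell script is an added example and is not part of the AWS guide; it assumes the placeholder alias examplecorp, and the Local intranet zone value codes it reads (1400 for active scripting, 1A00 for logon) are Microsoft's standard IE zone settings rather than values the guide lists. It also warns when more of awsapps.com than your own alias is mapped into the intranet zone, since every host in that zone receives the user's Windows credentials automatically.

```powershell
# Added example (not from the AWS Directory Service guide): audit the per-user
# Internet Explorer/Chrome SSO settings that the manual procedure changes.
param([string]$Alias = 'examplecorp')   # placeholder: the <alias> in https://<alias>.awsapps.com

$base     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneMap  = "$base\ZoneMap\Domains\awsapps.com\$Alias"
$intranet = "$base\Zones\1"             # zone 1 = Local intranet

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$checks = @(
    # The alias host must be mapped into zone 1 for https (value https = 1).
    @{ Name = "https://$Alias.awsapps.com mapped to Local intranet zone"
       Ok   = (Get-RegValue $zoneMap 'https') -eq 1 }
    # 1400 = Active scripting: 0 = Enable, 1 = Prompt, 3 = Disable.
    @{ Name = 'Active scripting enabled in Local intranet zone'
       Ok   = (Get-RegValue $intranet '1400') -eq 0 }
    # 1A00 = Logon: 0x20000 = automatic logon only in Intranet zone.
    # A value of 0 would release credentials to every zone, which is broader than needed.
    @{ Name = 'Automatic logon limited to Intranet zone'
       Ok   = (Get-RegValue $intranet '1A00') -eq 0x20000 }
    @{ Name = 'Integrated Windows Authentication enabled (EnableNegotiate)'
       Ok   = (Get-RegValue $base 'EnableNegotiate') -eq 1 }
)

foreach ($c in $checks) {
    '{0,-4} {1}' -f ($(if ($c.Ok) { 'OK' } else { 'FAIL' })), $c.Name
}

# Caveat: any other awsapps.com host, or the bare domain itself, mapped into the
# intranet zone extends silent credential release beyond the alias you own.
$others = Get-ChildItem "$base\ZoneMap\Domains\awsapps.com" -ErrorAction SilentlyContinue |
          Where-Object { $_.PSChildName -ne $Alias }
if ($others) { "WARN other awsapps.com hosts in intranet zone: $($others.PSChildName -join ', ')" }
if (Get-RegValue "$base\ZoneMap\Domains\awsapps.com" 'https') {
    'WARN entire awsapps.com domain is mapped to the intranet zone'
}
```

If Group Policy enforces zone settings machine-wide (the Security_HKLM_only policy), the effective values live under HKLM rather than the HKCU paths this script reads.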

Manual Update for Single Sign-On on OS X

To manually enable single sign-on for Chrome on OS X, perform the following steps on the client computer. You will need administrator rights on your computer to complete these steps.

To manually enable single sign-on for Chrome on OS X

  1. Add your access URL to the AuthServerWhitelist policy by running the following command:

    defaults write com.google.Chrome AuthServerWhitelist "https://<alias>.awsapps.com"

  2. Open System Preferences, go to the Profiles panel, and delete the Chrome Kerberos Configuration profile.

  3. Restart Chrome and open chrome://policy in Chrome to confirm that the new settings are in place.

Group Policy Settings for Single Sign-On

The domain administrator can implement Group Policy settings to make the single sign-on changes on client computers that are joined to the domain.

Note

If you manage the Chrome web browsers on the computers in your domain with Chrome policies, you must add your access URL to the AuthServerWhitelist policy. For more information about setting Chrome policies, go to Policy Settings in Chrome.

To enable single sign-on for Internet Explorer and Chrome using Group Policy settings

  1. Create a new Group Policy object by performing the following steps:

    1. Open the Group Policy Management tool, navigate to your domain and select Group Policy Objects.

    2. From the main menu, choose Action and select New.

    3. In the New GPO dialog box, enter a descriptive name for the Group Policy object, such as SSO Policy, and leave Source Starter GPO set to (none). Click OK.

  2. Add the access URL to the list of approved sites for single sign-on by performing the following steps:

    1. In the Group Policy Management tool, navigate to your domain, select Group Policy Objects, open the context (right-click) menu for your SSO policy, and choose Edit.

    2. In the policy tree, navigate to User Configuration > Preferences > Windows Settings.

    3. In the Windows Settings list, open the context (right-click) menu for Registry and choose New registry item.

    4. In the New Registry Properties dialog box, enter the following settings and choose OK:

      Action

      Update

      Hive

      HKEY_CURRENT_USER

      Path

      Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awsapps.com\<alias>

      The value for <alias> is derived from your access URL. If your access URL is https://examplecorp.awsapps.com, the alias is examplecorp, and the registry key will be Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awsapps.com\examplecorp.

      Value name

      https

      Value type

      REG_DWORD

      Value data

      1

  3. To enable active scripting, perform the following steps:

    1. In the Group Policy Management tool, navigate to your domain, select Group Policy Objects, open the context (right-click) menu for your SSO policy, and choose Edit.

    2. In the policy tree, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone.

    3. In the Intranet Zone list, open the context (right-click) menu for Allow active scripting and choose Edit.

    4. In the Allow active scripting dialog box, enter the following settings and choose OK:

      • Select the Enabled radio button.

      • Under Options set Allow active scripting to Enable.

  4. To enable automatic logon, perform the following steps:

    1. In the Group Policy Management tool, navigate to your domain, select Group Policy Objects, open the context (right-click) menu for your SSO policy, and choose Edit.

    2. In the policy tree, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone.

    3. In the Intranet Zone list, open the context (right-click) menu for Logon options and choose Edit.

    4. In the Logon options dialog box, enter the following settings and choose OK:

      • Select the Enabled radio button.

      • Under Options set Logon options to Automatic logon only in Intranet zone.

  5. To enable integrated authentication, perform the following steps:

    1. In the Group Policy Management tool, navigate to your domain, select Group Policy Objects, open the context (right-click) menu for your SSO policy, and choose Edit.

    2. In the policy tree, navigate to User Configuration > Preferences > Windows Settings.

    3. In the Windows Settings list, open the context (right-click) menu for Registry and choose New registry item.

    4. In the New Registry Properties dialog box, enter the following settings and choose OK:

      Action

      Update

      Hive

      HKEY_CURRENT_USER

      Path

      Software\Microsoft\Windows\CurrentVersion\Internet Settings

      Value name

      EnableNegotiate

      Value type

      REG_DWORD

      Value data

      1

  6. Close the Group Policy Management Editor window if it is still open.

  7. Assign the new policy to your domain by following these steps:

    1. In the Group Policy Management tree, open the context (right-click) menu for your domain and choose Link an Existing GPO.

    2. In the Group Policy Objects list, select your SSO policy and choose OK.

These changes will take effect after the next Group Policy update on the client, or the next time the user logs in.
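
The same Group Policy object can be built from the GroupPolicy PowerShell module instead of the Group Policy Management clicks in steps 1 to 7. This script is an added example, not part of the AWS guide; it assumes a domain-joined administration host with the RSAT Group Policy tools, the placeholder alias examplecorp and domain corp.example.com, and that the two Intranet Zone administrative templates in steps 3 and 4 write to the standard IE policy key Zones\1 (values 1400 and 1A00), which the guide itself does not spell out. The Chrome AuthServerWhitelist entry from the Note is written in host-name form, which is how the Windows Chrome policy is commonly populated; the guide shows only the OS X command.

```powershell
# Added example (not from the AWS Directory Service guide): create and link the
# "SSO Policy" GPO described in the Group Policy procedure above.
Import-Module GroupPolicy

$Alias    = 'examplecorp'                        # placeholder <alias> from https://<alias>.awsapps.com
$Domain   = 'DC=corp,DC=example,DC=com'          # placeholder domain distinguished name
$GpoName  = 'SSO Policy'
$UserIS   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$PolZone1 = 'HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'

# Step 1: create the GPO (reuse it if it already exists).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Browser single sign-on to the AWS access URL'
}

# Step 2: user registry preference mapping only https://<alias>.awsapps.com into
# the Local intranet zone (ZoneMap value https = 1). Keep the scope to the one alias.
Set-GPPrefRegistryValue -Name $GpoName -Context User -Action Update `
    -Key "$UserIS\ZoneMap\Domains\awsapps.com\$Alias" -ValueName 'https' -Type DWord -Value 1 | Out-Null

# Steps 3 and 4: computer policies behind the Intranet Zone templates
# (assumed mapping). 1400 = Allow active scripting, 0 = Enable.
# 1A00 = Logon options, 0x20000 = Automatic logon only in Intranet zone.
Set-GPRegistryValue -Name $GpoName -Key $PolZone1 -ValueName '1400' -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $PolZone1 -ValueName '1A00' -Type DWord -Value 0x20000 | Out-Null

# Step 5: user registry preference enabling Integrated Windows Authentication.
Set-GPPrefRegistryValue -Name $GpoName -Context User -Action Update `
    -Key $UserIS -ValueName 'EnableNegotiate' -Type DWord -Value 1 | Out-Null

# Note: Chrome managed by policy also needs the access URL host in AuthServerWhitelist.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Google\Chrome' `
    -ValueName 'AuthServerWhitelist' -Type String -Value "$Alias.awsapps.com" | Out-Null

# Step 7: link the GPO to the domain unless it is already linked.
$linked = (Get-GPInheritance -Target $Domain).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $Domain -LinkEnabled Yes | Out-Null }

# Review what was written; clients apply it at the next policy refresh or logon.
Get-GPRegistryValue -Name $GpoName -Key $PolZone1
Get-GPPrefRegistryValue -Name $GpoName -Context User -Key "$UserIS\ZoneMap\Domains\awsapps.com\$Alias"
```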