Set up SSO with Windows authentication

To setup Windows Authentication you must set up two separate websites in the web server - one is the SitefinityStsWebApp and the other is the Sitefinity CMS instance that will accept the claims from the STS. You must set the authentication type of SitefinityStsWebApp either to Windows or to Basic.

1. Create a folder where your STS files will be located.
2. Extract the files from SitefinityStsWebApp.zip to the created folder.
   SitefinityStsWebApp.zip contains the SitefinityStsWebApp web application that you can use for the STS site and is located in your Sitefinity CMS account.
   Open the .zip file, open the web application in Visual Studio, and build it.
3. Open Internet Information Services (IIS)
   Depending on which version of IIS you are working with, open the relevant article from Run projects on IIS. Under section Run the project on the IIS, follow Step 1 to Step 12 and in Step 5, browse to select the folder that you created for the STS.
4. In IIS Manager, select the STS site.
5. In section IIS on the right, double-click Authentication.
6. Choose one of the following authentication types and set it in IIS:
   • If all computers that are used to authenticate in Sitefinity CMS are part of the domain, enable Windows Authentication and disable all others.
   • If there are computers that are not part of the domain and that are used for authentication, enable Basic Authentication and disable all others. You could turn https on for this site to protect the transferred credentials.
7. Open the web.config file of the STS.
8. Perform the following web.config transformations:
9. Save and close the web.config file of the STS.

1. Login to the backend of your website.
2. In your corporate active directory, give backend access and administration right to the users and groups you will use with windows authentication. 
   For more information, see Administration: Configure LDAP settings.

   NOTE: If you do not want to use your corporate active directory, you must create a user in the default provider with the same username as the login name for your windows account. 
   The user must have backend access and administration right.
   For more information, see Administration: Create and delete users.

3. In the main menu, click Administration » Settings » Advanced » Security » SecurityTokenIssuers.
   There is a security token issuer, created by default. Click it and copy and save its Key.
4. In the treeview on the left, click RelyingParties.
   There is a relying party, created by default. Click it and copy and save its Key.
5. In the treeview on the left, click SecurityTokenIssuers » Create new.       
   1. In Realm, enter the address of the STS site and add at the end of the address /mysts.ashx, which is the path to the handler.
      The entry looks like <STS address>/mysts.ashx.
   2. In Key, create a key, or use the key copied in Step 3.
   3. Set Encoding to Hexadecimal.
   4. In MembershipProvider, enter LdapUsers.          

      NOTE: If you do not want to use your corporate active directory, enter Default.

   5. Click Save changes.
6. Open the web.config file of the STS site.
   The file is located in the folder you created in Step 1 of the above procedure.
7. Under <appSettings>, add the following <add key="(the address of your Sitefinity CMS website)" value="(the key you created in Step 5b)"/>.
8. Save and close the web.config.
9. Open the web.config file of your Sitefinity CMS website.
10. Under <system.identityModel>, find wsFederation, set its issuer to the address of the STS site, and add at the end of the address /mysts.ashx.
11. Perform the following web.config transformations:
12. Save and close the web.config file.
13. Repeat the procedure for as many Sitefinity CMS websites as you need.