Windows Authentication


In order to provide External Authentication, you must create and properly configure an Identity Provider.

A. Create Identity Provider record

In MinistryPlatform:

  1. Navigate to Administration > Identity Providers
  2. Create a New record
  3. Enter a Display Name such as "Windows"
  4. Select the "WS-Passive Federation" Provider Type
  5. Enter "Not Used" as the Client ID (this field cannot be blank)
  6. Enter your base URL followed by /iwa/ as the Metadata Address.
  7. Save
  8. Copy the newly generated Identity Provider Unique ID, which will be used in a later step (all lowercase characters must be replaced with uppercase)

1) External Login Callback URL

This callback URL is created by appending the GUID from the Identity Provider record to the base callback URL.

The [IdentityProviderUniqueID] must be replaced with the ALL UPPERCASE GUID from your Identity Provider record. [Domain] must be replaced with your church's base URL (for example,


You will use this in A.2 below.

2) Identity Provider Settings

The JSON below must be updated and entered in Settings. It incorporates the External Login Callback URL from the previous step.

  1. Copy the string below and paste it into Settings
  2. Replace the URL with the one from the previous step (A.1)
{ "RedirectUri": "https://[Domain]/ministryplatformapi/oauth/callback/[IdentityProviderUniqueID]", "Wtrealm":"urn:WindowsAuthenticationService" }
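
The following PowerShell is an added example, not part of the original instructions or of MinistryPlatform. It builds the Settings string from steps A.1 and A.2 and rejects a malformed GUID or domain before the value is pasted. The function name, its parameters, and the sample values are hypothetical, and it assumes [Domain] is a bare host name and the Unique ID is a standard hyphenated GUID.

```powershell
# Added example: builds the Identity Provider Settings JSON from steps A.1 and A.2.
# New-IwaProviderSettings and its parameter names are hypothetical, not a MinistryPlatform API.
function New-IwaProviderSettings {
    param(
        # Assumption: host name only, because the template already supplies "https://".
        [Parameter(Mandatory)] [string] $Domain,
        # The Unique ID copied from the Identity Provider record (step A.8).
        [Parameter(Mandatory)] [string] $IdentityProviderUniqueId
    )

    # Reject anything that is not a well-formed GUID before it reaches the redirect URI.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($IdentityProviderUniqueId.Trim(), [ref] $guid)) {
        throw "Identity Provider Unique ID is not a valid GUID: '$IdentityProviderUniqueId'"
    }

    # The domain must not carry a scheme, path, or whitespace, or the callback URL
    # registered here will not match the one the platform actually uses.
    if ($Domain -notmatch '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$') {
        throw "Domain must be a host name without scheme or path: '$Domain'"
    }

    # 'D' is the hyphenated GUID form; the instructions require ALL UPPERCASE.
    $upperGuid = $guid.ToString('D').ToUpperInvariant()

    # Key names and the Wtrealm value are copied from the Settings template above.
    [ordered]@{
        RedirectUri = "https://$Domain/ministryplatformapi/oauth/callback/$upperGuid"
        Wtrealm     = 'urn:WindowsAuthenticationService'
    } | ConvertTo-Json -Compress
}

# Constructed sample values, not taken from a real installation.
New-IwaProviderSettings -Domain 'mp.example.org' `
    -IdentityProviderUniqueId '3f2504e0-4f89-11d3-9a0c-0305e82c3301'
```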

B. Configure IIS

1) Add IWA Application
  1. Launch IIS Manager
  2. Expand Server node
  3. Expand Site node
  4. Locate an application titled "iwa" or, if needed, right-click MinistryPlatform site and choose "Add Application". Enter "iwa" as the Application's Alias. Browse to select the Physical Path found under W:\Sites\[MinistryPlatform Site]\IWA
  5. Select the iwa Application
  6. Open Authentication (from its icon) and enable only "Anonymous Authentication" and "Windows Authentication"

Note: The Application Pool may need to be restarted for new Identity Providers to be configurable for Users. 

More information about enabling Windows Authentication for a Web Application can be found here:

C. Test by Logging into the Platform

Once complete, a button for Windows Authentication will appear on your Login page. Before testing, configure the Social Login for your User in the User Account dialog.

To remove a previously configured Identity Provider, delete the Identity Provider record. Note: The button will not be removed from your Login page until overnight (or until the IIS Application Pool is manually refreshed).