
Windows Authentication

Configuring the Windows Authentication external login allows existing Users to sign in to their account with their Windows credentials; it does not allow a new account to be created through this external login.

In order to provide External Authentication, you must create and properly configure an Identity Provider.

A. Create Identity Provider record

In MinistryPlatform:

  1. Navigate to Administration > Identity Providers
  2. Create a New record
  3. Enter a Display Name such as "Windows"
  4. Select the "WS-Passive Federation" Provider Type
  5. Enter "Not Used" as the Client ID (this field cannot be blank)
  6. Enter your base URL followed by /iwa/ (for example, https://{your platform domain}/iwa/) as the Metadata Address
  7. Save
  8. Copy the Unique ID generated for the new Identity Provider record; it is used in the next step. Convert it to all uppercase (every lowercase character in the GUID must be replaced with its uppercase equivalent)

1) External Login Callback URL

This callback URL is built by appending the GUID from the Identity Provider record to the base callback URL.

Replace [IdentityProviderUniqueID] with the ALL UPPERCASE GUID from your Identity Provider record, and replace "{your platform domain}" in the following URL with your church's base MP URL.

https://{your platform domain}/ministryplatformapi/oauth/callback/[IdentityProviderUniqueID]

You will use this in A.2 below.

2) Identity Provider Settings

Below is the JSON that must be updated and entered in the Settings field of the Identity Provider record. It incorporates the External Login Callback URL from the previous step (A.1); the Wtrealm value stays exactly as shown.

  1. Copy the string below and paste it into Settings
  2. Replace the RedirectUri value with the callback URL from the previous step (A.1)
{ "RedirectUri": "https://{your platform domain}/ministryplatformapi/oauth/callback/[IdentityProviderUniqueID]", "Wtrealm":"urn:WindowsAuthenticationService" }

B. Configure IIS

1) Add IWA Application
  1. Launch IIS Manager
  2. Expand Server node
  3. Expand Site node
  4. Locate an existing application named "iwa" under the MinistryPlatform site. If there is none, right-click the MinistryPlatform site and choose "Add Application", enter "iwa" as the Application's Alias, and browse to the Physical Path found under W:\Sites\[MinistryPlatform Site]\IWA
  5. Select iwa Application 
  6. Open the Authentication feature (from the icon) and enable only "Anonymous Authentication" and "Windows Authentication"; every other method listed there (Basic, Digest, Forms, ASP.NET Impersonation) must be disabled

Note: The Application Pool may need to be restarted before a new Identity Provider can be configured for Users. If Setup Admin is set to True on your User record, a Restart Auth App button appears on your User Profile; clicking it makes the external authentication option available.

More information about enabling Windows Authentication for a Web Application can be found here: https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/windowsauthentication/
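The following PowerShell script is an added example for this article, not a script shipped by MinistryPlatform. It performs sections A and B end to end on the IIS server: it validates and uppercases the Identity Provider Unique ID, builds the callback URL and the Settings JSON, creates the iwa application if it is missing, enables only Anonymous and Windows authentication on it, prints the effective authentication state so a mistake is visible, and recycles the application pool. The platform domain, Unique ID, site name and physical path are placeholder assumptions; replace them with your own values.

```powershell
# Added example (not from the MinistryPlatform article or product).
# Run in an elevated PowerShell on the IIS server that hosts the MP site.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$PlatformDomain = 'mp.example.org'                         # assumption: your church's base MP domain
$IdpUniqueId    = '3f2504e0-4f89-11d3-9a0c-0305e82c3301'   # assumption: Unique ID copied from the Identity Provider record
$SiteName       = 'MinistryPlatform'                       # assumption: name of the IIS site
$IwaPath        = 'W:\Sites\MinistryPlatform\IWA'          # assumption: physical path of the IWA folder

# --- Section A: callback URL and Settings JSON ------------------------------
# The callback is matched on the UPPERCASE form of the GUID, so validate the
# copied value and normalize it before building the URL.
$guid = [guid]::Empty
if (-not [guid]::TryParse($IdpUniqueId, [ref]$guid)) {
    throw "Identity Provider Unique ID is not a valid GUID: $IdpUniqueId"
}
$upperId     = $guid.ToString('D').ToUpperInvariant()
$redirectUri = "https://$PlatformDomain/ministryplatformapi/oauth/callback/$upperId"
$metadata    = "https://$PlatformDomain/iwa/"

$settings = [ordered]@{
    RedirectUri = $redirectUri
    Wtrealm     = 'urn:WindowsAuthenticationService'
} | ConvertTo-Json -Compress

Write-Host "Metadata Address : $metadata"
Write-Host "Settings JSON    : $settings"

# --- Section B: IIS application and authentication -------------------------
$appPath = "IIS:\Sites\$SiteName\iwa"
if (-not (Test-Path $appPath)) {
    # Reuse the site's application pool so the iwa app runs as the same identity.
    $sitePool = (Get-Item "IIS:\Sites\$SiteName").applicationPool
    New-WebApplication -Site $SiteName -Name 'iwa' -PhysicalPath $IwaPath `
        -ApplicationPool $sitePool | Out-Null
}

# Enable only Anonymous and Windows authentication on the iwa application;
# Basic and Digest are switched off explicitly rather than left to inheritance.
$location = "$SiteName/iwa"
$authBase = 'system.webServer/security/authentication'
$desired  = [ordered]@{
    anonymousAuthentication = $true
    windowsAuthentication   = $true
    basicAuthentication     = $false
    digestAuthentication    = $false
}
foreach ($kv in $desired.GetEnumerator()) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$authBase/$($kv.Key)" -Name enabled -Value $kv.Value
}

# Verify the effective configuration and fail loudly on any mismatch.
foreach ($kv in $desired.GetEnumerator()) {
    $actual = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$authBase/$($kv.Key)" -Name enabled).Value
    Write-Host ("{0,-24} enabled={1}" -f $kv.Key, $actual)
    if ([bool]$actual -ne $kv.Value) {
        throw "Authentication setting $($kv.Key) is $actual, expected $($kv.Value)"
    }
}

# A new Identity Provider is only offered on the Login page after the pool recycles.
$pool = (Get-Item $appPath).applicationPool
Restart-WebAppPool -Name $pool
```

The script does not touch Forms authentication or ASP.NET Impersonation, which live under system.web rather than system.webServer; confirm those remain disabled in the IIS Authentication pane as the step above requires. Because the WS-Federation passive flow posts the issued token back to the RedirectUri after the Windows sign-in, both the iwa application and the callback must be served over HTTPS only.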

C. Test by Logging into the Platform

Once complete, a Windows Authentication button appears on your Login page. Before testing, configure the Social Login for your User in the User Account dialog.

To remove a previously configured Identity Provider, delete the Identity Provider record. Note: the button disappears from your Login page overnight, or immediately after a manual recycle of the IIS Application Pool.