When a web application is secured by the DualShield IIS Agent with MFA, the agent adds an extra authentication step on top of the web application's own form-based authentication. Without Single Sign-On or Auto Logon, users are first authenticated by DualShield SSO and then by the web application's original login process, which usually verifies the user's AD credentials.
You have 2 options:
1. Configure DualShield SSO to verify the 2nd factor only, e.g. a one-time password, and keep the application's original login process, which will verify the user's AD credentials. With this option, you do not need to enable Single Sign-On or Auto Logon.
2. Configure DualShield SSO to verify both the 2nd factor and the 1st factor. With this option, you will need to enable Single Sign-On or Auto Logon.
From a security point of view, there is no difference between the two options.
From a user experience point of view, option 2 delivers a more coherent user experience.
Between Single Sign-On and Auto Logon, Single Sign-On is preferred as it is easier to set up and performs faster. However, some IIS web servers have restrictions that make it impossible to enable Single Sign-On.
Single Sign-On
Click the "Advanced Logon Settings" button
To enable Single Sign-On, tick the option "Enable Single Sign-On" in the General tab
Click the "Single Sign-On" tab
Set the following options accordingly
| Option | Remarks |
| --- | --- |
| Enable Desktop SSO | If the web application is to be accessed by users from domain joined desktops or laptops, you can enable SSO from the desktop logon to web logon. |
| Application URL | When OWA is enabled with MFA, the ECP web UI is automatically enabled with MFA too, as ECP uses OWA as its logon process. If you use ECP web UI, then you must change the Application URL to: $RelayState.url |
| Logon Name Format | Select the appropriate login name format that your application server accepts. |
Click "OK" to save the settings
Auto Logon
In order to implement Auto Logon, you have to disable compression on the OWA application node
Select the "owa" node in the navigation panel
Click the "Compression" icon in the Features View panel
Make sure that both compression options are disabled, then click the "Apply" button to save changes
Now, select the "owa" node in the navigation panel again
Double-click the "DualShield Authentication" icon in the Features View to launch the control panel of the DualShield IIS Agent
Click the "Advanced Logon Settings" button
To enable Auto Logon, tick the option "Enable Auto Logon" in the General tab
Then, click the "Auto Logon" tab
If the web application is one of the pre-configured server types such as OWA, then usually there is no need for any further configuration in this tab apart from ticking the "Auto Submit" option
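The compression step in the Auto Logon procedure above can also be checked from PowerShell. This is an added example, not part of the vendor documentation: the function name and the site name "Default Web Site" are assumptions, and it relies on the standard IIS WebAdministration module, where the two options on the Compression page correspond to the doStaticCompression and doDynamicCompression attributes of system.webServer/urlCompression.

```powershell
# Added example, not vendor code. Run in an elevated session on the IIS server.
Import-Module WebAdministration

function Confirm-OwaCompressionDisabled {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed IIS path of the "owa" node; adjust the site name to match your server.
        [string]$PSPath = 'IIS:\Sites\Default Web Site\owa',
        # Without -Fix the function only reports; with -Fix it disables any enabled option.
        [switch]$Fix
    )

    if (-not (Test-Path $PSPath)) { throw "IIS node not found: $PSPath" }

    $filter = 'system.webServer/urlCompression'
    foreach ($name in 'doStaticCompression', 'doDynamicCompression') {
        $attr    = Get-WebConfigurationProperty -PSPath $PSPath -Filter $filter -Name $name
        $enabled = [bool]$attr.Value

        if ($enabled -and $Fix -and $PSCmdlet.ShouldProcess($PSPath, "Disable $name")) {
            Set-WebConfigurationProperty -PSPath $PSPath -Filter $filter -Name $name -Value $false
            # Re-read the value so the report reflects what is actually configured.
            $attr    = Get-WebConfigurationProperty -PSPath $PSPath -Filter $filter -Name $name
            $enabled = [bool]$attr.Value
        }

        [pscustomobject]@{
            Node              = $PSPath
            Setting           = $name
            Enabled           = $enabled
            ReadyForAutoLogon = -not $enabled
        }
    }
}

Confirm-OwaCompressionDisabled          # report only
# Confirm-OwaCompressionDisabled -Fix   # disable both options, then report
```

Both rows should show ReadyForAutoLogon as True before you enable Auto Logon in the agent.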