Windows Hello for Business (WHfB) is an authentication workflow that makes sure the user is on a registered device that is in an acceptable state, logged in using 2FA and biometric data.
The exact login workflows are detailed here: WHfB authentication flow
So, the end result of a WHfB login sequence has to be a logged-in user on the device.
The question is, how does Ivy know which username this user has?
Or, what does Axon Ivy need to accept a User authenticated by a third party?
This is pretty straightforward: If IIS (or any other reverse proxy) sends an HTTP header named X-Forwarded-User, we use that username and authorize the user against our user directory.
In the standard setup, we get this username from the IIS variable LOGON_USER, which is put into the header by a third-party add-on called Helicontech ISAPI_Rewrite_3 (we use the free lite version for this).
So, as long as your login process allows IIS to send us the user name in the HTTP Header, we'll take the username to authorize the user. This is why we request that direct access to the engine be strictly controlled if you use SSO.
I assume that WHfB uses some sort of OIDC workflow as it is used in Entra ID. So, you need to implement the part of the IIS configuration that allows IIS to manage OIDC.
You can change the name of the HTTP Header in ivy.yaml if needed:
```yaml
# == Single Sign-on ==
#
# Single Sign-on allows to auto login users. A reverse proxy has to be installed
# in front of the Axon Ivy Engine. It is responsible for authenticating
# the user. The name of the user must then be transmitted as a HTTP header.
# !! Assert exclusive access to the Axon Ivy Engine otherwise
# attackers can easily login as another user.
# https://developer.axonivy.com/doc/10.0/engine-guide/integration/single-sign-on
# [restart required]
SSO:
  # Shall SSO be enabled?
  Enabled: false
  # name of the HTTP header with the username that has to be provided by the reverse proxy
  UserHeader: X-Forwarded-User
```
Hope this helps.
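To illustrate why direct access to the engine has to be restricted when SSO is on, here is an added example (not Axon Ivy's code) of a gate that honours the username header only when the request came in through the trusted reverse proxy; the proxy address list and the sample requests are constructed for the example.

```python
# Added example, not part of the Axon Ivy Engine: only trust the SSO username
# header when the request actually arrived via the reverse proxy that sets it.
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

USER_HEADER = "X-Forwarded-User"  # must match SSO.UserHeader in ivy.yaml
# Constructed allowlist (assumption): the address of the IIS reverse proxy.
TRUSTED_PROXIES = [ip_network("10.0.0.5/32")]


def _from_trusted_proxy(remote_addr: str) -> bool:
    """True only if the TCP peer is one of the allowlisted proxy addresses."""
    try:
        addr = ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def evaluate(remote_addr: str, headers: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Return (username_to_authorize, reason).

    username is None when the header must be ignored: either it is absent/empty
    ("no-header") or the request bypassed the proxy ("untrusted-source"), in
    which case anyone could have written an arbitrary name into the header.
    """
    # HTTP header names are case-insensitive.
    value = next((v for k, v in headers.items() if k.lower() == USER_HEADER.lower()), None)
    username = value.strip() if value is not None else ""
    if not username:
        return None, "no-header"
    if not _from_trusted_proxy(remote_addr):
        # Worth logging: a direct request carrying the SSO header is a spoofing attempt or a misconfiguration.
        return None, "untrusted-source"
    return username, "ok"


if __name__ == "__main__":
    # Constructed sample requests: one via the proxy, one reaching the engine directly.
    for peer, hdrs in [("10.0.0.5", {USER_HEADER: "alice"}),
                       ("203.0.113.7", {USER_HEADER: "alice"})]:
        print(peer, evaluate(peer, hdrs))
```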