Support for native (local desktop) OS logins requires a domain configuration with specific settings. The domain configuration must have:

  • A domain type of "_oslocal". This is the authentication provider, set in the "authProvider" field.
  • "exchange" listed as one of the supported actions, and marked as enabled
  • "-processid" option listed in the action options for "exchange"

These required settings appear in the following example as the "authProvider" value and the "enabled" and "options" values of the "exchange" action.

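If any of these are missing from the domain configuration, token exchange for native OS logins will be rejected. Below is an example domain configuration supporting authentication for OS local logins. Note that the example sets every entry under "events" / "groups" to false and leaves the event "provider" empty; if you rely on these events for auditing token exchange, confirm that this matches your requirements before reusing the example as-is.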

{
    "version": "1.0.0",
    "domains": [
        {
        "name" : "local",
        "enabled" : true,
        "description" : "Domain supporting OS local logins",
        "actions" : {
            "authenticate" : {
                "enabled" : true,
                "options" : ""
            },
            "exchange" : {
                "enabled" : true,
                "options" : "-processid"
            },
            "sso" : {
                "enabled" : false,
                "options" : ""
            },
            "refresh" : {
                "enabled" : false,
                "options" : ""
            }
       },
       "options" : "",
       "authProvider" : "_oslocal",
       "policyProvider" : "",
       "events" : {
            "provider" : "",
            "groups" : {
                "client" : false,
                "tokenAuthenticate" : false,
                "tokenExchange" : false,
                "tokenRevoke" : false,
                "tokenValidate" : false,
                "tokenRefresh" : false,
                "policy" : false,
                "sessionLogin" : false,
                "sessionLogout" : false,
                "sessionValidate" : false,
                "sessionRefresh" : false
            }
       }
    }],
    "policyProviders" : {
             },
    "eventProviders" : {
    }
}