Using SSO with Windows Integrated Authtication (WIA) to pass Windows credentials into SSO.  When using this service with DLP Enforce they are prompted to use windows credentials, then asked to type in credentials again. 

Best practice for SSO is to only use the required authentication types.  When using "User name and password", "Password Protected Transport" and "Windows Integrated Authentication" and/or any other accepted authentication type, then any user attempting to login to Enforce with SSO will be prompted for their credentials twice.

No error message is observed by DLP

If customer is using ADFS for SSO, you may see an event similar to the below in the Windows Event logs

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="AD FS Tracing" Guid="{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" />
  <EventID>68</EventID>
  <Version>0</Version>
  <Level>3</Level>
  <Task>0</Task>
  <Opcode>0</Opcode>
  <Keywords>0x8000000000002000</Keywords>
  <TimeCreated SystemTime="2019-02-20T19:59:15.572363600Z" />
  <EventRecordID>313</EventRecordID>
  <Correlation ActivityID="{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" />
  <Execution ProcessID="4980" ThreadID="9912" ProcessorID="2" KernelTime="3" UserTime="11" />
  <Channel>AD FS Tracing/Debug</Channel>
  <Computer>SERVER_NAME</Computer>
  <Security UserID="X-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-XXXXXX" />
  </System>
- <UserData>
- <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
  <EventData>The SSO token is not valid. Dropping it...</EventData>
  </Event>
  </UserData>
  </Event>

This can be resolved by updating the SpringSecurityContext.xml file and commenting out everything but WIA.

The default location for the SpringSecurityContext.xml

In DLP 15.1 and above:

In DLP 15.0 and below: