In order to enable federated Single Sign On with IAM Cloud, a small configuration change needs to be made to a group policy to allow the password handshake to happen with IAM Cloud without an NTLM box appearing. The following outlines the method of achieving this using AD Group Policy to add the *.federate365.com, *.iamcloud.net and *.iamcloud.com URLs into the local intranet zone on each workstation.
In Windows 2012 Group Policy settings for Internet Explorer have been moved to Adminstrative Templates. The Internet Explorer 10 ADMT is already installed.
From GPMC on 2012:
User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Edit the Site to Zone Assignment List.
Add *.federate365.com, *.iamcloud.net and *.iamcloud.com each with a value of 1.
Click OK and apply the GP to users.
If any of these also appear in trusted sites (a value of 2) then you will need to remove them for SSO to work.