Desktop single sign-on authentication

The Enterprise Application Access (EAA) identity service supports Kerberos-based Integrated Windows Authentication (IWA), which gives on-net end users a seamless desktop single sign-on (SSO) experience when they authenticate to the Akamai identity provider (IdP) to access applications. When users log in to their domain-joined machine with their network credentials, they can automatically authenticate to the Akamai IdP and access applications through the EAA Cloud service without entering their username and password again.

To support desktop SSO, the IdP endpoint responds to authentication requests with Kerberos authentication challenges. The browser on the end user’s desktop is configured to trust the IdP service for desktop SSO and responds to the Kerberos challenges using the user credentials cached during desktop logon. The end user can then access the application.
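
In browsers, a challenge and response of this kind is carried over HTTP Negotiate (RFC 4559): the server answers with `WWW-Authenticate: Negotiate` and the browser retries with `Authorization: Negotiate <base64 token>`. The following added example, which is not Akamai code, classifies such a response token as Kerberos or NTLM, a useful check when desktop SSO silently fails. It assumes the IdP uses standard SPNEGO framing, which this page does not spell out; the function names and sample tokens are constructed for illustration.

```python
import base64

# Mechanism OIDs (DER content bytes) seen in HTTP Negotiate tokens.
SPNEGO = bytes.fromhex("2b0601050502")              # 1.3.6.1.5.5.2
KRB5 = (bytes.fromhex("2a864886f712010202"),        # 1.2.840.113554.1.2.2
        bytes.fromhex("2a864882f712010202"))        # 1.2.840.48018.1.2.2 (MS variant)
NTLM_OID = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def classify(header_value):
    """Name the mechanism the client prefers in an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        raw = base64.b64decode(b64, validate=True)
        if raw.startswith(b"NTLMSSP\x00"):           # bare NTLM, no Kerberos ticket
            return "ntlm"
        tag, pos, _ = tlv(raw, 0)                    # GSS-API wrapper (0x60)
        oid_tag, start, pos = tlv(raw, pos)          # thisMech OID; pos is now past it
        if tag != 0x60 or oid_tag != 0x06:
            return "unknown"
        mech = raw[start:pos]
        if mech == SPNEGO:  # NegTokenInit: [0] > SEQUENCE > [0] mechTypes > SEQUENCE > OID
            for expected in (0xA0, 0x30, 0xA0, 0x30, 0x06):
                tag, start, stop = tlv(raw, pos)
                if tag != expected:
                    return "unknown"
                pos = start                          # descend into the element
            mech = raw[start:stop]                   # first mechType = preferred
        if mech in KRB5:
            return "kerberos"
        return "ntlm" if mech == NTLM_OID else "unknown"
    except (ValueError, IndexError):                 # bad base64 or short buffer
        return "malformed"

def sample(mech_oid):  # constructed SPNEGO token offering one mechanism, no real ticket
    der = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths only
    init = der(0xA0, der(0x30, der(0xA0, der(0x30, der(0x06, mech_oid)))))
    return "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO) + init)).decode()
```

A result of `ntlm` for a user who expected desktop SSO means the browser did not present a Kerberos ticket for the IdP, so the browser trust configuration and domain connectivity are the first things to check.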

When using IWA for your IdP, if you have set the application-facing authentication mechanism to Kerberos for your EAA applications, you need to configure Kerberos constrained delegation. See Kerberos-constrained delegation.

When using IWA for your IdP, if you have set the application-facing authentication mechanism to NTLM for your EAA applications or auto-login for RDP applications, the user is prompted for a password once for each user login session.