In organizations that use Microsoft Active Directory to manage corporate identities and to govern access to corporate assets, Integrated Windows Authentication (IWA) provides strong access security together with good usability for corporate web applications.

With this approach, the web browser performs Single Sign-On (SSO) to web applications that support this authentication method: the user's identity is carried from the operating system of the user's workstation (which holds the Kerberos credentials obtained at domain logon) to the application server. The experience is transparent to the end user, because the application opens with the user already signed in to the working session.

Kerberos Constrained Delegation (KCD) extends the same benefits to users on any kind of endpoint device (not only a machine that is joined to the corporate Active Directory domain) who authenticate by means other than the operating system logon. With this functionality, a user coming from a mobile device or from a machine that is not part of the domain can still assume his or her Active Directory identity and be signed into corporate web applications automatically.

The diagram below shows how this is achieved. The Luminate Connector, deployed on the customer's premises, obtains Kerberos service tickets from the Active Directory domain controller on behalf of the signed-in user (whose identity was verified by Luminate together with the federated identity provider) and presents them to the corporate web application. Because such a user never authenticated to the domain with Kerberos, this relies on KCD with protocol transition (S4U2Self followed by S4U2Proxy): the Connector's Active Directory account is allowed to delegate only to the specific service principal names (SPNs) of the published web applications, which is what keeps the delegation "constrained".

[Figure: Kerberos_Constrained_Delegation_with_Luminate.jpg]

The attached document describes the steps that the Active Directory administrator and the Luminate administrator need to take in order to enable this functionality.
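As an added illustration of the Active Directory side of the setup (this is example code, not part of this article or of the attached document, and not Luminate's own tooling), the following PowerShell configures a hypothetical Connector service account for constrained delegation with protocol transition to one web application's SPNs, verifies the result, and audits which accounts in the domain hold protocol-transition rights. The account names svc-lum-connector and svc-intranet-app, the host intranet.corp.example and the NetBIOS domain CORP are assumptions.

```powershell
# Added example (not from the original article): AD-side configuration of
# Kerberos Constrained Delegation with protocol transition for a Connector
# service account. All account, host and domain names are assumptions.
Import-Module ActiveDirectory

$ConnectorAccount = 'svc-lum-connector'                      # hypothetical account the Connector runs as
$AppAccount       = 'svc-intranet-app'                       # hypothetical account the web app runs as
$AppSpns          = @('HTTP/intranet.corp.example', 'HTTP/intranet')   # hypothetical web app SPNs

# 1. The web application must have its SPNs registered on the account that runs it;
#    otherwise the KDC cannot issue a service ticket for it.
foreach ($spn in $AppSpns) {
    setspn -S $spn "CORP\$AppAccount"
}

# 2. Constrain the Connector account to delegate ONLY to those SPNs
#    (msDS-AllowedToDelegateTo). -Replace deliberately overwrites any existing
#    list so the account holds no leftover targets. Never set -TrustedForDelegation
#    $true: that is unconstrained delegation to any service in the domain.
Set-ADUser -Identity $ConnectorAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $AppSpns }
Set-ADAccountControl -Identity $ConnectorAccount -TrustedForDelegation $false

# 3. Protocol transition ("Use any authentication protocol"): required because the
#    user authenticated to Luminate / the identity provider, not to the domain with
#    Kerberos, so the Connector must obtain the ticket via S4U2Self + S4U2Proxy.
Set-ADAccountControl -Identity $ConnectorAccount -TrustedToAuthForDelegation $true

# 4. Verify. TRUSTED_TO_AUTH_FOR_DELEGATION is bit 0x1000000 (16777216) of
#    userAccountControl; TrustedForDelegation (unconstrained) must remain False.
$acct = Get-ADUser -Identity $ConnectorAccount `
    -Properties 'msDS-AllowedToDelegateTo', userAccountControl, TrustedForDelegation
[pscustomobject]@{
    Account             = $acct.SamAccountName
    AllowedToDelegateTo = ($acct.'msDS-AllowedToDelegateTo' -join ', ')
    ProtocolTransition  = (($acct.userAccountControl -band 0x1000000) -ne 0)   # expected True
    Unconstrained       = $acct.TrustedForDelegation                           # expected False
}

# 5. Periodic audit: every account in the domain allowed protocol transition, with
#    its delegation targets, so delegation rights do not quietly accumulate.
#    1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' `
    -Properties samAccountName, 'msDS-AllowedToDelegateTo' |
    Select-Object samAccountName,
        @{ n = 'DelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

Run this with an account that may write userAccountControl and msDS-AllowedToDelegateTo on the Connector account (normally a domain administrator). If the Connector runs under a computer account rather than a user account, the same attributes are set with Set-ADComputer and Set-ADAccountControl against that computer object. The audit in step 5 is the check worth scheduling: an account with protocol transition can obtain a service ticket for any user to every SPN in its list, so the list should contain exactly the published applications and nothing more.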