The following image shows the basic steps for Back-side Kerberos SSO, where the authenticated users are propagated to the back-end server.

Diagram - Back-side Kerberos SSO
  1. The user requests access to the back-end web application.
  2. Airlock IAM authenticates the user and informs Airlock Gateway to propagate user's identity using back-side Kerberos SSO.
  3. Airlock Gateway requests a Kerberos ticket from the Active Directory domain controller on behalf of the user with his technical system user.
  4. Airlock Gateway sends the HTTP request to the back-end server and appends the user’s Kerberos ticket.