EPM System products support Kerberos SSO if the application server that hosts EPM System products is set up for Kerberos authentication.
Kerberos is a trusted authentication service, where each Kerberos client trusts the identities of other Kerberos clients (users, network services, and so on) to be valid.
The following steps list what happens when a user accesses an EPM System product:
1. From a Windows computer, the user logs in to a Kerberos realm.
2. Using a browser that is configured to use Integrated Windows Authentication, the user tries to log in to EPM System products running on the application server.
3. The application server (Negotiate Identity Asserter) intercepts the request and gets the Simple and Protected Generic Security Services API (GSSAPI) Negotiation Mechanism (SPNEGO) token with the Kerberos ticket from the browser's authorization header.
4. The asserter validates the user's identity included in the token against its identity store to pass information about the user to the EPM System product. The EPM System product validates the user name against an Active Directory. The EPM System product issues an SSO token that supports SSO across all EPM System products.
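A diagnostic for the step in which the application server reads the token from the browser's authorization header, as an added example that is not part of the original documentation or of any Oracle code: it classifies an `Authorization` header value as a SPNEGO token, a bare Kerberos GSS-API token, or an NTLM token, which browsers send under `Negotiate` when they cannot obtain a Kerberos ticket and which carries no ticket. The function names and sample tokens are constructed for illustration.

```python
import base64
import binascii

# DER-encoded GSS-API mechanism OIDs and the NTLM message signature.
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2
NTLM_SIG = b"NTLMSSP\x00"

def negotiate_header(token):
    """Build an Authorization header value from raw token bytes (test helper)."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")

def gss_mech_oid(token):
    """Return the DER mechanism OID of a GSS-API initial token, or None."""
    if len(token) < 4 or token[0] != 0x60:        # [APPLICATION 0] wrapper
        return None
    pos = 2
    if token[1] & 0x80:                           # long-form DER length
        n = token[1] & 0x7F
        if n == 0 or n > 4:
            return None
        pos += n
    if pos + 2 > len(token) or token[pos] != 0x06:
        return None
    end = pos + 2 + token[pos + 1]
    if token[pos + 1] & 0x80 or end > len(token):
        return None
    return token[pos:end]

def classify_authorization(header_value):
    """Classify the token as spnego, kerberos, ntlm, malformed or not-negotiate."""
    parts = header_value.strip().split(None, 1) if header_value else []
    if len(parts) != 2 or parts[0].lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(parts[1].strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if token.startswith(NTLM_SIG):
        return "ntlm"                             # fallback: no Kerberos ticket inside
    return {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}.get(gss_mech_oid(token), "malformed")

# Constructed sample tokens: correct framing, placeholder payload bytes.
SAMPLES = {
    "spnego": bytes([0x60, 0x0A]) + SPNEGO_OID + b"\xa0\x00",
    "kerberos": bytes([0x60, 0x82, 0x01, 0x00]) + KRB5_OID + b"\x01\x00",
    "ntlm": NTLM_SIG + b"\x01\x00\x00\x00",
}
```

A result of `ntlm` on a request that was expected to use Kerberos SSO points at the client side (browser not configured for Integrated Windows Authentication, or no ticket obtainable for the service) rather than at the asserter.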