Thank you for posting your query on Microsoft Q&A. From above description I am assuming you are looking for Azure AD application proxy Kerberos delegation to SSO onprim application.
Please do help me by responding in the comments if my understanding is not correct.
You may follow: Kerberos Constrained Delegation for single sign-on (SSO) to your apps with Application Proxy for configuration. Once done the SSO flow would look like below:
- The user enters the URL to access the on premises application through Application Proxy.
- Application Proxy redirects the request to Azure AD authentication services to preauthenticate. At this point, Azure AD applies any applicable authentication and authorization policies, such as multifactor authentication. If the user is validated, Azure AD creates a token and sends it to the user.
- The user passes the token to Application Proxy.
- Application Proxy validates the token and retrieves the User Principal Name (UPN) from it, and then the Connector pulls the UPN, and the Service Principal Name (SPN) through a dually authenticated secure channel.
- The Connector performs Kerberos Constrained Delegation (KCD) negotiation with the on premises AD, impersonating the user to get a Kerberos token to the application.
- Active Directory sends the Kerberos token for the application to the Connector.
- The Connector sends the original request to the application server, using the Kerberos token it received from AD.
- The application sends the response to the Connector, which is then returned to the Application Proxy service and finally to the user.
Please do let me know if you have any queries.
Thanks
Akshay Kaushik
Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.