SPNEGO: SSO for SAP Web Applications
SPNEGO is quite cool and simple. You just follow the configuration assistant of your SAP Webserver (http(s)://:/spnego).The only problem I found is that a multi domain model in combination with an Active Directory is not supported by the assistant. What does that mean?
You configure a SPNEGO user for the domain regensburg.bessieundmarkus.de to check users in the Active Directory. If I now want to logon with the user firstname.lastname@example.org everything is all right. But when I want to logon with a user email@example.com the logon fails because the user who checks the credentials looks in the wrong domain tree. Kerberos could handle such requests (thats what happens when you use SSO for SAP Gui) but the configuration assistant does not allow you to configure SPNEGO like this.
Finally I did not test it but it should work, when you manipulate the kerberos configuration file after the assistant finished.