Configure your browser to authenticate using the "system logon credentials" (Kerberos authentication mechanism):

Mozilla Firefox - Windows

To access the advanced Firefox settings, enter about:config into the Address bar and press [Enter]. This will bring up a long list of customizable preferences for the current installation of the browser.

You need set the FQDN (fully qualified domain name) of the IdP Server to the trusted URIs:

network.negotiate-auth.trusted-uris - FQDN of the IdP Server.

In the "Login page" can you find the right FQDN:

Shibboleth 2 > Single sign-on Browser configuration > FQDN_Idp.png

Example of configuration when Firefox is running under the Windows platform:

Shibboleth 2 > Single sign-on Browser configuration > firefox_sso_cfg.JPG

Mozilla Firefox - Linux

To access the advanced Firefox settings, enter about:config into the Address bar and press [Enter]. This will bring up a long list of customizable preferences for the current installation of the browser.

You need configure:

network.negotiate-auth.trusted-uris - FQDN of the IdP Server.
network.negotiate-auth.gsslib (default:empty) - Specifies a alternate GSSAPI shared library

Shibboleth 2 > Single sign-on Browser configuration > firefox_sso_cfg_unix.JPG

Other settings concerning negotiate/authentication:

network.negotiate-auth.delegation-uris (default: empty) - For which FQDN credential delegation will be allowed (trusted).
network.negotiate-auth.allow-proxies (default: true) - Enables proxy authentication using the negotiate method.
network.negotiate-auth.gsslib - you can use kerberos in other plattforms if you specify the "gss library".
network.negotiate-auth.using-native-gsslib - Use the default GSSAPI library.
network.auth.use-sspi (only on Windows, default: true) - Whether to use Microsoft's SSPI library, if disabled use GSSAPI

For "advanced" Firefox-users: To start the firefox with more debug information, you can use a script like this:

#!/bin/bash
export NSPR_LOG_MODULES=negotiateauth:5
export NSPR_LOG_FILE=/var/log/firefox.log
firefox

Internet Explorer

The browser must be configured to enable single sign-on (SSO) support. SSO only works on intranet and using trusted URL's.

First, open the Internet Options from the Tools menu

Select the Security tab, select the Local intranet and press the Sites button.

Shibboleth 2 > Single sign-on Browser configuration > ie1.JPG

We need to add the FQDN of the IdP Server to the trusted list.
Press the Advanced button.
This opens a dialog where the FQDN of IdP Server can be added

Shibboleth 2 > Single sign-on Browser configuration > ie_sso_cfg.JPG

In the "Login page" can you find the right FQDN. Wildcards are also supported e.g. *.host_b.com:

Shibboleth 2 > Single sign-on Browser configuration > FQDN_Idp.png

configure the automatic authentication handling in the browser. Go back to the Security tab and select the

Custom Level.

Scroll down to the bottom in the settings and make sure that Logon is set to Automatic only in intranet zone.

If the browse is the Internet Explorer version 6 or later we must manually enable the SPNEGO SSO.
Select the Advanced tab, scroll down to the Security section.

Shibboleth 2 > Single sign-on Browser configuration > ie5.JPG

Now the browser should be setup correctly.

Chrome

To config chrome you need to start the application the following parameter:

auth-server-whitelist - Allowed FQDN - Set the FQDN of the IdP Server. Example:

chrome --auth-server-whitelist="*aai-logon.domain-a.com"

In the "Login page" can you find the right FQDN:

Shibboleth 2 > Single sign-on Browser configuration > FQDN_Idp.png

Safari

No additional configuration is needed

Opera

Opera does not currently support Kerberos authentication.