In a SAML scenario, such as IBM Connections Cloud (but not limited to it), the customer's IDP authenticates the user. If a browser is being used, the user is directed to the IDP server, which needs to verify the user's identity.
In most cases, this IDP login is offered via Integrated Windows Authentication (IWA, Kerberos). This means that the user does not see the login form but is instead authenticated automatically, provided that he has previously logged in to the Windows domain.
Now, when using the Plugin, we can perform a form-based login for the user; the login form interaction happens in the background.
If IBM enabled Kerberos for this case, it would bring the following benefits:
1. No need to enter a user ID
2. No need to enter or store a password, which also means that if the password changes in the IDP, there is no need to update it
The above would also simplify the deployment of the Plug-In: just install and preconfigure "SAML+IDP"; no custom settings for the user are required.
The Sametime Client (embedded or Desktop) has this behaviour / option today.