Kerberos User Impersonation on Tomcat with Apache

If you are using Kerberos for single sign-on (SSO) and want to make HTTP requests to third-party systems while impersonating the end user, you can do this using the HttpClient that is part of the Apache HttpComponents project.

Configuring Tomcat Single Sign-on with SPNEGO (Kerberos & LDAP)

So what is SPNEGO? SPNEGO stands for Simple and Protected GSSAPI Negotiation Mechanism. It is a mechanism by which an authenticating body negotiates with the authenticator which security protocol to use, for example, Kerberos, NTLM, Digest or Basic