SSO, can be achieved in some different ways. It can work over OAuth2, NTLM, Kerberos, SAML and so on. In different projects, I have used Kerberos/NTLM and OAuth2. But real SSO was only with Kerberos. And when you already have LDAP Auth in your application, it will be quite easy to add SSO. But also depends on which OS and which WEB server you have. On Windows much easier to start with IIS while so difficult to find a working module for Apache. On Linux there is also could be a problem to find the latest version of the module which will work with the latest version of apache. But when you will manage to get it worked on web-server side, on Caché side, almost nothing to do left. When you get first unauthorized request, you should return back with status 401, and say which method of authentication you need through header WWW-Authenticate: NTLM. Then if web server managed to get username, it will send it by header REMOTE_USER. Of course, you will not get password, you just use this username and authorize session.