Any client traffic for Squirro is routed via the security appliance (e.g. SiteMinder, Microsoft IIS/ARR, or another web server such as Apache or Nginx with LDAP integration). This appliance detects the browser's SSO information (Kerberos token or client certificate) and automatically validates and authenticates the user against the Directory Service. If the user cannot be authenticated, the user cannot access Squirro.

If access is granted, the client's traffic is forwarded to the Squirro cluster, and the current user's information is added to the HTTP/S request headers (a unique user ID and, optionally, account name, email, common name, etc.). In some scenarios all data is added; in others only a session ID is added, which then allows the external authentication service (see step 6) to retrieve more data about the user.
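The following sketch shows how a backend could consume the forwarded headers in both scenarios while accepting them only from the appliance. It is an added example, not Squirro's code; the header names, the appliance address range and the `session_lookup` callable are assumptions made for illustration.

```python
import ipaddress

# Assumed for illustration: appliance address range and header names.
TRUSTED_APPLIANCES = [ipaddress.ip_network("10.0.5.0/28")]
USER_ID_HDR = "x-sso-user-id"
SESSION_HDR = "x-sso-session-id"
OPTIONAL_HDRS = {"x-sso-account": "account", "x-sso-email": "email",
                 "x-sso-cn": "common_name"}


class IdentityError(Exception):
    """The request carries no identity that can be trusted."""


def resolve_identity(peer_ip, headers, session_lookup):
    """Return the user record for a request forwarded by the appliance.

    peer_ip is the TCP peer address, never a client-supplied header.
    session_lookup stands in for the external authentication service:
    it takes a session id and returns a user dict or None.
    """
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in TRUSTED_APPLIANCES):
        # Identity headers mean nothing unless the appliance set them.
        raise IdentityError("request did not come via the appliance")
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if h.get(USER_ID_HDR):
        # Scenario 1: the appliance put all user data in the headers.
        user = {"user_id": h[USER_ID_HDR]}
        for hdr, field in OPTIONAL_HDRS.items():
            if h.get(hdr):
                user[field] = h[hdr]
        return user
    if h.get(SESSION_HDR):
        # Scenario 2: only a session id; fetch the rest externally.
        user = session_lookup(h[SESSION_HDR])
        if user and user.get("user_id"):
            return user
        raise IdentityError("session id unknown to the auth service")
    raise IdentityError("no identity headers present")


if __name__ == "__main__":
    # Constructed sample data, not taken from a real deployment.
    sessions = {"s-123": {"user_id": "u42", "email": "a@example.com"}}
    print(resolve_identity("10.0.5.3", {"X-SSO-User-Id": "u42"}, sessions.get))
    print(resolve_identity("10.0.5.3", {"X-SSO-Session-Id": "s-123"}, sessions.get))
```

The peer-address check complements, and does not replace, network controls that keep clients from reaching the cluster without passing through the appliance.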
