The Unified Access Gateway identity bridging feature can be configured to provide single sign-on (SSO) to legacy Web applications that use Kerberos Constrained Delegation (KCD) or header-based authentication.

Unified Access Gateway in identity bridging mode acts as the service provider that passes user authentication to the configured legacy applications. Workspace ONE Access acts as an identity provider and provides SSO into SAML applications. When users access legacy applications that require KCD or header-based authentication, Workspace ONE Access authenticates the user. A SAML assertion with the user's information is sent to the Unified Access Gateway. Unified Access Gateway uses this authentication to allow users to access the application.
Note: Horizon Connection Server, does not work with an enabled web reverse proxy when there is an overlap in the proxy pattern. Therefore, if both Horizon and a web reverse proxy instance are configured and enabled with proxy patterns on the same Unified Access Gateway instance, remove the proxy pattern '/' from Horizon settings and retain the pattern in the web reverse proxy to prevent the overlap. Retaining the '/' proxy pattern in the web reverse proxy instance ensures that when a user clicks the URL of Unified Access Gateway, the correct web reverse proxy page is displayed. If only Horizon settings are configured, the above change is not required.
Figure 1. Unified Access Gateway Identity Bridging Mode
UAG deployed in Identity Bridging mode to provide secure access to legacy applications by converting modern SAML Auth to Kerberos format.