...

IWA / Kerberos requires that client machines have access to a Key Distribution Center (KDC), which in the Windows world generally means Active Directory. For security reasons, AD is generally not reachable outside the local network/corporate intranet, making Kerberos mainly applicable within a company.

Combine Kerberos with other SSO mechanism

It is perfectly fine to combine IWA with other SSO mechanisms such as SAML or OpenID Connect (OIDC). In such a combination, IWA provides hassle-free login experiences when the user is present at his desktop machine on the office, while SAML / OIDC enable the user to log in when they on the run outside the office or when accessing from cellphones or other non-Kerberos compatible devices.

Kerberos for Git

…