Integrated Windows authentication

Some years ago I was evaluating some alternatives for integrating Windows authentication into Plone. The context is a Windows network with Active Directory. The goal was to make the browser pass some credential or auth token to Plone (or the front-end Apache server), so that the user would not need to authenticate again in Plone.

The best thing I could go for was making the user insert their credentials into Plone after inserting their credentials to log on to Windows.

Some time ago I worked on a project that integrated Windows into Apache authentication using NTLM.

Is there a current recommended solution for this use case?

We are using this approach in Plone 4.3.7:

You can also look at this:



We haven't set it up with domain auth yet, but I believe ADFS is becoming more popular. You can use dm.zope.saml2 to connect with that. There is also collective.saml2 which makes it a bit easier to install.
To make it 100% transparent I guess you could put in some automatic redirect to the login page if you are unauthenticated. That would kick off a SAML2 auth request and redirect the browser to ADFS. ADFS would then authenticate with the domain controller and redirect back with a SAML2 auth response. Then you'd be logged into Plone.
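The exchange described in the answer above, as an added example that is not part of the original thread and is not code from dm.zope.saml2, collective.saml2 or ADFS. It walks the SP-initiated flow with the Python standard library only: Plone (the SP) builds an AuthnRequest, encodes it for the HTTP-Redirect binding, the IdP (ADFS) decodes it, and the SP then checks the Response it gets back before logging the user in. The entity IDs and URLs are hypothetical, the IdP Response is a constructed stand-in, and XML signature verification is deliberately left out (a real SAML library must do it); the other checks shown, InResponseTo against outstanding request IDs, Destination, Issuer, validity window and Audience, are the ones that stop a stray or replayed assertion from becoming a Plone session.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"

# Hypothetical endpoints (assumptions, not from the thread): the Plone SP and the ADFS IdP.
SP_ENTITY_ID = "https://plone.example.com/saml2/metadata"
SP_ACS_URL = "https://plone.example.com/saml2/acs"
IDP_SSO_URL = "https://adfs.example.com/adfs/ls/"
IDP_ENTITY_ID = "http://adfs.example.com/adfs/services/trust"

# Fixed "current time" so the example is deterministic; EXAMPLE_LATER is past the assertion's window.
EXAMPLE_NOW = datetime(2016, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
EXAMPLE_LATER = EXAMPLE_NOW + timedelta(hours=1)


def build_authn_request(request_id, now):
    """Step 1: the SP builds an AuthnRequest for the unauthenticated visitor."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{now.strftime(TS)}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )


def redirect_url(authn_request_xml, relay_state):
    """Step 2: HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = c.compress(authn_request_xml.encode()) + c.flush()
    query = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return IDP_SSO_URL + "?" + urlencode(query)


def decode_saml_request(url):
    """What the IdP does with the redirect: undo the binding encoding."""
    q = parse_qs(urlsplit(url).query)
    return zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()


def constructed_idp_response(in_response_to, now, audience=SP_ENTITY_ID):
    """Step 3: CONSTRUCTED stand-in for the Response ADFS would POST back to the ACS.
    A real one carries an XML signature; this one does not."""
    nb = (now - timedelta(minutes=1)).strftime(TS)
    na = (now + timedelta(minutes=5)).strftime(TS)
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" '
        f'Version="2.0" IssueInstant="{now.strftime(TS)}" Destination="{SP_ACS_URL}" '
        f'InResponseTo="{in_response_to}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{now.strftime(TS)}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        '<saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>'
    )


def _need(ok, why):
    if not ok:
        raise ValueError(why)


def _ts(s):
    return datetime.strptime(s, TS).replace(tzinfo=timezone.utc)


def validate_response(response_xml, pending_ids, now):
    """Step 4: the SP's checks before creating a session. Returns the NameID or raises
    ValueError. Signature verification is NOT done here; the real library must do it."""
    root = ET.fromstring(response_xml)
    _need(root.tag == f"{{{SAMLP}}}Response", "not a samlp:Response")
    _need(root.get("Destination") == SP_ACS_URL, "Destination is not our ACS URL")
    rid = root.get("InResponseTo")
    _need(rid in pending_ids, "unsolicited or replayed response")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    _need(code is not None and code.get("Value") == STATUS_SUCCESS, "IdP did not report success")
    a = root.find(f"{{{SAML}}}Assertion")
    _need(a is not None, "no Assertion")
    _need(a.findtext(f"{{{SAML}}}Issuer") == IDP_ENTITY_ID, "assertion not issued by our IdP")
    cond = a.find(f"{{{SAML}}}Conditions")
    _need(cond is not None, "no Conditions")
    _need(_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")),
          "assertion outside its validity window")
    _need(cond.findtext(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience") == SP_ENTITY_ID,
          "assertion meant for another SP")
    name_id = a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    _need(bool(name_id), "no NameID")
    pending_ids.discard(rid)  # one-shot: the same response cannot log in twice
    return name_id


def rejection_reason(response_xml, pending_ids, now):
    """None if the response is accepted, otherwise why it was refused."""
    try:
        validate_response(response_xml, pending_ids, now)
        return None
    except ValueError as e:
        return str(e)


def run_flow(now=EXAMPLE_NOW):
    """The whole round trip; returns the login name Plone would map to a user."""
    pending = set()
    rid = "_" + secrets.token_hex(16)  # unpredictable, stored server-side per browser session
    pending.add(rid)
    url = redirect_url(build_authn_request(rid, now), "/front-page")
    assert decode_saml_request(url) == build_authn_request(rid, now)  # IdP side round-trips
    return validate_response(constructed_idp_response(rid, now), pending, now)
```

The pending-ID set is what ties the browser that started the flow to the response that comes back; in Plone it would live in the session, and the RelayState carries the page to return to after login. Without signature verification on top of these checks, anyone who can reach the ACS URL can forge a Response, so this is only the logic around the library call, never a replacement for it.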