Tags: oauth-2.0, saml, openam

Single Signon between service providers


I am updating a custom portal application that provides centralized authentication for a number of applications. I want to improve the portal to support both SAML and OAuth2 while providing the user with a good user experience.

In SAML talk I have (but it doesn't currently use SAML):


/--------\
| Portal |
|  IdP   |
\--------/
    |
    |-------------\
    v             v
/------\       /------\
| App1 |       | App2 |
| SP   |       | SP   |
\------/       \------/

All requests for App1 and App2 get directed to the portal for authentication. Once they are authenticated they are sent to the landing page of the portal. That's right - the portal. Not the application.

I am looking at changing the above to:


/--------\
| OpenAM |
|  IdP   |
\--------/
    |
    |-------------\---------------\
    v             v               v
/------\       /------\       /------\
|Portal|       | App1 |       | App2 |
| SP   |       | SP   |       | SP   |
\------/       \------/       \------/

The goal being that I want to decouple the portal from authentication. I want to use OpenAM for that and turn the Portal into an SP instead of an IdP. I am also looking at doing SP-initiated SSO that will direct the user back to the SP once authentication is completed.

So that is my plan. :D

My question is - if the user clicks a link on the Portal (SP) to App1 or App2 (also an SP) then can I direct them there without requiring them to login again? I've only ever been exposed to the SP end of SSO before and the IdP end is new to me. Can this be done with (hopefully) both SAML and OAuth2? And if so do you have any advice for pulling this off?

Note: The user is logged in to the IdP for Portal access in the above scenario.

Thanks!


Solution

  • So, as I understand, the question is: if the user is already authenticated on the IdP from first accessing the portal, will he have to authenticate again when going to App1 or App2? The answer is no. This is the thought behind SSO. You sign in once when accessing the first SP and after that you can access all SPs without authenticating again. Generally this is kept track of using cookies on the user's browser.
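A small simulation of the flow the answer describes, added here as an example; it is not part of the question or answer and not OpenAM code. The constructed `IdP` keeps a session keyed by a browser cookie, the Portal login is the only interactive login, and the SP-initiated requests from App1 and App2 are answered from that session. Each assertion carries an audience restriction so that the shared IdP session does not turn one app's assertion into a token for another; the user, password and entity IDs are made-up values.

```python
import secrets
import time
from dataclasses import dataclass, field

@dataclass
class IdP:
    """Simulated identity provider (constructed stand-in for OpenAM). Sessions are
    keyed by a browser cookie; a request arriving with a valid cookie needs no login."""
    users: dict                                   # username -> password (constructed)
    sessions: dict = field(default_factory=dict)  # cookie -> (user, expiry)
    session_ttl: int = 3600
    login_prompts: int = 0                        # count of interactive logins

    def handle_authn_request(self, sp_entity_id, cookie, credentials=None):
        user = self._session_user(cookie)
        if user is None:
            self.login_prompts += 1  # no IdP session yet: the one interactive login
            if credentials is None or self.users.get(credentials[0]) != credentials[1]:
                return None, cookie
            user = credentials[0]
            cookie = secrets.token_urlsafe(32)  # new IdP session cookie for the browser
            self.sessions[cookie] = (user, time.time() + self.session_ttl)
        # The assertion names the requesting SP as its audience, so an assertion
        # issued for App1 is rejected by App2 even though the IdP session is shared.
        return {"subject": user, "audience": sp_entity_id}, cookie

    def _session_user(self, cookie):
        entry = self.sessions.get(cookie)
        if entry is None or entry[1] < time.time():
            self.sessions.pop(cookie, None)       # drop expired sessions
            return None
        return entry[0]

@dataclass
class ServiceProvider:
    entity_id: str

    def accept(self, assertion):
        # Every SP checks the audience before creating its own local session.
        return assertion is not None and assertion["audience"] == self.entity_id

def sso_walkthrough():
    """Log in once at the Portal, then reach App1 and App2 via SP-initiated SSO."""
    idp = IdP(users={"alice": "correct horse"})   # constructed credentials
    portal, app1, app2 = (ServiceProvider(e) for e in ("portal", "app1", "app2"))
    cookie = None                                 # the browser holds no IdP cookie yet
    a_portal, cookie = idp.handle_authn_request("portal", cookie, ("alice", "correct horse"))
    a_app1, cookie = idp.handle_authn_request("app1", cookie)   # no credentials needed
    a_app2, cookie = idp.handle_authn_request("app2", cookie)
    accepted = [portal.accept(a_portal), app1.accept(a_app1), app2.accept(a_app2)]
    return accepted, idp.login_prompts, app2.accept(a_app1)    # last value: cross-SP replay
```

Running `sso_walkthrough()` gives one password prompt for three accepted logins, and `False` for the App1 assertion presented to App2.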