Tags: oauth, oauth-2.0, openid, openam, federation

Federation using OAuth as protocol and OpenAM as SP


I was wondering if it is possible to make OpenID Connect federation with OpenAM. I didn't find anything on this subject, and it appears to me that OpenAM allows federation only for SAML, Liberty ID-FF, and WS-Federation.

So is it possible to make OpenID Connect federation with OpenAM as we can do in WSO2? If so, how?

Here's an image that illustrates my needs. You can see below an architecture of two companies where each one has its own IdP and some SPs. In red, you will see the communication that I want to make: Architecture and OAuth Communication

  1. A client of company 1 tries to access the SP Supply of company 2
  2. Supply checks if he has a session and if not (which is the case) redirects him to the IdP of company 2
  3. The IdP of company 1 federates the authentication to the IdP of company 2
  4. The authentication is made between IdP 1 and the client
  5. A token is given to IdP 2 proving a successful authentication. IdP 2 then creates a session for the client
  6. The same thing occurs between IdP 2 and Supply
  7. The requested resource is finally returned to the client

Thank you for your responses


Solution

  • Let me first clarify what I was trying to do: Double Federation (federation between SP and IDP2, federation between IDP2 and IDP1). This remains a rare case where you want your clients to have sessions in both IDPs and you want to abstract the complexity of the SSO for your service providers.

    Because it's a rare case and not covered by the protocol, OpenAM hasn't implemented this functionality yet. You will be obliged to add complexity to Supply (SP) so that it has two client ids (one for each IDP), and the client will need to choose his IDP or inject the client id in the URLs of the SP.

    Some considerations:

    When using the double federation, you need to make sure that your clients of enterprise 1 won't access service providers that should be private for enterprise 2.
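The following is an added example written for this page, not code from the original post, the answer, or OpenAM. It sketches the SP side of the arrangement the answer describes (the question's Supply SP holding one client id per IdP and picking the IdP for each client), plus the access check the answer's last consideration calls for. The issuer URLs, client ids, redirect URI and resource policy are constructed placeholders; the HTTP redirect, the code-for-token exchange and the id_token signature verification are outside the snippet, so the id_token is passed in as already-verified claims.

```python
"""Service-provider side of a "two client ids, one per IdP" OpenID Connect setup.

Constructed example: issuers, client ids and paths are placeholders, and the
id_token arrives here as already signature-verified claims.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# One client registration per IdP, keyed by the e-mail domain the SP uses to
# choose the IdP (the "client chooses his IDP" step from the answer).
IDP_REGISTRY = {
    "company1.example": {
        "issuer": "https://idp1.example.com",
        "authorize_endpoint": "https://idp1.example.com/oauth2/authorize",
        "client_id": "supply-sp-at-idp1",  # hypothetical client id
    },
    "company2.example": {
        "issuer": "https://idp2.example.com",
        "authorize_endpoint": "https://idp2.example.com/oauth2/authorize",
        "client_id": "supply-sp-at-idp2",  # hypothetical client id
    },
}

REDIRECT_URI = "https://supply.company2.example/oidc/callback"  # placeholder

# Which issuers may reach which resources: company-1 users must not reach
# resources that are private to company 2.
RESOURCE_POLICY = {
    "/public-catalog": {"https://idp1.example.com", "https://idp2.example.com"},
    "/internal-pricing": {"https://idp2.example.com"},
}


def select_idp(login_hint: str) -> dict:
    """Pick the IdP registration from the domain part of the login hint."""
    domain = login_hint.rsplit("@", 1)[-1].lower()
    if domain not in IDP_REGISTRY:
        raise ValueError(f"no IdP registered for domain {domain!r}")
    return IDP_REGISTRY[domain]


def build_authorization_request(login_hint: str, session: dict) -> str:
    """Build the authorization URL for the chosen IdP and bind state, nonce and
    PKCE verifier to the SP session so the callback can be checked against them."""
    idp = select_idp(login_hint)
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # PKCE (RFC 7636), S256 method
    challenge = base64.urlsafe_b64encode(
        hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
    session["pending"] = {
        "issuer": idp["issuer"],
        "client_id": idp["client_id"],
        "state": state,
        "nonce": nonce,
        "code_verifier": verifier,
    }
    params = {
        "response_type": "code",
        "client_id": idp["client_id"],
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "login_hint": login_hint,
    }
    return f"{idp['authorize_endpoint']}?{urlencode(params)}"


def validate_callback(session: dict, returned_state: str, id_token_claims: dict) -> str:
    """Check the callback against the pending request: state must match, and the
    id_token's iss, aud and nonce must be the ones this SP asked for. Returns the
    issuer that authenticated the user and records it on the session."""
    pending = session.get("pending")
    if pending is None:
        raise ValueError("no pending authorization request")
    if not hmac.compare_digest(pending["state"], returned_state):
        raise ValueError("state mismatch (CSRF or response from the wrong IdP)")
    if id_token_claims.get("iss") != pending["issuer"]:
        raise ValueError("id_token issued by a different IdP than requested")
    aud = id_token_claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if pending["client_id"] not in audiences:
        raise ValueError("id_token not intended for this client id")
    if id_token_claims.get("nonce") != pending["nonce"]:
        raise ValueError("nonce mismatch (replayed id_token)")
    session["issuer"] = pending["issuer"]
    session["sub"] = id_token_claims["sub"]
    del session["pending"]
    return session["issuer"]


def authorize_resource(session: dict, path: str) -> bool:
    """Allow the request only if the user's issuer is permitted for that path."""
    return session.get("issuer") in RESOURCE_POLICY.get(path, set())
```

The point of checking `iss` and `aud` against what was stored at request time, rather than against a single configured value, is that an SP registered at two IdPs must not accept an id_token from IdP 1 for a login it started at IdP 2; the per-path issuer allowlist is then what keeps company-1 users out of company-2-private resources.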