My company has implemented SSO with ForgeRock. We have integrated two applications(say app1 and app2) login with it and number of application is going to grow. Queries on expected working :
Login Behaviour:
So now instead of asking for login credentials again for app2, he should land directly into app2's home page. Right? But for that too happen how hitting of app2 will pass info back to app2 that which user has logged into app1? Is it through browser's cookie reading or logged on user of that system/computer? If yes the how we read logged on user and what if application is exposed externally to internet users? Internet users can access it? In this case reading logged on user might not make sense and some of our applications are exposed to internet.
Logout behaviour:
If user is done with his work on app1 and clicks logout but is in mid of his work in app2 (say, form submission or any multi-step activities) logging him out of app2 as well won't be fair to him as he might loose what he has done till now. But is that how it's expected to work?
Logging out of an user from one app should log him out of all applications integrated with same SSO? If so that would mean just don't invalidate session at application-side also send request to SSO server for logout. But that would also mean that all applications need to check for each request that if the user has been logged out? That's too demanding I think. For each request that comes to my application of already logged in user also I need to check if he has been logged out of SSO or not? Is it how it's supposed to work?
After lots of research finally I figured out:
Login Behaviour:
Right ! If a user is logged in app1 and then hits url of app2 in another tab/window of same browser(non-private mode), then he should already be logged in app2. No separate logon should be required for app2.
How app2 knows which user to login?
This done by cookie reading by all apps integrated with SSO. SSO implementation will set cookie in the user's browser window for specific domain which will be available to apps. This cookie will tell apps which user has logged in. And now apps know who is that authenticated user and apps can do their specific things like check authorization and other usual stuff. But if user uses different browser say for app1 chrome and for app2 firefox then as cookies cann't be shared in this case for app2 again user has to go through authentication process. This behaviour will remain same whether apps are exposed to internet or not.
Logout behaviour:
There are different flavors one can choose. There's no hard-fast rule. If you want logout from one app should also imply logging out from all other apps then yes it can be done. One way would be to pass the "token" set by SSO implementation in the browser cookie in all the request. If valid token is received at app-side then fulfill that request else log him out.
Also if you are fine with other apps working while one app has been logged out then you don't need to pass token in each request and logout should only be done at app level. No need to request SSO for logout.