Tags: authentication, architecture, single-sign-on, identityserver4, openid

How can we handle local authentication when an SSO website is down?


We are developing an SSO application using IdentityServer4 as the authentication (not authorization) infrastructure for other (client) websites in our company. One of our main concerns is the failure of the SSO website. In this situation, what considerations should we consider to minimize clients issues?

For example, we want to create a local login page in each application and ask each application to authenticate it using the OTP mechanism. Is this enough or are there better solutions?


Solution

  • For security reasons, you should not try to add some local login; it will just make things more complicated, complex and probably less secure.

    Because your tokens have a certain lifetime (like 1 hour by default), if your SSO goes down for a short while then your clients can continue to operate (unless you query your SSO all the time).

    If you want to make it more reliable, then you need to start looking at load-balancers and having multiple instances of IdentityServer running. That can work if you do take care to have the same keys on all the instances.