
SSO authentication & authorization architecture/implementation

Çağlar Arlı


We have a bunch of different services (SPAs + API GW, legacy JavaEE apps, etc.). Each of those is usually run in multiple instances (customer-specific instances). The plan is to federate them under a single sign-on.

We also need to be able to authorize a single user to different sets of roles in those applications - RBAC.

E.g.

  • user A can access only the invoicing module of app X, is a regular user in instance Y of app Z and is an admin in app Q.

So we need to manage a set of groups (roles) for every user.

In order to keep the users manageable, the user/group storage should be central (an LDAP?). The roles in each application are specific, so they could be managed within each app.


What is the suggested architecture?

LDAP synced with a central Identity Provider?

Technology: OpenID/JWT tokens? SAML claims?


So far we have experimented with a few OpenID providers. These seem to treat the authorization part (groups/roles) as a bit of a second-class citizen.
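The following is an added example, not code from the question's author or from any of the providers mentioned. It shows one way to carry the per-application role assignments described above (user A: invoicing in app X, regular user in instance Y of app Z, admin in app Q) in a token issued by a central identity provider, while each application keeps its own role vocabulary and only interprets groups carrying its own prefix. Everything in it is an assumption for illustration: the `app[:instance]:role` group naming convention, the HS256 shared secret (a real IdP would sign with RS256/ES256 and publish its key via JWKS), the placeholder issuer URL, and the audience names `app-x`, `app-z`, `app-q`. The relying-party side pins the algorithm, checks signature, issuer, audience and expiry before trusting any claim, and the `demo()` function exercises the cases an application must reject: a token replayed at another application, an expired token, and a payload with forged groups.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only. A production IdP would sign with an
# asymmetric key (RS256/ES256) and publish the verification key via JWKS; the
# issuer URL is a placeholder.
IDP_SECRET = b"example-shared-secret-not-for-production"
ISSUER = "https://idp.example.invalid"

# User A from the question, expressed as centrally managed groups named
# "app[:instance]:role" (the LDAP/IdP side). Each app reads only its own prefix.
USER_A_GROUPS = ["app-x:invoicing", "app-z:instance-y:user", "app-q:admin"]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, audience, groups, ttl=300, now=None):
    """IdP side: mint an HS256 JWT whose 'groups' claim carries the user's central groups."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": subject, "aud": audience,
               "iat": now, "exp": now + ttl, "groups": groups}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, expected_audience, now=None):
    """Relying-party side: check alg, signature, issuer, audience and expiry before trusting claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected_sig = hmac.new(IDP_SECRET, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if payload.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if payload.get("aud") != expected_audience:
        raise ValueError("token issued for another application")
    if now >= int(payload.get("exp", 0)):
        raise ValueError("token expired")
    return payload


def roles_for_app(groups, app, instance=None):
    """Map central group names to the roles one app (or one instance of it) recognises.

    'app:role' applies to every instance of the app; 'app:instance:role' only to that
    instance. Groups with another app's prefix are ignored, so each app owns its roles.
    """
    roles = set()
    for group in groups:
        parts = group.split(":")
        if len(parts) == 2 and parts[0] == app:
            roles.add(parts[1])
        elif len(parts) == 3 and parts[0] == app and parts[1] == instance:
            roles.add(parts[2])
    return roles


def authorize(token, app, required_role, instance=None, now=None):
    """Full RBAC decision for one request: any verification failure means deny."""
    try:
        claims = verify_token(token, expected_audience=app, now=now)
    except ValueError:
        return False
    return required_role in roles_for_app(claims.get("groups", []), app, instance)


def demo(now=1_000):
    """Issue a token for user A at app-z and exercise the checks an application must make."""
    token = issue_token("user-a", "app-z", USER_A_GROUPS, now=now)
    header_b64, _, sig_b64 = token.split(".")
    # Same header and signature, but a payload claiming a role user A was never given.
    forged_payload = {"iss": ISSUER, "sub": "user-a", "aud": "app-z", "iat": now,
                      "exp": now + 300, "groups": ["app-z:instance-y:admin"]}
    forged = header_b64 + "." + _b64url(json.dumps(forged_payload).encode()) + "." + sig_b64
    return {
        "user_in_instance_y": authorize(token, "app-z", "user", instance="instance-y", now=now + 100),
        "admin_in_instance_y": authorize(token, "app-z", "admin", instance="instance-y", now=now + 100),
        "user_in_instance_w": authorize(token, "app-z", "user", instance="instance-w", now=now + 100),
        "replayed_at_app_q": authorize(token, "app-q", "admin", now=now + 100),
        "expired": authorize(token, "app-z", "user", instance="instance-y", now=now + 600),
        "forged_groups": authorize(forged, "app-z", "admin", instance="instance-y", now=now + 100),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:22s} -> {'allow' if allowed else 'deny'}")
```

The design point is that the central store (LDAP or the IdP's own user directory) holds only group membership with an app prefix, while the mapping from those groups to permissions stays inside each application; the audience check is what stops a token minted for one application from granting the same user's admin group at another, which is the kind of group handling the question found under-served by the providers tried.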