I'm planning to use SimpleSAMLphp as an IdP. I have a reasonable number of users in a database who "can" share 5 different applications.
Currently, users have to go to each application and enter a username and password, which is surely not what I desire. The solution is to keep a separate authentication server and use SSO to serve the 5 different applications (as service providers).
Although the applications can share the same user database, the services are completely different and they rely heavily on user roles. Let's take an example of two applications: SP1 and SP2.
SP1 is in Laravel and is a heavily role-based system. At any point in time, one user can have 5-6 roles, depending on which the application functions / provides information.
SP2 is completely different; it could be just a blog site in Drupal where we want to collect the user data, that's it. We will have minimal role requirements here.
When a user comes to SP1 and tries to get a restricted page, they will be redirected to the IdP, which authenticates the user. If the user does not exist in the IdP, it will return false; otherwise it returns back to SP1 with some relevant attributes. Let's assume that for SP1 this is a new user; we have the option to save that user in the SP1 database (in fact we should bind that user to an SP1-specific role), but then we're storing the user in two places: IdP and SP1.
...And the same goes for SP2. In this case we are storing the user in a total of 3 places: IdP, SP1 and SP2. The only benefit we got is that the user didn't have to enter a username and password for SP2; it was automatically handled by our IdP.
Questions
- Do I need to store the user in both SP1 and SP2? If not, then how can I handle all role-specific functionalities?
- If not, then how do I initialize the user session and assign SP-specific roles? Based on SAML attributes?
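One way to handle the second question, as an added example that is not from the post, SimpleSAMLphp or Laravel: the SP keeps only a link to the IdP identity (keyed on an assumed stable attribute) and derives its SP-specific roles from the released attributes on every login, so no password is duplicated. The attribute names, the `$attributes` array shape and the in-memory `$users` store are assumptions.

```php
<?php
declare(strict_types=1);
// Added example (not from the question, Laravel or SimpleSAMLphp): just-in-time provisioning
// on the SP side. The SP stores only a link to the IdP identity plus its own roles.
// Assumed: $attributes has the shape SimpleSAMLphp's getAttributes() returns
// (name => list of strings) and the IdP releases the eduPerson attributes used below.
// SP1-specific mapping: IdP group value => local role. Unlisted values are ignored,
// so the IdP cannot grant a role SP1 never defined.
const SP1_ROLE_MAP = [
    'staff'   => 'editor',
    'finance' => 'invoice_approver',
];

function sp1RolesFromAttributes(array $attributes): array
{
    $roles = ['member'];  // base role for every authenticated user
    foreach ($attributes['eduPersonEntitlement'] ?? [] as $group) {
        if (isset(SP1_ROLE_MAP[$group])) {
            $roles[] = SP1_ROLE_MAP[$group];
        }
    }
    return array_values(array_unique($roles));
}

function stableSubject(array $attributes): string
{
    // Key the local record on a persistent identifier, not on e-mail or display name.
    $id = $attributes['eduPersonPrincipalName'][0] ?? '';
    if ($id === '') {
        throw new RuntimeException('IdP did not release a stable identifier');
    }
    return $id;
}

function provisionLocalUser(array &$localUsers, array $attributes): array
{
    // $localUsers stands in for the SP1 users table (subject => row); it has no password.
    $subject = stableSubject($attributes);
    $localUsers[$subject] = [
        'subject' => $subject,
        'display' => $attributes['displayName'][0] ?? $subject,
        'roles'   => sp1RolesFromAttributes($attributes),  // recomputed on every login
    ];
    return $localUsers[$subject];
}

// Constructed sample: 'unknown-group' is dropped; roles become member, editor, invoice_approver.
$users = [];
$row = provisionLocalUser($users, ['eduPersonPrincipalName' => ['alice@example.org'],
    'displayName' => ['Alice'], 'eduPersonEntitlement' => ['staff', 'finance', 'unknown-group']]);
```

In a real SP the attribute array would come from SimpleSAMLphp's `\SimpleSAML\Auth\Simple::getAttributes()` after `requireAuth()`, and the returned row is what the application's own session login would be given; SP2 would carry its own, smaller map in the same way.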