
Is it possible to SSO using OIDC across different providers (Google, AWS)? One client (web application) is using OIDC/Google and another is using OIDC/AWS. The goal is to AuthN only once and traverse both sites without having to log in again. The web application bound to OIDC/AWS is authoritative and the SoR for managing the accounts.

Is this possible, and what are my options? Is it possible to federate between both service providers? Thank you!

If there are any systems interaction diagrams that could help visualize the flow that would be great to point out.

I've looked into all docs provided by OIDC, Google and AWS but could not find any helpful insights or instructions on how to federate between different providers.

BTW, this article did not make sense: https://cloud.google.com/iap/docs/enable-external-identities

Tam S

1 Answer


Single sign-on has a precondition of using the same authentication for both apps. This identity provider sets an SSO cookie that can be used to prevent the second login.

Usually, when using OAuth and OpenID Connect, your apps interact with an authorization server by running a code flow. The authorization server can be configured to run a second code flow, so that authentication occurs at an external identity provider.

In your case this would enable you to change the behaviour of one of the apps to do a federated login. It has a prerequisite of using a system that supports the authorization server role, though. Not all cloud providers support this.

Gary Archer
  • Gary, thank you very much for your time! < The authorization server can be configured to run a second code flow, so that authentication occurs at an external identity provider.> So this would be the solution, provided that Google and/or AWS can support a second code flow? Are there any interaction diagrams that you know of that you can share that would show the authorization server role flow? – Tam S May 03 '23 at 21:16
  • It's a difficult topic to find good links on, actually. My [blog post](https://authguidance.com/federated-logins/) provides an overview of the main behaviours. Essentially you just configure an authentication method, and no code changes should be needed to apps in order to use an upstream IDP. – Gary Archer May 04 '23 at 06:37
  • This is great, Gary! Thanks again for your time and expertise on this topic. Really appreciate it! – Tam S May 04 '23 at 20:41
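To make the brokered flow in the answer concrete, here is an added simulation that is not part of the question, the answer, or any real provider's code. Two apps each run a code flow against one authorization server (AS); when the browser carries no AS SSO cookie, the AS runs a second code flow at an upstream IdP (standing in for Google), verifies the returned ID token, maps the identity onto its own account store (the SoR), and only then issues a code to the app. A second app arriving with the SSO cookie gets a code with no upstream login at all. Everything here is constructed: the issuer URLs, client IDs, secrets and the account table are hypothetical, and an HMAC shared key stands in for the RS256 signature and JWKS lookup a real IdP would use.

```python
"""Constructed simulation of OIDC federated login via a brokering authorization server.
Hypothetical issuers, clients, secrets and accounts; HS256 stands in for RS256 + JWKS."""
import base64, hashlib, hmac, json, secrets, time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_jwt(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str) -> dict:
    """Checks signature, iss, aud and exp; a relying party must do all four."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["iss"] != issuer or claims["aud"] != audience or claims["exp"] < time.time():
        raise ValueError("iss/aud/exp check failed")
    return claims


class UpstreamIdP:
    """Stands in for Google: shows a login page, returns a code, then an ID token."""
    ISSUER = "https://idp.example"  # hypothetical

    def __init__(self):
        self.key, self.codes, self.logins = secrets.token_bytes(32), {}, 0

    def authorize(self, client_id, state, user_email):
        self.logins += 1  # the user is interactively authenticated here
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user_email)
        return {"code": code, "state": state}

    def token(self, code, client_id):
        cid, email = self.codes.pop(code)  # one-time use; reuse raises KeyError
        if cid != client_id:
            raise ValueError("code issued to another client")
        sub = hashlib.sha256(email.encode()).hexdigest()[:16]
        claims = {"iss": self.ISSUER, "aud": client_id, "sub": sub, "email": email, "exp": time.time() + 300}
        return sign_jwt(claims, self.key)


class AuthorizationServer:
    """Broker: apps run a code flow here; it runs a second code flow at the upstream IdP."""
    ISSUER = "https://as.example"  # hypothetical

    def __init__(self, upstream, accounts):
        self.upstream, self.accounts = upstream, accounts  # accounts: the SoR, email -> local id
        self.key, self.clients = secrets.token_bytes(32), {}
        self.sso, self.pending, self.codes = {}, {}, {}  # cookie->acct, upstream state->req, code->(client, acct)
        self.upstream_client_id = "as-at-upstream"  # the AS is itself a client of the upstream IdP

    def register(self, client_id, secret):
        self.clients[client_id] = secret

    def authorize(self, client_id, state, cookie=None):
        if cookie in self.sso:  # valid SSO cookie: no second login anywhere
            return {"code": self._issue(client_id, self.sso[cookie]), "state": state}
        ustate = secrets.token_urlsafe(16)  # state for the second (upstream) code flow
        self.pending[ustate] = (client_id, state)
        return {"redirect": self.upstream.ISSUER + "/authorize", "upstream_state": ustate}

    def upstream_callback(self, upstream_state, upstream_code):
        client_id, state = self.pending.pop(upstream_state)  # unknown state -> KeyError (CSRF defence)
        id_token = self.upstream.token(upstream_code, self.upstream_client_id)
        claims = verify_jwt(id_token, self.upstream.key, self.upstream.ISSUER, self.upstream_client_id)
        local = self.accounts.get(claims["email"])
        if local is None:
            raise PermissionError("identity not in SoR")  # upstream login alone grants nothing
        cookie = secrets.token_urlsafe(24)
        self.sso[cookie] = local  # SSO session now lives at the AS, not at the upstream IdP
        return {"code": self._issue(client_id, local), "state": state, "set_cookie": cookie}

    def _issue(self, client_id, local):
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, local)
        return code

    def token(self, code, client_id, client_secret):
        if self.clients.get(client_id) != client_secret:
            raise PermissionError("bad client authentication")
        cid, local = self.codes.pop(code)
        if cid != client_id:
            raise PermissionError("code bound to another client")
        return sign_jwt({"iss": self.ISSUER, "aud": client_id, "sub": local, "exp": time.time() + 300}, self.key)


def run_demo(email="alice@example.com"):
    idp = UpstreamIdP()
    as_ = AuthorizationServer(idp, {"alice@example.com": "acct-1001"})  # constructed SoR
    as_.register("app-a", "secret-a")
    as_.register("app-b", "secret-b")
    # App A: no SSO cookie, so the AS brokers to the upstream IdP and back
    r = as_.authorize("app-a", state="sA")
    up = idp.authorize(as_.upstream_client_id, r["upstream_state"], email)
    cb = as_.upstream_callback(up["state"], up["code"])
    tok_a = verify_jwt(as_.token(cb["code"], "app-a", "secret-a"), as_.key, as_.ISSUER, "app-a")
    # App B: same browser presents the AS cookie; code issued with no upstream login
    r2 = as_.authorize("app-b", state="sB", cookie=cb["set_cookie"])
    tok_b = verify_jwt(as_.token(r2["code"], "app-b", "secret-b"), as_.key, as_.ISSUER, "app-b")
    return {"upstream_logins": idp.logins, "sub": (tok_a["sub"], tok_b["sub"]), "aud": (tok_a["aud"], tok_b["aud"])}
```

The point to take from the simulation is where the SSO session lives: both apps trust only the AS, the AS alone trusts the upstream IdP, and an identity the SoR does not know is refused even after a successful upstream login. Run `run_demo()` to see one upstream login serving both apps.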