I have a React front end with a Spring Boot back end deployed on Azure.
Our company uses Active Directory as does our clients.
Our clients have said that they would like to use single-sign-on with our applications.
i.e. they click log in on our application and it takes them to their company login page
I don't have a good handle on how this flow would work and which parts are the responsibility of which parts of the application.
I'm not sure if it is something like this where it is handled mostly within the application:
- user clicks log in
- web app links to MS auth
- MS auth redirects to correct client company login
- client company AD authenticates and responds with JWT
- web app forwards the jwt to us via a REST API call
- back end connects to our AD and verifies (?) that it is a valid company
- back end responds to the REST request with another JWT containing the user, company, role etc
Or if it is some configuration within AD that skips those last 3 steps.
I'm also not really sure what to store in our Active Directory.
- Do I create a user that represents each client company?
- Or a group of users that relate to that web app?
- Should I store the roles for each user in our AD or should that come from their AD?
- If the role is in their AD, do I tell the client what the role names should be or is there a way of doing some mapping between their roles and ours?
Is there a proper name for this design pattern to help me with searching for examples?
Aucun commentaire:
Enregistrer un commentaire