In our company we have several rich Java applications that are used by both internal and external users. We would like to start migrating these systems to a single sign-on mechanism, and potentially to allow our external clients to use their own authentication mechanisms to validate their users.
For example, if we have a client with a large number of users, and they would like their users to register only with information about their company, we would like to support this.
We have looked at certificate-based authentication systems (one of the most common is Kerberos) and at using this kind of authentication mechanism, which allows external authentication services to be used with our system.
Is this doable? Are there specific implementation details that we need to know about? I'm less interested in specific technologies (although suggestions are certainly welcome) than in the key concepts, and in making sure we do the right thing where possible.
What about authorization, i.e. access to the various services? Is there a standard or best practice for how this is handled when working with authentication services that may be disabled?
As an additional note, our front-end systems are written in Java, so any information about implementing this in a Java stack would be appreciated (useful libraries, Java-specific pitfalls, etc.).
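The concept the question circles around, as an added illustration (not part of the original question, and not an answer posted on the site): an external identity provider only proves *who* a user is, while the decision about *what* that user may do stays local to the relying party, and a provider that is disabled or unreachable must cause access to fail closed rather than fall back to some default. The example is in Python purely to keep the concept readable; it is not the Java stack the asker mentions. Everything in it is constructed: the two issuers (`internal`, `acme-corp`), their shared HMAC secrets standing in for a real IdP's signing key, the role table and the service names are all hypothetical, and the HMAC-signed assertion is a deliberate stand-in for a Kerberos ticket, SAML assertion or OIDC token.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample data (hypothetical, not from any real deployment). Each entry is
# an external identity provider the relying party trusts, keyed by issuer name.
# A shared HMAC secret stands in for the IdP's signing key/certificate; with
# Kerberos, SAML or OIDC the same role is played by the KDC key, IdP cert or JWKS.
IDP_KEYS = {
    "internal": b"internal-idp-secret",
    "acme-corp": b"acme-corp-idp-secret",
}

# Authorization stays local. Roles are keyed by (issuer, subject) so that "bob"
# asserted by one customer's IdP never inherits roles granted to another "bob".
LOCAL_ROLES = {
    ("internal", "alice"): {"admin", "reports"},
    ("acme-corp", "bob"): {"reports"},
}
SERVICE_ROLES = {
    "reports": {"reports"},
    "billing-export": {"admin"},
}


class AuthError(Exception):
    """Token cannot be trusted; the caller treats this as 'not authenticated'."""


@dataclass(frozen=True)
class Principal:
    issuer: str
    subject: str


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer: str, subject: str, key: bytes, now: int, lifetime: int = 300) -> str:
    """The identity provider's side: sign a short-lived assertion about a subject."""
    claims = {"iss": issuer, "sub": subject, "iat": now, "exp": now + lifetime}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64u(payload) + "." + _b64u(sig)


def authenticate(token: str, now: int, disabled_issuers: frozenset = frozenset()) -> Principal:
    """The relying party's side: verify the assertion before trusting any claim in it."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64u(payload_b64)
        claims = json.loads(payload)
        if not isinstance(claims, dict):
            raise ValueError("claims must be an object")
    except ValueError as exc:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise AuthError("malformed token") from exc
    issuer = claims.get("iss")
    # Select the key by the *claimed* issuer, then let the signature prove that claim.
    if issuer not in IDP_KEYS:
        raise AuthError("unknown issuer")
    if issuer in disabled_issuers:
        # A disabled/offboarded provider cannot vouch for anyone, even with a valid signature.
        raise AuthError(f"issuer {issuer} is disabled")
    expected = hmac.new(IDP_KEYS[issuer], payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(sig_b64)):
        raise AuthError("bad signature")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise AuthError("token expired")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise AuthError("missing subject")
    return Principal(issuer=issuer, subject=claims["sub"])


def authorize(principal: Principal, service: str) -> bool:
    """Local decision only: no role data is taken from the external assertion."""
    required = SERVICE_ROLES.get(service)
    if required is None:
        return False  # unknown service: fail closed
    granted = LOCAL_ROLES.get((principal.issuer, principal.subject), set())
    return required <= granted


def access(token: str, service: str, now: int, disabled_issuers: frozenset = frozenset()) -> str:
    """'granted', 'forbidden' (authenticated but not authorized) or 'denied: <reason>'."""
    try:
        principal = authenticate(token, now, disabled_issuers)
    except AuthError as exc:
        return f"denied: {exc}"
    return "granted" if authorize(principal, service) else "forbidden"


if __name__ == "__main__":
    NOW = 1_700_000_000  # fixed clock so the run is reproducible
    bob = issue_token("acme-corp", "bob", IDP_KEYS["acme-corp"], NOW)
    for service, disabled, clock in [("reports", frozenset(), NOW),
                                     ("billing-export", frozenset(), NOW),
                                     ("reports", frozenset({"acme-corp"}), NOW),
                                     ("reports", frozenset(), NOW + 600)]:
        print(service, "->", access(bob, service, clock, disabled))
```

The two separations worth noticing are the ones the question asks about: the authenticator returns only a `Principal`, and the authorizer never reads roles out of the external assertion, so a customer's IdP can be onboarded, disabled or swapped without touching the permission model; and every failure path (unknown issuer, disabled issuer, bad signature, expiry) ends in a denial rather than a guessed identity. In a real Java deployment the HMAC check is replaced by the library's validation of the Kerberos ticket, SAML assertion or OIDC token, but the shape of the two functions stays the same.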