I am going to design an architecture for a municipality. The requirements include a CMS as a portal and a general infrastructure which is mainly for future applications, to share added services such as authentication, authorization, pubsub, logs.
Main requirements:
Authenticate CMS users in an external authentication module
Future applications to re-use this authentication module
Future applications to login with SSO functionality
Authorization with XACML
Added services to have REST API
Offer OAuth services
I am quite frankly confused. I have worked mainly in enterprise environments. But the more I investigate, the more I am getting the feeling these requirements mix enterprise with web stuff. A municipality is not an enterprise.
Initially, things seemed clear to me: Have some authentication provider behind the CMS, and an authorization module. OAuth to be used for REST APIs, users log in through the CMS front end.
Then I started investigating SSO. SSO solutions actually seem to have some kind of interceptor pattern. First you log in to the SSO and then, if authenticated (and authorized) successfully, you get access to the resource - the CMS (not the other way around, as I first thought).
But how does OAuth play in here?
- Is OAuth capable of offering some kind of SSO functionality?
- Could all users and APIs authenticate with OAuth only?
- Is OAuth suitable for authenticating single users (login) instead of apps requesting access to APIs?
- How do Identity Providers and OAuth play together?
So more than anything else I am requesting resources I can work through which illuminate me on the latest best practices and architectures on how to implement my requirements, putting all concepts (authorization, authentication, SSO, OAuth) together.
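The following is an added, self-contained sketch of how the pieces named in the question fit together; it is not part of the question, not an answer posted on the page, and not code from any IdP, CMS or XACML product. It models the interceptor pattern the question describes: a policy enforcement point (PEP) in front of the CMS sends an unauthenticated user to the identity provider, the IdP returns an OpenID Connect ID token (the identity layer on top of OAuth 2.0 that actually says who logged in), the app validates that token, and an XACML-style policy decision point (PDP) decides Permit/Deny/NotApplicable from subject, resource and action attributes. Everything concrete in it is assumed: the issuer URL, client id, secret, policy rules and user names are constructed for the demo, and the ID token is signed with HMAC so the example runs offline, whereas a real IdP signs with an asymmetric key and publishes the public key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this demo; none of them come from the question.
IDP_ISSUER = "https://idp.example-municipality.invalid"  # hypothetical IdP URL
IDP_SECRET = b"constructed-demo-secret-do-not-reuse"     # demo HS256 key shared IdP <-> app
CMS_CLIENT_ID = "cms-portal"                              # hypothetical OAuth client_id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Identity provider side (authentication) --------------------------------
# After the user has logged in at the IdP, the IdP issues an OpenID Connect
# ID token: a signed JWT stating WHO authenticated and for WHICH client.
# A bare OAuth 2.0 access token carries no such meaning, which is why OIDC,
# layered on OAuth, is the piece that gives you user login and SSO.
def issue_id_token(subject, audience, roles, ttl=300, now=None):
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl, "roles": list(roles)}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


# --- Relying party side (the CMS, or any future application) ----------------
class InvalidToken(Exception):
    pass


def validate_id_token(token, expected_aud, now=None):
    """Check signature, algorithm, issuer, audience and expiry; return the claims."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        expected = hmac.new(IDP_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise InvalidToken("bad signature")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
    except (ValueError, TypeError):
        raise InvalidToken("malformed token")
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    if claims.get("iss") != IDP_ISSUER:
        raise InvalidToken("wrong issuer")
    if claims.get("aud") != expected_aud:
        raise InvalidToken("token not issued for this client")
    if now >= claims.get("exp", 0):
        raise InvalidToken("expired")
    return claims


# --- Authorization: XACML-style policy decision point -----------------------
# Attribute-based rules in XACML vocabulary (subject, resource, action, effect),
# combined first-applicable; no matching rule yields NotApplicable.
POLICY = [  # constructed demo policy
    {"resource": "/cms/pages", "action": "edit", "role": "editor", "effect": "Permit"},
    {"resource": "/cms/pages", "action": "read", "role": None, "effect": "Permit"},
    {"resource": "/cms/admin", "action": None, "role": "admin", "effect": "Permit"},
]


def pdp_decide(subject_attrs, resource, action):
    for rule in POLICY:
        if rule["resource"] != resource:
            continue
        if rule["action"] is not None and rule["action"] != action:
            continue
        if rule["role"] is not None and rule["role"] not in subject_attrs.get("roles", ()):
            continue
        return rule["effect"]
    return "NotApplicable"


# --- Policy enforcement point: the "interceptor" in front of the resource ----
def pep_handle(request, now=None):
    """request = {"id_token": <optional>, "resource": ..., "action": ...}"""
    login_url = (f"{IDP_ISSUER}/authorize?response_type=code&scope=openid"
                 f"&client_id={CMS_CLIENT_ID}")
    token = request.get("id_token")
    if token is None:
        # Not authenticated yet: send the user to the IdP first (the SSO step).
        return {"status": 302, "location": login_url}
    try:
        claims = validate_id_token(token, CMS_CLIENT_ID, now=now)
    except InvalidToken as exc:
        return {"status": 302, "location": login_url, "reason": str(exc)}
    decision = pdp_decide({"sub": claims["sub"], "roles": claims.get("roles", [])},
                          request["resource"], request["action"])
    # Deny-biased PEP: only an explicit Permit lets the request through.
    if decision == "Permit":
        return {"status": 200, "user": claims["sub"], "decision": decision}
    return {"status": 403, "user": claims["sub"], "decision": decision}


if __name__ == "__main__":
    demo = issue_id_token("alice", CMS_CLIENT_ID, ["editor"])
    print(pep_handle({"id_token": demo, "resource": "/cms/pages", "action": "edit"}))
    print(pep_handle({"resource": "/cms/pages", "action": "read"}))
```

The split mirrors the architecture the question is circling: authentication lives in the IdP and is consumed by every application through the same token format (that is what makes SSO reusable for future applications), OAuth scopes govern what a client may call on the REST APIs, and authorization of a specific user action is a separate PDP decision the PEP enforces. A second application would reuse `validate_id_token` unchanged and only register its own `client_id` as the expected audience.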