Premise: I have an infrastructure where we have a custom RP-STS implemented with Windows Identity Foundation, providing SSO for a few websites. This STS communicates with the sites via WSFederation. This custom STS is about to be deprecated because the organization is adding an Open ID Connect Idp into the infrastructure.
The websites themselves (Episerver) contain all the custom made authorization logic already based on the claims the STS provides, and if we were to simply toss the STS we'd have to replace all of this logic.
Question: What is the browser redirect flow to integrate our RP-STS to the openId connect provider in such a way that the end user browser gets a session for both our RP STS and the Open Id Connect IdP?
Personal thinking on how it might be doable (based on massive assumptions on how openid connect works), skip this if you know how to answer:
- Website sends HTTP post to RP-STS containing username/password
- RP STS responds to browser with redirect to OpenId Connect Idp (Redirect contains username / password, and a replyto address is set to the RP STS)
- OpenId Connect Idp creates a local session (???) and responds with a redirect to RP STS, redirect contains auth_token. (I'm unsure of the parts that go into an openid connect login flow)
- RP STS receives user token and gets / asks for user data, builds claims and builds local session
- RP STS sends claims in SAML token via WSFed to RP site
Am I even close?
Further clarification:
- I do not want to remove the existing STS, but abstract the new infrastructure change behind it so that from the end-user-sites perspective, identity objects and authorization logic will remain unchanged.
- I need help specifically in seeing if the login/logout flow is doable between the STS and the Open ID Connect IDP
