@joshua thanks for replying
Here are some answers to your questions:
I am a bit confused by your use case. What is the primary purpose of FusionAuth in this instance?
We want to use FusionAuth (FA) to authorize users to FA protected OIDC apps after we login to our current SSO, which uses forms auth.
We thought calling the FA /API/login API was the same thing? And that after we logged in there, we were authorized for FA protected apps the logged in user was registered to.
But it looks like FA /API/login API is just authentication, so I guess we need the authorization part that allows users to now get into FA OIDC protected apps, without having to login again.
Are you using an OIDC compliant SSO?
No, we have a custom SSO, based on forms auth, with some old Open Id 2.0 and custom "SSO" links behind it on a portal page. Once logged in, you click over to these sites from the portal page. We want to move from Open Id 2.0 to OIDC and SAML, where appropriate.
If you could elaborate a bit on your current implementation and the steps you would like to have occur, I may be able to offer a few more pointers.
Initial phase (6 months), we want to do something like this:
6 months will allow us to clean up our user base, finish evaluating FA custom registration forms, and get our FA custom themes done.
In the meantime, we still want our users to be able to use our custom SSO to get to their sites daily, with no drastic changes in the current, custom SSO site.
After 6 months, we want our login process to look like this:
We will basically strip the old SSO site of any SSO capability and give that to FA, which will turn it into a regular OIDC protected page that requires a login on the styled FA login page to get authenticated and authorized to the allowed apps.
Does this make sense?
We are basically stuck on the SSO session part. We can log in (authenticate) with FA, but now we need to authorize our users into their registered OIDC sites without them having to log in to FA again.
Thanks for any help.