On one of our teams, we’ve been rapidly and individually developing or deploying a large number of dedicated web services. Some we build (using Django, Flask, Node, etc.), others are open source projects we just run (e.g. Wekan, Nifi, etc.). We maintain SSO for centralizing credentials and permissions for users, developers, and admins, and run a combination of KeyCloak (which provides both OIDC and SAML), for application user management, and Dex, for controlling Kubernetes credentials (all services are deployed within that cluster).
We’re very quickly running into difficulties actually making SSO work, however. Every application and web framework has a different way of integrating SSO, if it supports it at all. We’ve had to ditch a few capabilities because they didn’t readily work with our SSO infrastructure. We’re becoming increasingly hesitant to deploy new types of services because the time cost of integrating SSO is significant each time. In the long run, it’s probably less effort than maintaining separate credentials on every single service, but not by much, at least in the short term.
My question is this: since we control our network and cluster, is there a good or common way of setting up a single web portal that integrates with SSO, then embeds or proxies the individual services, which could then either be unsecured (but only reachable from that SSO-enabled proxy) or have user identity passed along somehow? Is this a common thing to do with well-defined protocols or common open-source solutions? Or is there a reason I can’t find a way to do this? It seems like there should be some authentication/identity equivalent to SSL termination.
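The identity hand-off the question describes, as an added Python sketch that is not from the question or from any of the projects it names: the SSO-terminating proxy strips any identity headers the client sent, then forwards a short-lived HMAC-signed assertion, and the upstream service accepts identity only when the signature verifies, so a request that reaches the backend without going through the proxy carries no usable identity. The header names, secret and user values are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed sample secret shared between the SSO proxy and the upstream service;
# in a real deployment it comes from the cluster's secret store, not source code.
PROXY_SECRET = b"constructed-shared-secret-not-for-production"
IDENTITY_HEADERS = ("X-Auth-Assertion", "X-Auth-Signature")  # constructed header names


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def strip_client_identity(headers: dict) -> dict:
    """Proxy side, step 1: drop identity headers supplied by the client, so a
    caller can never smuggle its own assertion through to the upstream."""
    return {k: v for k, v in headers.items() if k not in IDENTITY_HEADERS}


def proxy_identity_headers(subject: str, groups: list, secret: bytes = PROXY_SECRET,
                           now=None, ttl: int = 60) -> dict:
    """Proxy side, step 2: after the OIDC/SAML login succeeds, mint a short-lived,
    HMAC-signed assertion carrying the claims the upstream needs."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "groups": groups, "exp": now + ttl}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return {"X-Auth-Assertion": payload, "X-Auth-Signature": sig}


def backend_identity(headers: dict, secret: bytes = PROXY_SECRET, now=None):
    """Upstream side: trust identity only from a correctly signed, unexpired
    assertion; anything else is anonymous (None -> respond 401)."""
    payload, sig = headers.get("X-Auth-Assertion"), headers.get("X-Auth-Signature")
    if not payload or not sig:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):  # constant-time
        return None
    try:
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return None
    now = int(time.time()) if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims
```

On the proxy the upstream request is built as `{**strip_client_identity(client_headers), **proxy_identity_headers(sub, groups)}`; the same protection can come from network isolation alone (backend reachable only from the proxy), but the signature also covers the case where that isolation is misconfigured.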