This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Single Sign-On Across Web Applications and Web Services

The requirement is single sign-on across several web applications: once a user has authenticated, they can reach every web application without authenticating again. In addition, the web applications must call a set of back-end services with the logged-in user's access rights, and the back-end services authorize the end user on the basis of claims carried with the user's identity, such as roles.

  1. The user accesses the link to the WebApp.
  2. The WebApp finds that the user is not authenticated and redirects the browser to the SAML2 IdP.
  3. The SAML2 IdP checks whether the user already has an authenticated session; if not, it prompts for credentials. Once the user is authenticated, the IdP redirects them back to the WebApp with a SAML token (a signed SAML2 assertion) carrying the set of claims the WebApp requested.
  4. The WebApp needs to call a back-end Web Service with the logged-in user's access rights. It passes the SAML token to the PEP using WS-Trust and authenticates itself (the WebApp, not the end user) to the PEP following the trusted sub-system pattern, so the PEP can tell which application is calling and which user the forwarded token represents.
  5. The PEP calls the XACML PDP to authorize the user based on the claims in the SAML token.
  6. The XACML PDP returns its decision to the PEP.
  7. If the decision is 'Permit', the PEP lets the request through to the back-end Web Service; any other XACML decision (Deny, NotApplicable, Indeterminate) is refused.
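The PEP side of steps 4 to 7, as an added example that is not part of the original page or of WSO2's products: a small Python policy enforcement point together with a stand-in PDP. It assumes the assertion's XML Signature has already been verified before this code runs, that the token the WebApp forwards names the back-end service in its Audience (what a WS-Trust exchange for that service would yield), and that the WebApp authenticates itself to the PEP with a constructed shared secret standing in for mTLS or WS-Security. The issuer and audience URLs, the `role` attribute name, `webapp-01`, `payroll-service` and the policy table are all made up for the example.

```python
"""Added example, not WSO2's code: a toy PEP for steps 4-7. It checks the calling
WebApp (trusted sub-system), validates the forwarded SAML 2.0 assertion's Issuer,
validity window and Audience, maps the role claims into a XACML request (JSON-profile
layout), asks an in-process stand-in PDP and enforces the decision. XML Signature
verification is assumed to happen first; names, URLs, secrets, policy are constructed."""
import hmac
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in practice
from datetime import datetime, timezone

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
TRUSTED_APPS = {"webapp-01": "constructed-shared-secret"}  # real PEP: mTLS or WS-Security
EXPECTED_ISSUER = "https://idp.example.com"            # constructed IdP entity ID
EXPECTED_AUDIENCE = "https://payroll.example.com"      # constructed: the service's own ID

# Constructed assertion as the PEP receives it (the XML Signature element is omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_constructed-1" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://payroll.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="role">
    <saml:AttributeValue>manager</saml:AttributeValue>
    <saml:AttributeValue>employee</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

POLICY = {("payroll-service", "read"): {"manager", "hr"},   # constructed policy for the
          ("payroll-service", "write"): {"hr"}}             # stand-in PDP: permitted roles


class AuthError(Exception):
    """Raised when the caller or the token fails a PEP check."""


def authenticate_caller(app_id, presented_secret):
    """Trusted sub-system check: the WebApp itself, not the end user, proves who it is."""
    expected = TRUSTED_APPS.get(app_id)
    if expected is None or not hmac.compare_digest(expected, presented_secret):
        raise AuthError("caller is not a trusted sub-system")


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_claims(assertion_xml, now):
    """Validate Issuer, Conditions and Audience; return (subject, {claim: [values]})."""
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", namespaces=SAML) != EXPECTED_ISSUER:
        raise AuthError("unexpected issuer")
    cond = root.find("saml:Conditions", SAML)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise AuthError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML)]
    if EXPECTED_AUDIENCE not in audiences:
        raise AuthError("assertion was not issued for this service")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML)
    claims = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", SAML)]
              for a in root.findall("saml:AttributeStatement/saml:Attribute", SAML)}
    return subject, claims


def build_xacml_request(subject, claims, resource, action):
    """Map the SAML claims onto a XACML request in the JSON-profile layout."""
    return {"Request": {
        "AccessSubject": {"Attribute": [{"AttributeId": SUBJECT_ID, "Value": subject},
                                        {"AttributeId": ROLE_ID, "Value": claims.get("role", [])}]},
        "Resource": {"Attribute": [{"AttributeId": RESOURCE_ID, "Value": resource}]},
        "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": action}]}}}


def pdp_evaluate(request):
    """Stand-in for the XACML PDP: evaluate POLICY and answer in JSON-profile shape."""
    def attr(category, attribute_id):
        hits = [a["Value"] for a in request["Request"][category]["Attribute"]
                if a["AttributeId"] == attribute_id]
        return hits[0] if hits else None
    permitted = POLICY.get((attr("Resource", RESOURCE_ID), attr("Action", ACTION_ID)))
    if permitted is None:
        return {"Response": [{"Decision": "NotApplicable"}]}
    roles = set(attr("AccessSubject", ROLE_ID) or [])
    return {"Response": [{"Decision": "Permit" if roles & permitted else "Deny"}]}


def enforce(app_id, app_secret, assertion_xml, resource, action, now):
    """The PEP: only an explicit Permit lets the call through; anything else is refused."""
    authenticate_caller(app_id, app_secret)
    subject, claims = extract_claims(assertion_xml, now)
    response = pdp_evaluate(build_xacml_request(subject, claims, resource, action))
    return response["Response"][0]["Decision"] == "Permit"


def run_demo():
    """Happy path plus the checks that must fail; returns each case's outcome."""
    ok, now = "constructed-shared-secret", datetime(2024, 1, 1, 10, 2, tzinfo=timezone.utc)
    late = datetime(2024, 1, 1, 10, 6, tzinfo=timezone.utc)
    cases = {"manager_read": (ok, "read", now), "manager_write": (ok, "write", now),
             "unknown_action": (ok, "delete", now), "untrusted_caller": ("wrong", "read", now),
             "expired_token": (ok, "read", late)}
    results = {}
    for name, (secret, action, when) in cases.items():
        try:
            results[name] = enforce("webapp-01", secret, SAMPLE_ASSERTION, "payroll-service", action, when)
        except AuthError as err:
            results[name] = str(err)
    return results
```

Calling `run_demo()` exercises five cases: the manager reading the payroll service is permitted, a write by the same user is denied, an unknown action yields NotApplicable and is therefore refused, a caller presenting the wrong secret is rejected before the PDP is consulted at all, and an assertion past its NotOnOrAfter is rejected even though the caller and the claims are fine. The enforcement rule is the one step 7 implies: nothing but an explicit Permit opens the service, and the PEP validates the token's own conditions rather than trusting the WebApp's word for them.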