Has anyone implemented such a solution? Short description:

- the app is behind AccessGateway, and its URL is protected with SecureName/Password authentication
- the app is also SAML2 integrated with the IdentityServer, and supports sending AuthnRequests and receiving AuthnReplies

A simple scenario of how it is supposed to work:

- the user enters the app URL in his browser, which resolves to the IP of the Access Gateway reverse proxy service. No communication with the app yet.
- since the URL is protected, the browser gets redirected to the Identity Server, where the SecureName/Password form is presented for the user to authenticate. No communication with the app yet.
- the user logs in successfully, then his browser gets redirected to the Access Gateway reverse proxy service. Now there is communication with the app. The app generates the AuthnRequest and sends it back with a redirect of the user's browser to the Identity Server again.
- the Identity Server receives the AuthnRequest, but since the user is already authenticated (previous step), the Identity Server sends him back the AuthnResponse right away (without asking him to log in a second time).
- the user's browser posts the AuthnRequest to the app URL (in reality it is the IP of the Access Gateway reverse proxy service), and the app logs him in and returns the requested web content.

Any general considerations against such a solution?

Cheers,
Milko
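The following is an added, self-contained Python simulation of the two-hop flow described in the post above; it is not part of Milko's post and not code from any Access Gateway or Identity Server product. The host names, cookie names, the one-time token hand-off from the Identity Server's login form back to the gateway, the username/password pair, and the use of JSON in place of deflated, signed SAML XML are all assumptions made for the simulation. It runs all three parties in-process, drives a browser-like loop through the redirects, and counts how many times the password form is shown. Beyond the flow in the post, the scenario is parameterised on the host of the IdP's SSO endpoint, because the "no second login" step depends on the browser presenting the IdP session cookie set during the gateway login: when the SSO endpoint is reachable under a different host than the login form, the same user is prompted twice.

```python
import json
import secrets
from collections import defaultdict
from urllib.parse import parse_qs, urlencode, urlparse

GATEWAY = "https://gw.example.com"  # assumed external URL of the Access Gateway reverse proxy
IDP = "https://idp.example.com"     # assumed Identity Server URL (login form and SAML SSO endpoint)
USERS = {"milko": "correct horse"}  # constructed credential for the simulation


def add_query(url, **params):
    return url + ("&" if urlparse(url).query else "?") + urlencode(params)


class IdentityServer:  # SecureName/Password form on /login, SAML2 IdP on /sso
    def __init__(self):
        self.sessions, self.tokens, self.login_prompts = {}, {}, 0

    def handle(self, req):
        url, q = urlparse(req["url"]), parse_qs(urlparse(req["url"]).query)
        user = self.sessions.get(req["cookies"].get("IDP_SESSION"))
        if url.path == "/login" and req["method"] == "GET":
            self.login_prompts += 1
            return {"status": 200, "login_form": True, "return": q["return"][0]}
        if url.path == "/login":  # POST from the password form
            if USERS.get(req["body"].get("user")) != req["body"].get("pw"):
                return {"status": 401}
            sid, token = secrets.token_hex(8), secrets.token_hex(8)
            self.sessions[sid] = self.tokens[token] = req["body"]["user"]  # assumed one-time hand-off token
            return {"status": 302, "set_cookie": ("IDP_SESSION", sid),
                    "location": add_query(req["body"]["return"], token=token)}
        authn = json.loads(q["SAMLRequest"][0])  # /sso: AuthnRequest, HTTP-Redirect binding (JSON stands in for XML)
        if user is None:  # no IdP session cookie for this host, so the user is asked to log in again
            self.login_prompts += 1
            return {"status": 200, "login_form": True, "return": req["url"]}
        saml_resp = {"InResponseTo": authn["ID"], "Destination": authn["ACS"], "NameID": user}
        return {"status": 200, "autopost": authn["ACS"],  # AuthnResponse, HTTP-POST binding
                "body": {"SAMLResponse": json.dumps(saml_resp), "RelayState": q["RelayState"][0]}}


class App:  # SAML2 SP behind the gateway; the browser only ever sees it under GATEWAY
    def __init__(self, sso_url):
        self.sso_url, self.sessions, self.pending = sso_url, {}, {}

    def handle(self, req):
        if urlparse(req["url"]).path == "/acs":  # AuthnResponse posted by the browser
            saml_resp = json.loads(req["body"]["SAMLResponse"])
            # reject unsolicited or replayed responses and ones not addressed to the external ACS URL
            if (self.pending.pop(saml_resp["InResponseTo"], None) is None
                    or saml_resp["Destination"] != f"{GATEWAY}/acs"):
                return {"status": 400}
            sid = secrets.token_hex(8)
            self.sessions[sid] = saml_resp["NameID"]
            return {"status": 302, "location": req["body"]["RelayState"], "set_cookie": ("APP_SESSION", sid)}
        user = self.sessions.get(req["cookies"].get("APP_SESSION"))
        if user is None:  # no app session yet: issue an AuthnRequest whose ACS is the gateway URL
            rid = "_" + secrets.token_hex(8)
            self.pending[rid] = True
            return {"status": 302, "location": add_query(self.sso_url, RelayState=req["url"],
                                                          SAMLRequest=json.dumps({"ID": rid, "ACS": f"{GATEWAY}/acs"}))}
        return {"status": 200, "content": f"hello {user}"}


class AccessGateway:  # reverse proxy: nothing reaches the app until a gateway session exists
    def __init__(self, idp, app):
        self.idp, self.app, self.sessions = idp, app, {}

    def handle(self, req):
        url, q = urlparse(req["url"]), parse_qs(urlparse(req["url"]).query)
        if "token" in q:  # back from the Identity Server's form; redeem the token (assumed back channel)
            sid = secrets.token_hex(8)
            self.sessions[sid] = self.idp.tokens.pop(q["token"][0])
            return {"status": 302, "location": f"{GATEWAY}{url.path}", "set_cookie": ("GW_SESSION", sid)}
        if req["cookies"].get("GW_SESSION") not in self.sessions:
            return {"status": 302, "location": add_query(f"{IDP}/login", **{"return": f"{GATEWAY}{url.path}"})}
        return self.app.handle(req)  # proxied; cookies the app sets land on the gateway host


def browse(start_url, creds, servers, max_hops=20):  # browser: redirects, login form, SAML auto-POST
    jar, trail = defaultdict(dict), []  # cookie jar keyed by host, like a real browser
    req = {"method": "GET", "url": start_url, "body": {}}
    for _ in range(max_hops):
        host = urlparse(req["url"]).netloc
        req["cookies"] = jar[host]
        resp = servers[host].handle(req)
        trail.append((req["method"], req["url"].split("?")[0], resp["status"]))
        if "set_cookie" in resp:
            jar[host][resp["set_cookie"][0]] = resp["set_cookie"][1]
        if resp["status"] == 302:
            req = {"method": "GET", "url": resp["location"], "body": {}}
        elif resp.get("login_form"):  # the user types SecureName/Password into the form
            form = urlparse(req["url"])._replace(path="/login", query="").geturl()
            req = {"method": "POST", "url": form, "body": {**creds, "return": resp["return"]}}
        elif resp.get("autopost"):  # the browser auto-submits the AuthnResponse to the ACS
            req = {"method": "POST", "url": resp["autopost"], "body": resp["body"]}
        else:
            return resp, trail
    raise RuntimeError("too many hops")


def run_scenario(sso_base=IDP):  # returns (final response, hop trail, number of login prompts)
    idp = IdentityServer()
    app = App(f"{sso_base}/sso")
    servers = {urlparse(GATEWAY).netloc: AccessGateway(idp, app),
               urlparse(IDP).netloc: idp, urlparse(sso_base).netloc: idp}
    final, trail = browse(f"{GATEWAY}/app", {"user": "milko", "pw": "correct horse"}, servers)
    return final, trail, idp.login_prompts
```

`run_scenario()` reproduces the post's sequence in eight hops with exactly one password prompt: the AuthnRequest arrives at the same host that set `IDP_SESSION`, so the IdP answers it immediately. `run_scenario("https://sso.example.com")` keeps the same IdP instance but serves the SSO endpoint from another host; the browser has no cookie for it, and the login form appears a second time. Two details of the SP side are worth keeping when moving from the simulation to a real deployment: the AssertionConsumerServiceURL in the AuthnRequest must be the gateway's external URL, not the app's internal address, and the app should only accept responses whose InResponseTo matches a request it issued.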