My company has applications on the cloud and on the intranet. We also have various roles such as employees, customers, partners, etc. We would like ID federation between services hosted on the public cloud and internal applications. The following scenarios are possible:
- Employee accessing cloud services from intranet
- Employee, customers, partners accessing cloud services from internet
- Cloud hosted services accessing data services hosted internally on corporate network
- Employee, customers, partners accessing web applications/services hosted internally on corporate network from internet.
- Employee, customers, partners accessing web applications/services hosted internally on corporate network from intranet.
Whenever access is from the internet to either internally hosted applications or cloud-based applications, SSO should be established via multi-factor authentication, but if the same applications are accessed from the intranet, either userid/password is enough or, if the user is an employee, the company SSO should be federated to the cloud-based services/applications.
We are debating whether there are any pros or cons to having two identity providers, one deployed in the DMZ and the other in the internal network. The one in the DMZ will enforce access going from the intranet to cloud-based services, and users accessing cloud-based services from the internet will be federated to this IdP. Also, users from the internet trying to access internal applications will be multi-factor authenticated by this IdP in the DMZ. The IdP inside the internal network is used only for employees accessing intranet applications.
My question is: is the above kind of dual-IdP setup a standard way to allow access? What is the harm of having only one IdP?
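Whichever topology is chosen, the rule in the question (MFA for internet-originated access, password or federated SSO from the intranet) only holds if the application consuming the SSO assertion can tell how the user was authenticated and where the request came from. The following is an added example, not code from the original post, showing a relying party enforcing that rule against a single IdP by inspecting the authentication-method claim of an OpenID Connect ID token; it goes slightly beyond the post by showing the relying-party side rather than the IdP side. Assumptions not in the post: the IdP emits an `amr` claim with RFC 8176 method values, the intranet is identified by RFC 1918 source addresses, and the issuer/audience strings and token contents are constructed.

```python
"""Relying-party policy check: does the SSO assertion carry the authentication
strength the source network requires?

Added illustration for the question above; not code from the original post.
Assumptions (not from the post): the IdP issues OpenID Connect ID tokens whose
"amr" claim lists the methods used (values per RFC 8176); the intranet is
identified by RFC 1918 source addresses; signature verification of the token
has already been done by an OIDC library before this policy layer runs.
"""
import ipaddress
import time

# Constructed: address ranges the relying party treats as "intranet".
# This is only trustworthy if the source address comes from a hop the app
# controls (its own load balancer); a client-supplied forwarded header is not.
INTRANET_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

EXPECTED_ISSUER = "https://idp.example.internal"  # constructed
EXPECTED_AUDIENCE = "cloud-app"                   # constructed

# RFC 8176 "amr" values grouped by factor class; two classes make MFA.
FACTOR_CLASS = {
    "pwd": "knowledge", "pin": "knowledge",
    "otp": "possession", "hwk": "possession", "sms": "possession",
    "swk": "possession", "tel": "possession",
    "fpt": "inherence", "face": "inherence", "iris": "inherence",
    "vbm": "inherence", "retina": "inherence",
}


def classify_source(ip):
    """'intranet' if the address is inside a configured internal range."""
    addr = ipaddress.ip_address(ip)
    return "intranet" if any(addr in net for net in INTRANET_NETWORKS) else "internet"


def is_mfa(amr):
    """True if the IdP asserted 'mfa' outright, or methods from >= 2 factor classes.

    Two methods of the same class (e.g. pwd + pin) are not multi-factor.
    """
    methods = set(amr or [])
    if "mfa" in methods:
        return True
    classes = {FACTOR_CLASS[m] for m in methods if m in FACTOR_CLASS}
    return len(classes) >= 2


def authorize(claims, source_ip, now=None):
    """Return (allowed, reason) for an already signature-verified token."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "token expired"

    amr = claims.get("amr", [])
    if classify_source(source_ip) == "internet":
        # Rule from the post: anything arriving from the internet needs MFA.
        if not is_mfa(amr):
            return False, f"internet access requires MFA, token asserts {sorted(set(amr))}"
        return True, "internet + mfa"
    # Intranet: password-only (or federated SSO) is acceptable per the post,
    # but the IdP must still say how the user authenticated.
    if not amr:
        return False, "token asserts no authentication method"
    return True, "intranet + " + ",".join(sorted(set(amr)))


# Constructed ID-token claim sets (signatures assumed verified, not shown).
NOW = 1_700_000_000
_BASE = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": NOW + 300, "sub": "alice"}
TOKEN_PWD_ONLY = {**_BASE, "amr": ["pwd"]}
TOKEN_PWD_OTP = {**_BASE, "amr": ["pwd", "otp"]}
TOKEN_MFA_FLAG = {**_BASE, "amr": ["mfa"]}

if __name__ == "__main__":
    for label, token, ip in [
        ("internet, password only", TOKEN_PWD_ONLY, "203.0.113.7"),
        ("internet, password + OTP", TOKEN_PWD_OTP, "203.0.113.7"),
        ("intranet, password only", TOKEN_PWD_ONLY, "10.20.30.40"),
    ]:
        print(label, "->", authorize(token, ip, now=NOW))
```

The same check works whether one IdP or two issue the tokens: what matters is that the application refuses an internet-originated session whose assertion does not prove a second factor, rather than trusting that "the DMZ IdP must have done MFA". If two IdPs are used, `EXPECTED_ISSUER` becomes a per-issuer allow list and each issuer's keys are pinned separately.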