Federated authentication (SSO) and Service Provider maintained sign in can co-exist in the system, but this has account management problems. Consider your HR system has the following.
For example, when an employee leaves the organization, it is required to delete him from both places manually. This is error prone.
In order to overcome this problem, it is better if the system can give an option to disable maintaining passwords at their end, when there is an external IdP.
When an organization decides that they want federated authentication only, the system must provide a way to disable local authentication mechanisms. This means,
- Show only the Identity Provider Sign In option in login screen
- Forgot password link is not there in system login screen
- Existing passwords get scrambled
- Users cannot reset passwords from the their profile
Now comes the interesting question, how is my mobile app going to work? It can be done in One of the two ways.
- Users can go to profile and generate a pin number for the mobile app
- Implement SSO for mobile app. Here SAML based SSO is challenging because it is based on browser redirects but Native SSO support is available based on OIDC (Open ID Connect ) and OAuth