SSO across access-ci.org sites

[jbasney]

The current state of ACCESS Web SSO is:

• idp.access-ci.org maintains an SSO session, so users do not need to enter password with Duo multiple times.
• cilogon.org shows ACCESS branded pages with the ACCESS CI IdP selected by default
• cilogon.org maintains an SSO session per site (i.e., a separate session for operations.access-ci.org and support.access-ci.org)

This feature request is for cross-site SSO, as follows:

• The user clicks "sign in" on operations.access-ci.org and goes through the usual sign in process.
• Then the user clicks "sign in" on support.access-ci.org and signs in without any cilogon.org landing page. Bypassing the cilogon.org landing page during this step is the new feature that's not yet implemented.

Note that this will apply only to access-ci.org sites. Sites on other domains using ACCESS authentication will still see the cilogon.org landing page (for consent purposes).

In any case, users will always have the option to check the "Remember this selection" checkbox to bypass the cilogon.org landing page.

[jbasney]

CILogon update planned for Mon Oct 17: https://cilogon.statuspage.io/incidents/hm97jc36qspy

[jbasney]

CILogon is now doing SSO for access-ci.org sites.