OpenConext / Mujina

A mock IDP and SP using the OpenSAML library


Implementing Mujina as the IDP for a Dockerized Front-end application as the SP

ambekars opened this issue · comments

We are currently working on a Dockerized front-end web application setup, which queries two different Documentum application (content management) repositories and merges the result-set on the front-end application. We want to enable SSO for this application using Mujina for our dev/testing environment. As we understand, we need to have pre-defined roles configured within Mujina and users need to be part of those roles in order to log in using SSO. The two back-end applications have separate roles, users and groups defined and the user should have proper permissions in order to return results in the query from their respective repository. In this scenario, do our two back-end applications need to have a common role defined, or can SAML 2.0 be configured with two separate roles with a common cert in the SP and IDP applicable for both scenarios?
Please advise.

The whole idea of using a SAML IdP is that the users are maintained / identified by the IdP. Normally an SP would provision new users and / or recognise existing users after a successful authentication response is sent back by the IdP to the SP. If the two back-end applications have their own users and groups defined independent of the IdP then this is not a scenario where SAML SSO is applicable.

Hi Okke, thanks for the note. To clarify further on my query: though both back-end applications have their own users and groups (they are essentially the same users), they both get synced through LDAP. The two back-end applications typically have their own front-ends as well (not applicable for this scenario, wherein we are implementing Mujina too - that's a typical SP-initiated flow, from individual applications authenticating via the Mujina IDP). In this case, we have a front-end client sitting on top of both application repositories and providing a search result-set by joining the results from both back-end repositories. The only mandatory requirement we have here is that the user needs to be logged in and authenticated automatically by both back-end repositories when he logs into this front-end, and the result set will only show when he achieves authentication from both repositories. Partial authentication based on either one of them should not show any search results and should throw an authentication error. Can one IDP be used to have the user logged in to this front-end, where the user can be a member of both back-end repositories? Hope this provides a better perspective for my query. Please advise.
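What an SP does with a successful IdP response (the provisioning / recognition step the reply above describes), combined with the all-or-nothing authorization the follow-up asks for, as an added example that is not part of this thread and not Mujina's or OpenSAML's code. It assumes the SAML stack has already validated the response's signature, issuer, audience and time conditions before this code sees it (this snippet performs none of that and must not be used in its place), and it assumes a hypothetical role attribute name `urn:example:roles` and hypothetical role names `repoA_reader` / `repoB_reader`; the sample response is constructed, not a real Mujina message.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# SAML 2.0 namespaces used for namespace-aware lookups (never match on bare tag names).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical attribute under which the IdP releases group/role memberships (assumption).
ROLE_ATTRIBUTE = "urn:example:roles"

# Role each back-end repository requires; the names are assumed for illustration.
REQUIRED_ROLES = {
    "repo_a": "repoA_reader",
    "repo_b": "repoB_reader",
}

# Constructed sample response, as it would look *after* the SAML library has already
# verified the XML signature, Issuer, Audience and NotBefore/NotOnOrAfter conditions.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://mock-idp.example</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:example:roles">
        <saml:AttributeValue>repoA_reader</saml:AttributeValue>
        <saml:AttributeValue>repoB_reader</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:example:mail">
        <saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


@dataclass
class Principal:
    """The identity the SP derives from one assertion: subject plus released attributes."""
    name_id: str
    attributes: dict[str, list[str]]


def parse_response(xml_text: str) -> Principal:
    """Extract the subject and attributes from an already-validated SAML Response."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report a successful authentication")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        # Refuse ambiguous responses rather than silently picking one assertion.
        raise ValueError(f"expected exactly one assertion, got {len(assertions)}")
    assertion = assertions[0]
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise ValueError("assertion carries no NameID")
    attributes: dict[str, list[str]] = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name", "")] = values
    return Principal(name_id, attributes)


def provision(user_store: dict[str, Principal], principal: Principal) -> str:
    """Just-in-time provisioning: create the local account on first login, refresh it later."""
    action = "updated" if principal.name_id in user_store else "created"
    user_store[principal.name_id] = principal
    return action


def authorize(principal: Principal) -> dict[str, bool]:
    """Per-repository decision, driven only by roles the IdP asserted for this principal."""
    roles = set(principal.attributes.get(ROLE_ATTRIBUTE, []))
    return {repo: needed in roles for repo, needed in REQUIRED_ROLES.items()}


def may_search(principal: Principal) -> bool:
    """All-or-nothing gate: the merged search runs only when every repository admits the user."""
    return all(authorize(principal).values())


if __name__ == "__main__":
    store: dict[str, Principal] = {}
    user = parse_response(SAMPLE_RESPONSE)
    print(provision(store, user), user.name_id, authorize(user), may_search(user))
```

The decision is taken once on the front-end, from the single assertion, rather than by logging the user in to each repository separately; a user who holds only one of the two roles is rejected outright, which is the "partial authentication shows nothing" behaviour the follow-up describes.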