In our enterprise application the WPF client is communicating with services using Client certificates. There are a few Server processes running and they authenticate and authorize WPF clients by using client certificates (There is no IIS service).
Now we are in the process of creating a Xamarin Forms/iOS app, and there is an IIS service as a middle man to talk to the enterprise services. So there are a couple of security layers for the mobile app. Only domain/authorized users can talk to the IIS service. So, the mobile client needs to be able to talk to IIS, then IIS should be able to identify the user, and then it needs to pass the appropriate client certificates to the other services. Unfortunately this is the complex security system we have at the moment, and it seems to be difficult.
I am just wondering if you have any experience with such enterprise applications, and what’s the best way to handle such security layers?