Thank you guys for the responses. In the end, we've decided to control the authentication with one cookie and, for each application, we test if that cookie is set or if the application is logged in.
When the user loads the page, the application will check for a specific cookie (a cookie saying that somewhere else, that user is authenticated). If the cookie is set, it will log in to Gluu for the current application. Otherwise, it will ignore it and let the user surf anonymously. The cookie is set when the user gets authenticated in the application. There is a condition like this:
```
if (application.HasUserSession() && !isLoginCookieSet()) then
    setLoginCookie();
else if (isLoginCookieSet() && !application.HasUserSession()) then
    // Application will call gluu
    gluuAuthentication();
end;
```
The steps for a non-authenticated user will be:
1. Open Application as Anonymous (Fail to verify user and cookie).
2. Click login (redirect to Gluu).
3. SAML2 authentication process then redirected back to Application.
4. On page load, Application checks if there is a user in its session (if there is a user, it will set the cookie).
5. User logged-in.
The steps for a user authenticated in another application will be:
1. Open Application as Anonymous (Verified cookie, but no application session).
2. The application will redirect to Gluu authentication.
3. SAML2 authentication process then redirected back to Application.
5. User logged-in.
If you guys have any suggestions, we would much appreciate them.
Thanks again.
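
The two flows described in the post, run against a mock as an added example that is not part of the original post or of Gluu's code. The cookie name `sso_hint`, the `Gluu` and `App` classes, and the stale-cookie guard (dropping the cookie when Gluu reports no session) are assumptions made for illustration; the cookie is treated only as a hint, and an application session is created only after Gluu returns a user.

```javascript
// Constructed model: Gluu is reduced to a map of browser -> user; SAML2 messages
// and signature validation are not modelled.
const HINT = "sso_hint"; // hypothetical name for the shared "logged in elsewhere" cookie

class Gluu {
  constructor() { this.sessions = new Map(); }
  login(b, user) { this.sessions.set(b.id, user); }           // interactive login at Gluu
  authenticate(b) { return this.sessions.get(b.id) ?? null; } // SAML2 round trip result
}

class App {
  constructor(gluu) { this.gluu = gluu; this.sessions = new Map(); }
  hasUserSession(b) { return this.sessions.has(b.id); }
  // The page-load condition from the post, plus an assumed stale-hint guard.
  onPageLoad(b) {
    const hint = b.cookies.has(HINT);
    if (this.hasUserSession(b) && !hint) {
      b.cookies.add(HINT);
    } else if (hint && !this.hasUserSession(b)) {
      const user = this.gluu.authenticate(b); // redirect to Gluu and back
      if (user) this.sessions.set(b.id, user);
      else b.cookies.delete(HINT);            // no Gluu session: drop hint, stay anonymous
    }
    return this.sessions.get(b.id) ?? "anonymous";
  }
  // "Click login": Gluu authenticates the user, the app creates its session on return.
  clickLogin(b, user) {
    this.gluu.login(b, user);
    this.sessions.set(b.id, this.gluu.authenticate(b));
    return this.onPageLoad(b);
  }
}

function runFlows() {
  const gluu = new Gluu();
  const appA = new App(gluu), appB = new App(gluu);
  const b = { id: "browser-1", cookies: new Set() };   // cookie jar shared by both apps
  const out = {};
  out.firstVisit = appA.onPageLoad(b);                 // flow 1, step 1
  out.afterLogin = appA.clickLogin(b, "alice");        // flow 1, steps 2-5
  out.hintSet = b.cookies.has(HINT);
  out.otherApp = appB.onPageLoad(b);                   // flow 2: hint set, no session in B
  const stale = { id: "browser-2", cookies: new Set([HINT]) }; // hint without Gluu session
  out.staleHint = appB.onPageLoad(stale);
  out.staleCleared = !stale.cookies.has(HINT);
  return out;
}

console.log(runFlows());
```

Without the stale-hint guard, a browser that keeps the cookie after its Gluu session ends would be sent to Gluu on every page load.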