SSO Module

Edition

DX Core

License

MLA

Issues

MGNLSSO

Maven site

SSO

Latest

3.0.1

The SSO module handles authentication for the instance on which it is installed. Read this page carefully and test the module on a development environment before proceeding to ensure installation does not break your instance.

The Magnolia SSO (single sign-on) module delegates authentication from a Magnolia instance to an OpenID Connect identity and access management application. The current iteration of the module has been successfully tested with open source Keycloak and cloud identity management software Okta, but all providers that follow the protocol should also be supported.

As Magnolia is already capable of full-fledged security, the intent is to only replace the authentication mechanism. A user on a third-party system with roles and groups is mapped to the equivalent Magnolia user roles and groups.

The SSO module version 3.0.0+ is compiled with Java 11, so you need Java 11 or higher for runtime.

Installing with Maven

Maven is the easiest way to install the module. Add the following to your bundle:

<dependency>
  <groupId>info.magnolia.sso</groupId>
  <artifactId>magnolia-sso</artifactId>
  <version>3.0.1</version>
</dependency>

Prerequisites

A running Open ID Connect (OIDC) IAM instance on which you have administrative rights is required for the setup to work. Any IAM instance should work, as long as it is configured in the manner described in this document.

If using Keycloak: Keycloak’s own Server Administration Guide is an excellent resource to help with configuring the properties that’ll get brought up below.

If you use Keycloak and intend to deploy it by code, then take a look at the SsoModuleIT class and the module’s test Docker Compose setup. The module’s integration tests configure Keycloak from scratch.

Prerequisite Description

Prerequisite	Description
a user	required Its username and password are used to access Admincentral. It should have names as well as an email.
a group	required When the user logs in, it has to belong to at least one group defined in the group mappings. That’s how the necessary access to Magnolia is granted.
an OIDC client	required With the following properties:
a name	required Must be the same as the one used in the YAML configuration of the module.
the `openid-connect` protocol	required
a confidential access type	required This is required to generate credentials.
credentials	required Those must be shared with the YAML configuration of the module.
a redirect URI	required That points back to Magnolia, e.g. `http://localhost:8080/*`.
a Group Membership mapper	required By convention, this is required in order to include the user’s groups in the `groups` property, see GroupsAuthorizationGenerator. Without this data, a user won’t be assigned any Magnolia permission, and hence won’t be able to go past the login screen. Here’s how to configure the mapper in various applications: Okta Azure Keycloak

a user

required

Its username and password are used to access Admincentral. It should have names as well as an email.

a group

required

When the user logs in, it has to belong to at least one group defined in the group mappings. That’s how the necessary access to Magnolia is granted.

an OIDC client

required

With the following properties:

a name

required

Must be the same as the one used in the YAML configuration of the module.

the openid-connect protocol

required

a confidential access type

required

This is required to generate credentials.

credentials

required

Those must be shared with the YAML configuration of the module.

a redirect URI

required

That points back to Magnolia, e.g. http://localhost:8080/*.

a Group Membership mapper

required

By convention, this is required in order to include the user’s groups in the groups property, see GroupsAuthorizationGenerator. Without this data, a user won’t be assigned any Magnolia permission, and hence won’t be able to go past the login screen. Here’s how to configure the mapper in various applications:

Okta
Azure
Keycloak

okta

azure

keycloak

Configure via yaml

This section explains how to configure the SSO module for Magnolia 6.2. It focuses on configuring the setup for an OIDC provider. This has to be done with a resource file located in /magnolia-sso/config.yaml.

From version 3.x, the SSO module no longer supports configuration via a YAML decorator.

Create config.yaml under <magnolia.resources.dir>/magnolia-sso/.

Take a look at the full .yaml file here. Required steps are marked with callouts. We’ll step through each part of it in the subsequent steps.

config.yaml

path: /.magnolia/admincentral (1)
callbackUrl: http://localhost:8080/.auth (1)
postLogoutRedirectUri: http://localhost:8080/.magnolia/admincentral
authorizationGenerators: (1)
  - name: fixedRoleAuthorization
    fixed:
      targetRoles:
        - superuser
      targetGroups:
        - …
  - name: groupsAuthorization
    groups:
      mappings:
        - name: magnolia-sre
          targetGroups:
            - publishers
          targetRoles:
            - …
clients: (1)
  oidc.id: 0o...x7
  oidc.secret: aK...th6
  oidc.clientAuthenticationMethod: client_secret_basic
  oidc.scope: openid profile email
  oidc.discoveryUri:  https://YOUR_URI/oauth2/aus...0x7/.well-known/openid-configuration
  oidc.preferredJwsAlgorithm: RS256
  oidc.authorizationGenerators: groupsAuthorization

userFieldMappings: (1)
  name: preferred_username
  removeEmailDomainFromUserName: true
  removeSpecialCharactersFromUserName: false
  fullName: name
  email: email
  language: locale

1	Required fields.

Specify the path: where where you want to use the SSO Module. Typically, this is /.magnolia/admincentral.
```
path: /.magnolia/admincentral
...
```
Specify the callbackUrl. This consists of the instance’s absolute URL (the defaultBaseUrl, http://localhost:8080 below) and the relative path to the SSOCallbackServlet (/.auth).
```
path: /.magnolia/admincentral
callbackUrl: http://localhost:8080/.auth (1)
...
```
1 defaultBaseURL is the default base URL of the server root. It can be found at config/server/defaultBaseUrl in Magnolia. See Configuration management. For more details, see Field descriptions.
If desired, set a postLogoutRedirectUri. This is optional and is the URI to which users are redirected after logging out.
```
path: /.magnolia/admincentral
callbackUrl: http://localhost:8080/.auth
postLogoutRedirectUri: http://localhost:8080/.magnolia/admincentral (1)
...
```
1 If undefined, it goes back to the user’s current URL. For more details, see Field descriptions.

List the authorizationGenerators. This defines the groups and roles for your client.

path: /.magnolia/admincentral
callbackUrl: http://localhost:8080/.auth
postLogoutRedirectUri: http://localhost:8080/.magnolia/admincentral
authorizationGenerators: (1)
  - name: groupsAuthorization
    groups:
      mappings:
        - name: magnolia-sre
          targetGroups:
            - publishers
          targetRoles:
            - …

1	This step simply defines your mappings. You need to call it inside your `clients:` configuration in this `config.yaml` to use it. For more details, see Field descriptions.

Set the following under clients:

...
clients:
  oidc.id: 0o...x7 (1)
  oidc.secret: aK...th6 (1)
  oidc.clientAuthenticationMethod: client_secret_basic (2)
  oidc.scope: openid profile email (3)
  oidc.discoveryUri:  https://YOUR_URI/.well-known/openid-configuration (4)
  oidc.preferredJwsAlgorithm: RS256 (5)
  oidc.authorizationGenerators: groupsAuthorization (6)

  oidc.id.2: 0o...g3 (7)
  oidc.secret.2: l3...jE3
  oidc.clientAuthenticationMethod.2: client_secret_basic
  oidc.scope.2: openid profile email
  oidc.discoveryUri.2:  https://YOUR_URI/.well-known/openid-configuration
  oidc.preferredJwsAlgorithm.2: RS256
  oidc.authorizationGenerators.2: groupsAuthorization

1	You’ll find the `id` and `secret` with your OIDC provider configuration.
2	Defines how the client credentials (client ID and secret) are passed to the token endpoint. Supported methods are: `client_secret_basic`, `client_secret_post` and `private_key_jwt`.
3	Defines the user data that the Magnolia instance should be allowed to request from OIDC. For more on `scope`, see here. The `openid`, `profile`, and `email` scopes are mandatory. For more details, see Field descriptions.
4	The IAM instance’s auth endpoint URL. This must be tweaked according to your OIDC provider.
5	The `preferredJwsAlgorithm`. This is typically `RS256.`
6	Defines the authorization generator names to use for the client as set in the `authorizationGenerators` section in this `config.yaml` file. For more details, see Field descriptions.
7	Define a second client with the `.2` suffix. For more details, see Field descriptions.

Update your custom field mappings under userFieldMappings property. For more details, see Field descriptions.

...
userFieldMappings:
  name: email (1)
  removeEmailDomainFromUserName: true (2)
  removeSpecialCharactersFromUserName: false (3)
  fullName: name
  email: email
  language: locale

1	Required `name` is a required field for the Magnolia User. Typically the value that you get from the Oidc profile attribute name is `preferred_username` or `email`.
2	Optional `removeEmailDomainFromUserName` is `true` by default. This is a built-in formatter to remove the email domain from the name attribute (e.g., `test-user@domain.com` will be `test-user` if this config is set to `true`).
3	Optional `removeSpecialCharactersFromUserName` is `false` by default. This is a built-in formatter to remove all special characters from the attribute except dots, hyphens, and underscores.

Field descriptions

Callout Description

path

Required Describes on which path the SSO module should kick in. /.magnolia/admincentral is the default for most cases.

callbackUrl

Required The URL of Magnolia’s callback servlet. This URL is made up of the instance’s absolute URL (in this case, http://localhost:8080) as well as the relative path to SSOCallbackServlet, which is /.auth by default.

Since SSO Module 1.1.1, if the supplied callbackUrl is a relative path, it is automatically prefixed with the instance’s defaultBaseUrl property. This requires the property to be properly defined in the first place. All users including anonymous must have access to /.auth. From SSO module 2.0.3, this is possible by assigning users the sso-redirect-uri-authorizer role.

postLogoutRedirectUri

Optional The URI to where the user is returned after logging out. If the property is not defined, it falls back to the user’s current URL. This must be an absolute URL.

Property defined: Jane is working on http://localhost:8080/.magnolia/admincentral and she logs out. Jane is redirected to http://localhost:8080/.magnolia/admincentral/logout.
Property not defined: Jane is working on http://localhost:8080/.magnolia/admincentral and she logs out. Jane is redirected back to http://localhost:8080/.magnolia/admincentral.

authorizationGenerators

Required A list of configured authorization generators as part of a specified client. Currently, we support both Fixed and Group authorization. After defining these here, you need to call them in the clients: field in this config.yaml file.

Groups generator
Fixed role generator

This generator should be used when different security levels in the IDP should be mapped to equivalent Magnolia roles and groups. Given a user’s groups on a third-party IAM management instance, the generator maps the group(s) to one or multiple Magnolia roles. The following example assigns the superuser role to a group of administrators.

authorizationGenerators:
  - name: groupsAuthorization
    groups:
      mappings:
        - name: magnolia-sre
          targetGroups:
            - publishers
          targetRoles:
            - …

When working with Azure Active Directory, group IDs (rather than names) must be used. To increase transparency, add the actual group’s name as a comment. See the following example.

authorizationGenerators:
  groups:
    mappings:
      - name: ea0b1d9f-c8fc-4b99-9f76-8a92abbbb496: # sysadmins
        targetRoles:
          - …

The fixed role generator gives all users the same permissions.

authorizationGenerators:
  - name: fixedRoleAuthorization
    fixed:
      targetRoles:
        - superuser
      targetGroups:
        - …

This generator shouldn’t be used in production but it can be a good starting point for settings things up or where group mappings aren’t possible. For instance, with Google Cloud, where manual verification of the application must happen before the user’s groups can be queried.

clients

Required A set of properties for different clients (Oidc and DirectBearerAuthClient with oidc and http.bearer prefix respectively). This is where you define the client IDs, secrets, and scopes. You can enter multiple clients here as shown in the example. Each client requires a name, secret, clientAuthenticationMethod, scope, discoveryUri, authorizationGenerators and authenticator (only requires for Pac4j’s DirectBearerAuthClient with http.bearer properties prefix) as shown below.

You can define multiple clients of the same type by adding a number at the end of the properties: oidc.id.2, http.bearer.id.2.

http.bearer client

An http.bearer client can be configured to support a use case like getting resources or content from Magnolia via REST calls with Bearer authentication. Check out the Okta concepts docs for more details: Resource Owner Password flow and Client Credentials flow. Find out more in Pac4j Clients concepts.

clients:
  http.bearer.id: 0oa1imrwonnyHpIvI0x7
  http.bearer.secret: aKzLmsj...tIL8HKkh6
  http.bearer.clientAuthenticationMethod: client_secret_basic
  http.bearer.scope: openid profile email
  http.bearer.discoveryUri:  https://YOUR_URI/oauth2/aus...0x7/.well-known/openid-configuration
  http.bearer.preferredJwsAlgorithm: RS256
  http.bearer.authorizationGenerators: fixedRoleAuthorization
  http.bearer.authenticator: oidc-userinfo

oidc client field description

id

The client ID. You get this from your OIDC provider configuration.

secret

The client secret. You get this from your OIDC provider configuration.

clientAuthenticationMethod

Defines how the client credentials (client ID and secret) are passed to the token endpoint.

Supported methods (values):

client_secret_basic
client_secret_post
private_key_jwt

scope

Defines the user data that the Magnolia instance should be allowed to request from OIDC.

The openid, profile, and email scopes are mandatory in order for Magnolia to create a user account with basic information about the user. For users that implement refresh tokens with Azure, you can add the offline_access scope as well.

discoveryUri

The IAM instance’s auth endpoint URL.

This must be tweaked according to your project.

authorizationGenerators

Defines the authorization generator names to use for the client. Refer to the name of the configured authorization generators.

You can define multiple authorization generators separated by commas, e.g.,: groupsAuthorization, editorGroupsAuthorization

authenticator

The HTTP clients require that you define an Authenticator to handle the credentials validation.

This property is required for the http.bearer properties prefix only. It only supports 2 authenticators. Possible values for this property are: oidc-userinfo and token-introspection.

oidc-userinfo: This UserInfoOidcAuthenticator is provided by Pac4j which authenticates the request with a Bearer Token using the Oidc UserInfo endpoint.
token-introspection: This implementation of Authenticator will authenticate the request with a Bearer Token using the Token Introspection endpoint. Please note that some Identity providers (IdP) do not support the Token Introspection endpoint, please make sure it is fully supported before configuring this authenticator.

userFieldMappings

Required

Authentication services use different attribute names for user information. Because of this, it is necessary to map the retrieved response to a standard set of user attributes used within the SSO module. This contains key-value pair mappings where the key is the property name which will be stored within the properties of Magnolia’s info.magnolia.cms.security.ExternalUser and the value is the attribute name in the OIDC profile.

If the identity provider does not return a name attribute in the OIDC profile, Magnolia deduces it from the email attribute by excluding the domain.

Where fabien@example.com becomes fabien.

Configure JAAS

The instance’s JAAS configuration (see JAAS security set up) must be edited and only contain the following:

JAAS configuration

sso-authentication {
  info.magnolia.sso.jaas.SsoAuthenticationModule requisite;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};

SSO Module compatibility

Module version Third-party APIs tested against

3.0

Keycloak 16.1.1

See here for more on Keycloak 16.1.1.

2.0

Azure Active Directory

We exclusively support the 2.0 version of the endpoint. This means the URL should look like https://login.microsoftonline.com/…/v2.0/.well-known/openid-configuration.

2.0

Google Cloud Identity

1.1

Keycloak 9.0.3

1.1

Okta 2021.03.3+