SSO module changelog

Magnolia SSO 4.0.0 is in beta with Magnolia 6.3.

We are updating docs based on development and feedback. Consider the beta docs currently in a state of progress and not final.

The changelog gives you an overview of the changes made to the SSO module at each release.

This changelog covers the 4.0.x branch of the SSO module. For the 3.1.x changelog, see here.


Not yet publicly released

This release lets you connect with multiple identity providers and ensures access to your Magnolia instance by allowing your SSO system to fall back to Magnolia users stored in the JCR when required.

Ticket Type Description


Ability to use default Magnolia login as well as SSO login. See Configuring a fallback login.


Add support for authorisation of web pages.


Introduce a new SsoLoginHandler for delegating requests to Pac4j.

Upgrading from SSO 3.1.x to 4.0.0

SSO 4.0.x module introduces several important updates and requirements.

Each section below details specific actions and modifications needed to ensure a smooth upgrade and continued functionality.

Make sure you test the upgraded module on a development environment before proceeding.


SSO 4.0.x is compatible with Magnolia CMS 6.2.44 and later, including Magnolia CMS 6.3.x. When you upgrade to SSO module 4.0.0, you must also upgrade Magnolia to v6.2.44 or later.

Magnolia 6.2.44 brings required changes (MAGNOLIA-9200) to the interface and centralizes the login and logout logic into the handlers, which are configured under

Configuration changes

If you use SSO 3.1.x and upgrade to 4.0.x, you must update your configuration in your /magnolia-sso/config.yaml file or the module won’t start.

You must remove the following properties:

  • path

  • postLogoutRedirectUri

Removed classes

SSO 4.0.0 removes the following classes:

  • info.magnolia.sso.SsoLoginFilter

  • info.magnolia.sso.SsoLogoutFilter

If you have a custom implementation based on these classes, you must change it.

Enabling the JCR-based fallback login

If you plan to make use of the optional fallback login functionality provided in SSO 4.0.0, we recommend updating your JAAS configuration during the upgrade process because making changes to your jaas.config file requires you to restart the instance.

While updating the jaas.config file is not necessary for SSO to function correctly, it’s required to enable the JCR-based fallback functionality.

For SSO Login Extension module users

The sso-login-extension incubator module can’t be installed with SSO 4.0.0 and later. You must adapt your configuration to replace the functionality previously offered by the sso-login-extension incubator module with the equivalent functionality in SSO 4.0.0.

  1. Uninstall the sso-login-extension module.

  2. Edit your jaas.config file so that it looks like this:

    sso-authentication {
      info.magnolia.sso.jaas.SsoAuthenticationModule requisite;
      info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
  3. Revert your configuration to this:

    /server/filters/login/class = info.magnolia.sso.SsoLoginFilter
    /server/filters/securityCallback/clientCallbacks/magnolia-sso/class = info.magnolia.sso.UserInitiatedRedirectClientCallback

    Since it is a change in the configuration of the login, you need to use a groovy script or do it in rescue mode.

  4. Remove the following dependency from your project:

  5. Install SSO module 4.0.x.

  6. Reconfigure the SSO module to achieve the same behavior as before.

    The sso-login-extension incubator module uses a JCR configuration to define the paths to be protected on login. In contrast, the SSO module uses roles that deny access to a specific part of the site, effectively protecting them during login.


DX Core



This widget lets you know where you are on the docs site.

You are currently perusing through the SSO module docs.

Main doc sections

DX Core Headless PaaS Legacy Cloud Incubator modules
6.3 beta

Magnolia 6.3 beta

Magnolia 6.3 is in beta. We are updating docs based on development and feedback. Consider the 6.3 docs currently in a state of progress and not final.

We are working on some 6.3-beta known issues during this phase.