SSO module changelog
The changelog gives you an overview of the changes made to the SSO module at each release.
This changelog covers the 4.0.x branch of the SSO module. For the 3.1.x changelog, see here.
4.0.0
Released on September 4, 2024
This release lets you connect with multiple identity providers and ensures access to your Magnolia instance by allowing your SSO system to fall back to Magnolia users stored in the JCR when required.
| Ticket | Type | Description |
|---|---|---|
| | | Ability to use default Magnolia login as well as SSO login. See Configuring a fallback login. |
| | | Add support for authorisation of web pages. |
| | | Introduce a new |
| | | Move |
| | | Redirect to the JCR login page when JCR users log out. |
| | | Support multiple OIDC clients. |
| | | Can’t access Admincentral when SSO is in the webapp. |
| | | Create a way to get the full name of a user given its ID. |
| | | Support multiple domains for the |
Upgrading from SSO 3.1.x to 4.0.0
SSO 4.0.x module introduces several important updates and requirements.
Each section below details specific actions and modifications needed to ensure a smooth upgrade and continued functionality.
Make sure you test the upgraded module on a development environment before proceeding.
Compatibility
SSO 4.0.x is compatible with Magnolia CMS 6.2.44 and later, including Magnolia CMS 6.3.x. When you upgrade to SSO module 4.0.0, you must also upgrade Magnolia to v6.2.44 or later.
Magnolia 6.2.44 brings required changes (MAGNOLIA-9200) to the info.magnolia.cms.security.auth.login.LoginHandler interface and centralizes the login and logout logic into the handlers, which are configured under info.magnolia.cms.security.LogoutFilter.
Configuration changes
If you use SSO 3.1.x and upgrade to 4.0.x, you must update your configuration in your /magnolia-sso/config.yaml file or the module won’t start.
You must remove the following property:
- path
Additionally, indexing is disabled for the profiles workspace from Magnolia 6.2.43 and later 6.2 releases.
You must add the following entry to the workspace.xml file:
- SearchIndex
XML for the SearchIndex entry:
```xml
<SearchIndex class="info.magnolia.jackrabbit.lucene.SearchIndex">
  <param name="path" value="${wsp.home}/index"/>
  <!-- SearchIndex will get the indexing configuration from the classpath, if not found in the workspace home -->
  <param name="indexingConfiguration" value="/info/magnolia/jackrabbit/indexing_configuration_${wsp.name}.xml"/>
  <param name="useCompoundFile" value="true"/>
  <param name="minMergeDocs" value="100"/>
  <param name="volatileIdleTime" value="3"/>
  <param name="maxMergeDocs" value="100000"/>
  <param name="mergeFactor" value="10"/>
  <param name="maxFieldLength" value="10000"/>
  <param name="bufferSize" value="10"/>
  <param name="cacheSize" value="1000"/>
  <param name="forceConsistencyCheck" value="false"/>
  <param name="autoRepair" value="true"/>
  <param name="queryClass" value="org.apache.jackrabbit.core.query.QueryImpl"/>
  <param name="respectDocumentOrder" value="true"/>
  <param name="resultFetchSize" value="100"/>
  <param name="extractorPoolSize" value="3"/>
  <param name="extractorTimeout" value="100"/>
  <param name="extractorBackLogSize" value="100"/>
  <!-- needed to highlight the searched term -->
  <param name="supportHighlighting" value="true"/>
  <!-- custom provider for getting an HTML excerpt in a query result with rep:excerpt() -->
  <param name="excerptProviderClass" value="info.magnolia.jackrabbit.lucene.SearchHTMLExcerpt"/>
</SearchIndex>
```
After doing so, remove the index folder in the same location (repositories/magnolia/workspaces/profiles) if it exists.
Removed classes
SSO 4.0.0 removes the following classes:
- info.magnolia.sso.SsoLoginFilter
- info.magnolia.sso.SsoLogoutFilter
If you have a custom implementation based on these classes, you must change it.
Enabling the JCR-based fallback login
If you plan to make use of the optional fallback login functionality provided in SSO 4.0.0, we recommend updating your JAAS configuration during the upgrade process because making changes to your jaas.config file requires you to restart the instance.
While updating the jaas.config file is not necessary for SSO to function correctly, it’s required to enable the JCR-based fallback functionality.
For SSO Login Extension module users
The sso-login-extension incubator module can’t be installed with SSO 4.0.0 and later.
You must adapt your configuration to replace the functionality previously offered by the sso-login-extension incubator module with the equivalent functionality in SSO 4.0.0.
- Uninstall the sso-login-extension module.
- Edit your jaas.config file so that it looks like this:
  ```
  sso-authentication {
    info.magnolia.sso.jaas.SsoAuthenticationModule requisite;
    info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
  };
  ```
- Revert your configuration to this:
  ```
  /server/filters/login/class = info.magnolia.sso.SsoLoginFilter
  /server/filters/securityCallback/clientCallbacks/magnolia-sso/class = info.magnolia.sso.UserInitiatedRedirectClientCallback
  ```
  Since it is a change in the configuration of the login, you need to use a groovy script or do it in rescue mode.
- Remove the following dependency from your project:
  ```xml
  <dependency>
    <groupId>info.magnolia.sso</groupId>
    <artifactId>sso-login-extension</artifactId>
    <version>1.0.2</version>
  </dependency>
  ```
- Install SSO module 4.0.x.
- Reconfigure the SSO module to achieve the same behavior as before.
The sso-login-extension incubator module uses a JCR configuration to define the paths to be protected on login. In contrast, the SSO module uses roles that deny access to a specific part of the site, effectively protecting them during login.
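
A pre-upgrade check for the Configuration changes and SSO Login Extension steps above, as an added example that is not part of the Magnolia documentation or tooling. The function names and sample inputs are constructed for illustration; it assumes the file contents are passed in as strings and that any `path:` key in config.yaml is the property to remove.

```python
import re
import xml.etree.ElementTree as ET

SEARCH_INDEX_CLASS = "info.magnolia.jackrabbit.lucene.SearchIndex"
EXPECTED_JAAS = [  # entry shown on this page for sso-login-extension users
    ("info.magnolia.sso.jaas.SsoAuthenticationModule", "requisite"),
    ("info.magnolia.jaas.sp.jcr.JCRAuthorizationModule", "required"),
]
# Constructed pre-upgrade inputs (placeholders, not from a real installation).
OLD_YAML = "path: /example\nother: value\n"
OLD_WORKSPACE = '<Workspace name="profiles"><FileSystem class="example.FS"/></Workspace>'
OLD_JAAS = "sso-authentication {\n  example.OtherModule required;\n};\n"
OLD_POM = "<dependency><artifactId>sso-login-extension</artifactId></dependency>"

def yaml_path_lines(config_yaml):
    """Line numbers of every 'path:' key (assumption: any nesting level counts)."""
    return [n for n, line in enumerate(config_yaml.splitlines(), 1)
            if re.match(r"\s*path\s*:", line)]

def has_search_index(workspace_xml):
    """True if workspace.xml declares the Magnolia SearchIndex element."""
    root = ET.fromstring(workspace_xml)
    return any(el.get("class") == SEARCH_INDEX_CLASS for el in root.iter("SearchIndex"))

def jaas_modules(jaas_config, entry="sso-authentication"):
    """(class, flag) pairs of one JAAS entry, in order; [] if the entry is absent."""
    m = re.search(re.escape(entry) + r"\s*\{(.*?)\}\s*;", jaas_config, re.S)
    if not m:
        return []
    return re.findall(r"([\w.$]+)\s+(required|requisite|sufficient|optional)\b", m.group(1))

def upgrade_findings(config_yaml, workspace_xml, jaas_config, pom_xml):
    """Collect every upgrade step from this page that is still outstanding."""
    findings = []
    for n in yaml_path_lines(config_yaml):
        findings.append(f"config.yaml line {n}: remove the 'path' property")
    if not has_search_index(workspace_xml):
        findings.append("workspace.xml: SearchIndex entry missing")
    if jaas_modules(jaas_config) != EXPECTED_JAAS:
        findings.append("jaas.config: sso-authentication entry differs from the documented one")
    if "<artifactId>sso-login-extension</artifactId>" in pom_xml:
        findings.append("pom.xml: sso-login-extension dependency still present")
    return findings

if __name__ == "__main__":
    for finding in upgrade_findings(OLD_YAML, OLD_WORKSPACE, OLD_JAAS, OLD_POM):
        print(finding)
```

The jaas.config comparison only applies if you are migrating from the sso-login-extension module; skip that finding otherwise.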