Admin

The Admin section lets you manage Cockpit users, AdminCentral groups, and Organisations.

It’s a good idea to manage access to your DX Cloud subscription. You can easily handle this using the Admin section in your Cockpit. Here, you can create and manage users and create user groups for your subscription, as well as perform administrative operations such as password resets or creating business units (Organisations).

Manage users

You can manage existing users directly from the Cockpit under the Access section. This includes:

Adding a user

You can add a new user to your DX Cloud subscription directly from the Cockpit under the Access section.

  1. Go to Admin > Users.

  2. Click Add.

    1. If desired, click Active to immediately activate the user upon creation.

    2. Input the user email.

    3. Give the user a First Name.

    4. Give the user a Last Name.

    5. Add the user to the appropriate groups.

      Groups list

      Click the group for details on what roles are included in each group.

      Cockpit groups
      Rancher groups
    6. Don’t forget to click Add.


User status

The user list allows you to quickly understand the status of the user.

  • Active: Active users are represented by a green badge.

  • Inactive: Inactive users are represented by a gold badge.

  • Not verified: Unverified users are represented by a red badge.

Editing a user

  1. Go to Admin > Users.

  2. Scroll to the desired user.

  3. Click Edit.

  4. In the dialog window, edit the user as needed.

  5. Don’t forget to click Edit.

Deleting users

  1. Go to Admin > Users.

  2. Scroll to the desired user.

  3. Click Delete.

  4. In the dialog window, click Delete to confirm that you definitely want to delete the user.

Reset user credentials

You can reset a user’s password or One-time Password (OTP) directly from the Cockpit under the Admin section.

SSO users

If you’re using SSO for your DX Cloud subscription, you are unable to reset the password of those users logging in via Single Sign-On, as the password is managed via the OIDC provider.

  1. Go to Admin > Users.

  2. Scroll to the desired user.

  3. Click Reset credentials. In the dialog, choose to:

    • Reset password: Initiates the password reset process.

    • Reset OTP: Initiates the One-time Password (OTP) reset process.

      An email is sent to the user. Users should follow instructions to reset their password and/or OTP credentials.


Create user group

You can create a new user group for your DX Cloud subscription directly from the Cockpit under the Admin section.

  1. Go to Admin > AdminCentral groups.

  2. Click Add.

    1. Give the group a meaningful name.

    2. Click the users that you want to add to the group.

      If you accidentally click the wrong user, you can click them again and they’ll return to the Available group.
    3. Don’t forget to click Add.


Group access AdminCentral

If using the SSO module for authentication, you need to ensure the groups created in the Cockpit are granted access via the configuration in the SSO module.

  1. Create a group in the Cockpit.

    No special roles are needed for AdminCentral access.
  2. Assign users to the group. These are the users who you want to be able to access AdminCentral.

  3. In the SSO module, ensure the group name created in the Cockpit is defined in the config.yaml file. See the SSO module configuration section for more details.

    path: /.magnolia/admincentral
    callbackUrl: http://localhost:8080/.auth
    postLogoutRedirectUri: http://localhost:8080/.magnolia/admincentral
    authorizationGenerators:
      - name: groupsAuthorization
        groups:
          targetProperty: groups
          mappings:
            - name: /COCKPIT_GROUP # (1)
              targetGroups: # (2)
                - editors
              targetRoles: # (3)
                - editor

    (1) Where /COCKPIT_GROUP is the name of the group you created in the Cockpit. If using Keycloak, the leading / is mandatory.
    (2) Defines the target group for the mapped group.
    (3) Defines any particular target roles for the group.

Add Organisation

You can create an Organisation so that you can group access to certain parts of your DX Cloud project based on a business unit or organisation. You can define access to clusters, domains, and namespaces this way and explicitly choose the users that are part of the unit.

  1. Go to Admin > Organisations.

  2. Click Add.

    1. Give the organisation a meaningful name.

    2. Give the organisation a meaningful description.

    3. Choose the Cluster Ids for which you want to grant access.

    4. Choose the Domains for which you want to grant access.

    5. Choose the Namespaces for which you want to grant access.

    6. Click the users that you want to add to the organisation.

      If you accidentally click the wrong user, you can click them again and they’ll return to the Available group.
    7. Don’t forget to click Add.


SSO clients

Our SSO module enables secure authentication by integrating with your Identity Provider (IDP). This lets your users access a Magnolia instance using their existing credentials, streamlining workflows and enhancing security.


For DX Cloud deployments, configuring an SSO client is essential to connect your IDP to Magnolia.

If your IDP uses SAML instead of OIDC, we need to bridge the gap by routing authentication through Keycloak. Proper client configuration ensures smooth and secure access across your environments.

You must only create one SSO client per environment (e.g., production, integration).

Add configuration

To add an SSO client configuration:

  1. Go to Admin > SSO clients.

  2. Click Add.

  3. Choose your desired Environment in the dropdown menu. You must only create one SSO client per environment (e.g., production, integration).

  4. Click Enabled.

  5. If desired, add redirect URLs.

  6. Add the allowed CORS origins.

    CORS restrictions

    Web origins must be listed in the SSO client configuration to allow cross-origin requests.

    If your Magnolia instance is hosted at https://example-magnolia.com and you have a front-end app at https://frontend-app.com, you might configure the following web origins in the SSO client (e.g., in Keycloak):

    • https://example-magnolia.com

    • https://frontend-app.com

    This ensures both domains can participate in the SSO authentication flow without being blocked by CORS restrictions.

  7. Add the Base URL.

    The default URL to use when the auth server needs to redirect or link back to the client.

  8. Add any Magnolia roles you want mapped in the SSO module.

  9. Click Add.
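
A pre-flight check for the web origins entered in step 6, as an added example that is not part of the Cockpit or the SSO module. The function names, the sample list and the policy (https only, plain http for local hosts only, no wildcards) are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample input; the first two entries are the origins used on this page.
SAMPLE_ORIGINS = [
    "https://example-magnolia.com", "https://frontend-app.com/",
    "https://Frontend-App.com:443", "http://localhost:8080",
    "*", "http://frontend-app.com", "https://frontend-app.com/login",
    "frontend-app.com",
]

def check_origin(value):
    """Return (normalized_origin, None) if usable, else (None, reason)."""
    raw = value.strip()
    if "*" in raw:
        return None, "wildcard: list each origin explicitly"
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None, "not a parseable URL"
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None, "expected scheme://host[:port]"
    if parts.username or parts.password:
        return None, "userinfo is not part of an origin"
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None, "an origin has no path, query or fragment"
    host = parts.hostname  # already lower-cased by urlsplit
    if parts.scheme == "http" and host not in LOCAL_HOSTS:
        return None, "plain http accepted only for local development"
    if ":" in host:  # IPv6 literal: restore the brackets urlsplit removed
        host = f"[{host}]"
    origin = f"{parts.scheme}://{host}"
    if port and port != DEFAULT_PORTS[parts.scheme]:
        origin += f":{port}"
    return origin, None

def review_origins(entries):
    """Split entries into de-duplicated accepted origins and rejected ones."""
    accepted, rejected = [], {}
    for entry in entries:
        origin, reason = check_origin(entry)
        if reason:
            rejected[entry] = reason
        elif origin not in accepted:
            accepted.append(origin)
    return accepted, rejected

if __name__ == "__main__":
    print(review_origins(SAMPLE_ORIGINS))
```

Entries that differ only in case, trailing slash or default port collapse to one origin, which is how the browser compares them.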


Magnolia SSO Config

Once you have configured your SSO client:

  1. Go to your SSO client configuration in the SSO Client Config table.

  2. Click the three bars.

  3. Click Magnolia SSO Config to get your full Magnolia SSO module .yaml configuration. You can copy and paste the configuration directly into your SSO module. For detailed information on SSO module configuration, see Magnolia SSO module: Configuration.

    callbackUrl: "/.auth"
    authorizationGenerators:
    - name: "groupsAuthorization"
      groups:
        targetProperty: "groups"
        mappings:
        - name: "/admincentral"
          targetGroups:
          - "publishers"
          targetRoles:
          - "superuser"
        - name: "/power-editor"
          targetGroups:
          - "publishers"
          targetRoles:
          - "superuser"
    clients:
      oidc.id: "magnolia-sso-integration"
      oidc.secret: "OIDC_SECRET"
      oidc.clientAuthenticationMethod: "client_secret_basic"
      oidc.scope: "openid profile email"
      oidc.discoveryUri: "https://id.int.example.com/realms/mplatform/.well-known/openid-configuration"
      oidc.preferredJwsAlgorithm: "RS256"
      oidc.authorizationGenerators: "groupsAuthorization"
      oidc.callbackUrl: "/.auth"
      oidc.postLogoutRedirectUri: "http://localhost:8080"
      http.bearer.id: "magnolia-sso-integration"
      http.bearer.secret: "OIDC_SECRET"
      http.bearer.clientAuthenticationMethod: "client_secret_basic"
      http.bearer.scope: "openid profile email"
      http.bearer.discoveryUri: "https://id.int.example.com/realms/mplatform/.well-known/openid-configuration"
      http.bearer.preferredJwsAlgorithm: "RS256"
      http.bearer.authorizationGenerators: "groupsAuthorization"
      http.bearer.authenticator: "oidc-userinfo"
    userFieldMappings:
      name: "name"
      removeEmailDomainFromUserName: false
      removeSpecialCharactersFromUserName: false
      email: "email"
      language: "locale"
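
A review helper for the group mappings in both configuration snippets on this page (Group access AdminCentral and Magnolia SSO Config), as an added example that is not Magnolia's own code. It lists the IdP groups that end up with the superuser role, group names without the leading / that Keycloak requires, client entries naming an authorization generator that is not defined, and plain-http URLs. The function name, the finding labels and the partly constructed sample are assumptions, as is the rule that a client's authorizationGenerators value must match a defined generator name.

```python
ADMIN_ROLES = {"superuser"}  # Magnolia's full-access role; extend as needed

# Constructed sample: the dict yaml.safe_load would return for a trimmed copy of
# the generated config, plus two constructed defects (third mapping, last client key).
SAMPLE = {
    "authorizationGenerators": [{
        "name": "groupsAuthorization",
        "groups": {"targetProperty": "groups", "mappings": [
            {"name": "/admincentral", "targetGroups": ["publishers"],
             "targetRoles": ["superuser"]},
            {"name": "/power-editor", "targetGroups": ["publishers"],
             "targetRoles": ["superuser"]},
            {"name": "content-team", "targetGroups": ["editors"],
             "targetRoles": ["editor"]},
        ]},
    }],
    "clients": {
        "oidc.authorizationGenerators": "groupsAuthorization",
        "oidc.callbackUrl": "/.auth",
        "oidc.postLogoutRedirectUri": "http://localhost:8080",
        "http.bearer.authorizationGenerators": "groupAuthorisation",
    },
}

def audit_sso_config(cfg, keycloak=True):
    """Return (label, detail) findings for a parsed SSO module configuration."""
    findings, defined = [], set()
    for gen in cfg.get("authorizationGenerators", []):
        defined.add(gen.get("name"))
        for mapping in gen.get("groups", {}).get("mappings", []):
            name = mapping.get("name", "")
            if keycloak and not name.startswith("/"):
                findings.append(("missing-leading-slash", name))
            roles = set(mapping.get("targetRoles") or [])
            for role in sorted(ADMIN_ROLES & roles):
                findings.append(("admin-role-mapping", f"{name} -> {role}"))
    for key, value in cfg.get("clients", {}).items():
        value = str(value)
        if key.endswith(".authorizationGenerators") and value not in defined:
            findings.append(("undefined-generator", f"{key}: {value}"))
        elif key.lower().endswith(("uri", "url")) and value.startswith("http://"):
            findings.append(("plain-http-url", f"{key}: {value}"))
    return findings

if __name__ == "__main__":
    for label, detail in audit_sso_config(SAMPLE):
        print(f"{label:24} {detail}")
```

Every admin-role-mapping line is a group whose members become superuser at login, so each one is worth confirming against the intended access model before the configuration is pasted into the SSO module.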