SSO in DX Cloud

The instructions on this page focus on the steps required to integrate with our Keycloak-based Identity Platform (IdP), which gives you access to our DX Cloud Service via SSO.

Please note that we offer this IdP integration to access our DX Cloud Service via SSO. If you have your own IdP, we recommend using it with the SSO module to access and secure the Magnolia AdminCentral. In that case, you must configure the IdP settings yourself.

Overview

The Magnolia SSO (single sign-on) module delegates authentication from a Magnolia instance to an OpenID Connect identity and access management application. The current iteration of the module has been successfully tested with open source Keycloak and cloud identity management software Okta, but all providers that follow the protocol should also be supported.

As Magnolia already provides full-fledged security (authorization stays in Magnolia), the intent is only to replace the authentication mechanism. A user on a third-party system with roles and groups is mapped to the equivalent Magnolia user roles and groups.

Keycloak settings for SSO

To integrate an external IdP directory service for single sign-on (SSO) with DX Cloud, a connection can be set up via SAML or OpenID Connect (OIDC).

Example: Azure AD Integration with Keycloak via OpenID Connect (OIDC)

As OIDC is the preferred way, the following instructions explain the basic integration steps for Keycloak and Azure AD via OIDC authentication (OAuth2 for authorization). To integrate an existing Azure AD with Keycloak via OIDC, the following steps must be performed in order. All Azure actions are performed in the Microsoft Azure portal.

An Azure AD Premium P1/P2 subscription is required to map AppRoles to Users/Groups in Azure later.

Basic setup

Azure

To integrate your Azure AD with Keycloak using OIDC, the following information needs to be shared securely (!) with Magnolia:

  • Client ID (Application ID)

  • Client Secret (the Secret Value of the Application Secret)

  • Well-Known URL (OpenID Metadata Document URL including all necessary information)

  1. Create an Enterprise Application and copy the Application ID (i.e. 1978A428-FY151-444B-AA32-GB18DCB7F482).

    (Screenshot: Azure createApp)

    (Screenshot: Azure AppID)

  2. Navigate to App Registrations and find your recently created application and open it.

    (Screenshot: Azure AppRegistration)

  3. In Manage > Certificates & Secrets, create a Client Secret and copy down the new Secret Value (the Secret ID is not required).

    (Screenshot: Azure CreateAppRegSecret)

    (Screenshot: Azure CopyAppRegSecret)

  4. In App Registrations, on the newly created app, open Overview > Endpoints and note the OpenID Metadata Document URL of the new application.

    (Screenshot: Azure WellKnownDocument)

    The .well-known metadata document is publicly available and typically follows this format: https://login.microsoftonline.com/<app-uuid>/v2.0/.well-known/openid-configuration.

  5. Finally, in the Authentication section of the App Registration, add the Magnolia Keycloak URLs as valid redirect URIs (Platform: Web). Please enter them in the following format (replace <customer> with your customer shortname):

Keycloak

  1. In the <customer> realm, under Identity Providers, create a new IdP integration using the information received before:

    • Client ID (Application ID)

    • Client Secret (the Secret Value of the Application Secret)

    • Well-Known URL (OpenID Metadata Document URL including all necessary information)

      Fetch the OIDC metadata to "autofill" the basic information.

      (Screenshot: Keycloak CreateIDP 1)

      (Screenshot: Keycloak CreateIDP 2)

  2. For the Client ID, enter the Azure app's Application ID.

  3. For the Client Secret, enter the Azure app's Secret Value.

    (Screenshot: Keycloak EnterInfo)

  4. Perform a basic test of the realm by opening its account console.

    The URL follows the format https://id.eu-central.magnolia-platform.com/realms/<customer>/account/#/.

  5. Prepare the role mapping (map the values of the OpenID "roles" claim to existing Keycloak roles).
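Keycloak fills in the authorization, token and JWKS endpoints from the OpenID metadata document noted in the Azure steps. The following script is an added example (not code from the DX Cloud docs, Keycloak or Microsoft) that sanity-checks such a document before it is used to configure the identity provider: the metadata URL has the shape shown above, the issuer matches the document's own location, every endpoint is HTTPS, the authorization code flow is offered and RS256 is available for ID token signatures. The sample document and the all-zero UUID are constructed placeholders.

```python
"""Sanity-check an OIDC discovery (.well-known) document before it is used
to configure a Keycloak identity provider.

Added example, not code from the DX Cloud docs, Keycloak or Microsoft.
The sample document below is constructed; the UUID is a placeholder.
"""
import json
from urllib.parse import urlparse

# Endpoints Keycloak needs for the authorization code flow and ID token verification.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample in the shape of an Azure AD v2.0 metadata document (placeholder UUID).
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA_URL = f"https://login.microsoftonline.com/{TENANT}/v2.0/.well-known/openid-configuration"
SAMPLE_DOCUMENT = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def metadata_url_looks_right(url: str) -> bool:
    """True if the URL has the shape given on the page: https and /v2.0/.well-known/openid-configuration."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.path.endswith("/v2.0/.well-known/openid-configuration")


def validate_discovery(raw_json: str, metadata_url: str) -> list[str]:
    """Return a list of problems; an empty list means the document is usable.

    Per OIDC Discovery the document lives at <issuer>/.well-known/openid-configuration,
    so the issuer must equal the metadata URL minus that suffix.
    """
    problems = []
    try:
        doc = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]

    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append(f"missing required field: {field}")

    # Every endpoint or URI in the document must be served over TLS.
    for field, value in doc.items():
        if field.endswith(("_endpoint", "_uri")) and urlparse(str(value)).scheme != "https":
            problems.append(f"{field} is not https: {value}")

    expected_issuer = metadata_url.removesuffix("/.well-known/openid-configuration")
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} does not match metadata location {expected_issuer!r}")

    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not supported")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not offered for ID token signing")
    return problems


if __name__ == "__main__":
    print("metadata URL ok:", metadata_url_looks_right(SAMPLE_METADATA_URL))
    print("problems:", validate_discovery(SAMPLE_DOCUMENT, SAMPLE_METADATA_URL))
```

Run it against the real document by fetching the URL noted in the Azure step 4 and passing the response body and that URL to validate_discovery; an issuer mismatch there usually means the wrong tenant or version segment was copied.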

App mapping


IdP naming and structure for groups, users, roles and assignments are flexible, so for SSO it is important to align and match on specific role assignments in order to control granular access privileges.

Aligning the claim value with the role or group name in both Keycloak and Azure AD helps to avoid confusion or misconfiguration.

The following default values can be used as example to prepare an IdP for onboarding with DX Cloud Keycloak.

Claim-Value/Role        Type                        Description
rancher.projectadmin    Rancher                     Rancher Project Access (all Clusters)
cockpit.admin           DX Cloud Cockpit            Cockpit Admin Access (all functions)
cockpit.devops          DX Cloud Cockpit            Cockpit DevOps Access (Interact Magnolia Workload, Configuration, Certificates, Redirects, …)
cockpit.business        DX Cloud Cockpit            Cockpit Business Access (Manage commercial aspects, Billing, …)
cockpit.support         DX Cloud Cockpit            Cockpit Support Access (ReadOnly on Logs/Metrics and Support Functions)
cockpit.user-manager    DX Cloud Cockpit            Cockpit User-Management Access (Manage User Roles/Permissions, Enable/Disable Users, …)
magnolia.superuser      Magnolia Admincentral SSO   Magnolia Author Superuser Access
magnolia.publisher      Magnolia Publisher SSO      Magnolia Author Publisher Access
…                       …                           …

Azure

  1. In App Registrations of your app, create your desired AppRole (i.e. Magnolia, Cockpit, Rancher) to be delivered as an OIDC claim value (Value = Claim Value in Keycloak).

    (Screenshot: Azure AppRole)

  2. In the (Enterprise) Application, map the AppRole at user and/or group level in Azure AD.

    (Screenshot: Azure MapAppRole)

Keycloak

  1. In <customer> > Identity Providers > Mappers, map the claim value (set before in Azure as AppRole) of the OIDC token claim roles to the existing role in the Keycloak IdP.

    (Screenshot: Keycloak RoleMapping)
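The mapper step above turns each value of the token's roles claim into a Keycloak role. The following script is an added example (not code from the DX Cloud docs or Keycloak) of that mapping as a defender would want it to behave: the token's issuer, audience and expiry are checked first, only claim values that exactly match a catalogued role are granted, and any unmatched value (for instance a casing mismatch such as Cockpit.Admin) is reported rather than silently granted. The catalogue reuses the default claim values from the table above and assumes the Keycloak role name equals the claim value, as the page recommends; the sample claim set and IDs are constructed placeholders, and signature verification of the token is assumed to have already happened.

```python
"""Map the 'roles' claim of a verified ID token onto Keycloak roles.

Added example, not code from the DX Cloud docs or Keycloak. It assumes each
claim value equals the Keycloak role name it grants (as the page recommends)
and that the token signature was already verified against the IdP's JWKS.
"""

# Default claim values from the page's table, keyed by claim value -> application.
# Assumption: the Keycloak role has the same name as the claim value.
ROLE_CATALOG = {
    "rancher.projectadmin": "Rancher",
    "cockpit.admin": "DX Cloud Cockpit",
    "cockpit.devops": "DX Cloud Cockpit",
    "cockpit.business": "DX Cloud Cockpit",
    "cockpit.support": "DX Cloud Cockpit",
    "cockpit.user-manager": "DX Cloud Cockpit",
    "magnolia.superuser": "Magnolia Admincentral SSO",
    "magnolia.publisher": "Magnolia Publisher SSO",
}

# Constructed claim set as Azure AD delivers it once AppRoles are assigned in the
# Enterprise Application. Issuer UUID, audience (client id) and user are placeholders.
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "aud": "11111111-1111-1111-1111-111111111111",
    "exp": 1_700_000_600,
    "preferred_username": "editor@example.invalid",
    "roles": ["cockpit.devops", "magnolia.publisher", "Cockpit.Admin"],  # last one mis-cased on purpose
}


def check_claims(claims, expected_issuer, client_id, now):
    """Return problems with iss/aud/exp; an empty list means the token is acceptable."""
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience does not contain our client id")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or has no exp")
    return problems


def map_roles(claims, catalog=ROLE_CATALOG):
    """Return (granted, unknown): catalogued role names to assign, and values that matched nothing."""
    raw = claims.get("roles", [])
    if isinstance(raw, str):  # some IdPs emit a single value as a scalar
        raw = [raw]
    granted = sorted({v for v in raw if v in catalog})
    unknown = sorted(set(raw) - set(catalog))
    return granted, unknown


def roles_by_application(granted, catalog=ROLE_CATALOG):
    """Group granted roles by the application they unlock, for an audit line."""
    grouped = {}
    for role in granted:
        grouped.setdefault(catalog[role], []).append(role)
    return grouped


def authorize(claims, expected_issuer, client_id, now, catalog=ROLE_CATALOG):
    """Full decision: reject on any claim problem; otherwise map roles and report unmatched values."""
    problems = check_claims(claims, expected_issuer, client_id, now)
    if problems:
        return {"accepted": False, "problems": problems, "roles": []}
    granted, unknown = map_roles(claims, catalog)
    return {
        "accepted": True,
        "problems": [f"unmapped role value: {v}" for v in unknown],
        "roles": granted,
    }


if __name__ == "__main__":
    decision = authorize(
        SAMPLE_CLAIMS,
        expected_issuer=SAMPLE_CLAIMS["iss"],
        client_id="11111111-1111-1111-1111-111111111111",
        now=1_700_000_000,
    )
    print(decision)
    print(roles_by_application(decision["roles"]))
```

The reported "unmapped role value" entries are the lines worth alerting on during onboarding: they show exactly which AppRole values in Azure do not line up with a Keycloak role name.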

Repeat the steps of App mapping for each application you want to integrate. For more information on installing and configuring the SSO module and securing Magnolia AdminCentral access, see the SSO module documentation.
