SSO in Magnolia PaaS

The instructions on this page focus primarily on the Keycloak side of things to ensure a successful implementation of SSO in PaaS.

For more information on installing and configuring the SSO Module and securing Magnolia Admincentral Access, check out the SSO module documentation.


The Magnolia SSO (single sign-on) module delegates authentication from a Magnolia instance to an OpenID Connect identity and access management application. The current iteration of the module has been successfully tested with open source Keycloak and cloud identity management software Okta, but all providers that follow the protocol should also be supported.

As Magnolia is already capable of full-fledged security, the intent is to only replace the authentication mechanism. A user on a third-party system with roles and groups is mapped to the equivalent Magnolia user roles and groups.

Keycloak settings for SSO

To integrate an external IDP / directory service for single sign-on (SSO) with PaaS, you can set up a connection via SAML or OpenID Connect (OIDC).

Example: Azure AD Integration with Keycloak via OpenID Connect (OIDC)

As OIDC is the preferred way, the following instructions explain the basic integration steps for Keycloak and Azure AD via OIDC authentication (OAuth2 for authorization). To integrate an existing Azure AD with Keycloak via OIDC, perform the following steps in order. All Azure actions are performed via the Microsoft Azure portal.

An Azure AD Premium P1/P2 subscription is required to map AppRoles to Users/Groups in Azure later.

Basic setup

  • Azure

  1. Create an Enterprise Application and share the ApplicationID (e.g. 1978A428-FY151-4EDA-AA40-FB18DCB7F482).

  2. Create Secret securely(!) and share the new Secret Value.

  3. In Overview > Endpoints, copy and share the OpenID Metadata Document URL of the new Application to be entered in Keycloak.

    .well-known metadata document format: <app-uuid>/v2.0/.well-known/openid-configuration.

  • Keycloak

  1. In <customer> > Identity Providers, create a new IDP using the information from above:

    Fetch the OIDC Metadata Document to "autofill" the basic information.

  2. ClientID → Enter the Azure App ApplicationID.

  3. ClientSecret → Enter the Azure App Secret Value.

  4. Perform a basic test on the Realm ID.

    See the URL format: <customer>/account/#/.

  5. Prepare the RoleMapping (map OpenID "roles" to existing Keycloak roles).

App mapping

  • Azure

  1. Ensure the Enterprise Application has the RedirectURI set (format: <customer>/broker/oidc/endpoint).

    Create multiple RedirectURIs, e.g. for production usage AND local testing.

  2. Now create your desired AppRole (e.g. Magnolia, Cockpit, Rancher).

  3. In AppRole, set up the OIDC Token Claim to be matched by Keycloak (Value = Claim Value in Keycloak).

  4. Map the AppRole to existing Users/Groups in AzureAD.

  5. Verify the User/Group has the AppRole and they can use AppRegistration.

  • Keycloak

  1. In <customer> > Identity Providers > Mappers, map the Claim Value (set prior in the Azure AppRole) of the OIDC Token Claim roles to an existing Role in the Keycloak IDP.

Because naming and the IDP structure of group/user/role assignments can be handled very freely, it's important for SSO to align and match on certain additional role assignments in order to control granular access privileges.

The following default values can be used to prepare an IDP for onboarding with Magnolia Keycloak:

| Claim-Value/Role | Type | Description |
| | | Rancher Admin Access (all Clusters) |
| | PaaS Cockpit | Cockpit Admin Access (all functions) |
| | Magnolia Admincentral SSO | Magnolia Author Superuser Access |
| | Magnolia Publisher SSO | Magnolia Author Publisher Access |

Repeat the steps of App mapping per Application you want to integrate.
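
The claim-to-role mapping described above can be checked against a decoded token before onboarding. The following Python sketch is an added example, not part of the Magnolia or Keycloak documentation; the claim values, role names and sample token are constructed placeholders, and the token is decoded without signature verification, for inspection only.

```python
import base64
import json

# Constructed mapping: claim value set in the Azure AppRole -> existing Keycloak role.
# Both sides are placeholders, not values from the Magnolia documentation.
ROLE_MAPPING = {
    "example-claim-admincentral": "example-keycloak-role-admincentral",
    "example-claim-publisher": "example-keycloak-role-publisher",
}


def decode_claims(token: str) -> dict:
    """Return the payload of a JWT WITHOUT verifying its signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_role_mapping(claims: dict, mapping: dict) -> dict:
    """Compare the token's `roles` claim with the configured claim-value mapping."""
    roles = claims.get("roles")
    if roles is None:
        # Seen e.g. when the AppRole is not assigned to the user/group.
        return {"granted": [], "unmapped": [], "problem": "no roles claim in token"}
    if isinstance(roles, str):
        roles = [roles]  # tolerate a single value instead of a list
    granted = sorted({mapping[r] for r in roles if r in mapping})
    unmapped = sorted({r for r in roles if r not in mapping})
    problem = None if granted else "no claim value matches a mapper"
    return {"granted": granted, "unmapped": unmapped, "problem": problem}


def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a fake signature so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    token = make_sample_token({"sub": "constructed-user",
                               "roles": ["example-claim-publisher", "example-claim-typo"]})
    print(check_role_mapping(decode_claims(token), ROLE_MAPPING))
    print(check_role_mapping({"sub": "constructed-user"}, ROLE_MAPPING))
```

An entry under "unmapped" means the claim value set in the AppRole does not match any mapper exactly, so the user would sign in without the intended role.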

For more information on installing and configuring the SSO Module and securing Magnolia Admincentral Access, check out the SSO module documentation.
