Identity and access management (IAM)

Magnolia security is based on Java Authentication and Authorization Service (JAAS).

JAAS provides a standardized way for:

The system always checks whether a certain user has the required (set of) permissions to access a certain resource such as a web page, document, template or some other type of data. Permissions such as Access Control Lists (ACLs) are assigned to user roles. The roles can be assigned to groups or directly to the users. Finally, users can be assigned to a group.

For more details, refer to:

Use the Magnolia Security app to administer users groups, and roles with ACLs that Magnolia provides. By default, the app stores the user, group and role data in the users, usergroups, and userroles JCR workspaces.

Magnolia also provides connectors to integrate with third-party systems.

CAS module enables Central Authentication Service (CAS) in Magnolia. CAS is a single sign-on (SSO) Web protocol that permits a user to log in once to a system and then automatically gain access to all related systems to which they have been granted permission as per their credentials. This avoids the need to log into each system individually. The Magnolia CAS module handles authentication only. When a user logs into CAS, the system authenticates their identity to participating services because the user has been authenticated to CAS.

LDAP Connector module is a JAAS login module that connects to any LDAP v3 directory service. The LDAP Connector is used in intranet environments where an enterprise user management infrastructure already exists. With JAAS you can meet single sign-on requirements or connect to legacy LDAP servers.

As Magnolia is already capable of full-fledged security, the intent is to only replace the authentication mechanism. A user on a third-party system with roles and groups is mapped to the equivalent Magnolia user roles and groups.