SSO Login Extension module


Incubator (services)





Compatible with latest version of Magnolia.

The SSO Login Extension module provides provides JCR and SSO authentication.

This module is at the INCUBATOR level.

Installing with Maven

Maven is the easiest way to install the module. Add the following to your bundle:



JAAS configuration

Your jaas.config file should look like so:

sso-authentication {
  info.magnolia.sso.jaas.SsoAuthenticationModule requisite;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;

magnolia {
  // ensure user is who he claims he is (check pwd for the user)
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite;
  // retrieve users ACLs
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;

URL configuration

By default, to log in using jcr, you will have to point your browser to /.magnolia/jcrlogin, this value can be changed in the configuration using decorations, the value is set in the property jcrLoginUrl, you can set the new URL value in that property. Otherwise /.magnolia/jcrlogin is used as default.

This property can be created via JCR or by decorating the configuration following these instructions.


The SSO login extension module enables you to log in with SSO or use a URL to log in using JCR authentication.

The default is SSO unless you access the URL specified in the module configuration.

Configuring Multiple Paths

By default, the Magnolia SSO module allows only one fixed path to be protected in the configuration. Especially on public instances, it may be necessary to protect more than one path, depending on the user group you want to support (such as customers or vendors). To work around the single-path limitation, you can add one or more security callback filters using the info.magnolia.sso.login.extension.filter.securitycallback.MultiPathRedirectCallback filter class.

Define the filter at /server/filters/securityCallback/clientCallbacks.

Path parameters

You can use the path property to specify the path to protect.

If the path property is missing or invalid (such as "/"), the filter attempts to use the path defined in config.yaml file of your Magnolia SSO module configuration.

Example configuration for travel demo site

Default filter settings

You can use the default filter settings, such as the originalUrlPattern settings, to match the protected path. In addition, you can use filter configurations such as hostPattern, which allows you to configure the host to which the configuration should be applied.

In the example below, the host is taken into account when the protected path is checked. This means that the protected path setting would only be applied to the host.

Example configuration for travel demo filter settings

See for more filtering options.

Order of Client Callbacks

The order of the filter settings is critical.

The configurations for the multi path filter must come before the extended login filter (enabling login with /.magnolia/jcrlogin). However, local logins will work in addition to the paths you define with the multi-path filter.

Additional examples

There are no configurations applied by default, but there are two sample client callback configuration files you can check out in the src/main/resources/samples directory of the SSO Login Extension module repository.


To fully uninstall the module follow this steps:

  1. Your jaas.config file should look like so:

    sso-authentication {
      info.magnolia.sso.jaas.SsoAuthenticationModule requisite;
      info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
  2. Configuration should be reverted to this:

    Since it is a change in the configuration of the login, you will need to use a groovy script or do it in rescue mode.

    /server/filters/login/class = info.magnolia.sso.SsoLoginFilter
    /server/filters/securityCallback/clientCallbacks/magnolia-sso/class = info.magnolia.sso.UserInitiatedRedirectClientCallback
  3. Remove the following dependency from your project:



Version Notes


Improvement multiple path protection.


Improvement for Basic auth support.


Initial release of the module.





This widget lets you know where you are on the docs site.

You are currently perusing through the SSO Login Extension module docs.

Main doc sections

DX Core Headless PaaS Legacy Cloud Incubator modules