SSO Login Extension module

Edition: Incubator (services)
Git: Git
Latest: 1.0.4

Compatible with latest version of Magnolia.

The SSO Login Extension module provides JCR and SSO authentication.

This module is at the INCUBATOR level.

The SSO Login Extension module cannot be installed with Magnolia SSO module 4.0.0 and later. It must be uninstalled before you install the SSO module.

Installing with Maven

Maven is the easiest way to install the module. Add the following to your bundle:

<dependency>
  <groupId>info.magnolia.sso</groupId>
  <artifactId>sso-login-extension</artifactId>
  <version>1.0.4</version>
</dependency>

Configuration

JAAS configuration

Your jaas.config file should look like this:

sso-authentication {
  info.magnolia.sso.jaas.SsoAuthenticationModule requisite;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};

magnolia {
  // ensure user is who he claims he is (check pwd for the user)
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite;
  // retrieve users ACLs
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
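To check a deployed jaas.config against the layout above, the following added example (not part of the module or of Magnolia) parses the login contexts and reports any context whose authentication module is not mandatory or is listed after the authorization module. Identifying modules by "Authentication" or "Authorization" in the class name is an assumption of this sketch, and the weak-example context is constructed for illustration.

```python
import re

# Constructed sample: the two login contexts from this page plus a deliberately
# weak third context (hypothetical name) so the check has something to report.
SAMPLE = """
sso-authentication {
  info.magnolia.sso.jaas.SsoAuthenticationModule requisite;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
magnolia {
  // ensure user is who he claims he is (check pwd for the user)
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
weak-example {
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule optional;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
"""
FLAGS = {"required", "requisite", "sufficient", "optional"}

def parse_jaas(text):
    """Return {context: [(module_class, flag), ...]} in file order."""
    text = re.sub(r"//[^\n]*", "", text)  # simplification: no '//' in option values
    contexts = {}
    for name, body in re.findall(r"([\w.\-]+)\s*\{(.*?)\}\s*;", text, flags=re.S):
        entries = []
        for stmt in filter(None, (s.strip() for s in body.split(";"))):
            parts = stmt.split()
            if len(parts) < 2 or parts[1].lower() not in FLAGS:
                raise ValueError(f"{name}: malformed entry {stmt!r}")
            entries.append((parts[0], parts[1].lower()))
        contexts[name] = entries
    return contexts

def lint(contexts):
    """Report contexts that deviate from 'mandatory authentication first'."""
    findings = []
    for name, entries in contexts.items():
        kinds = [c.rsplit(".", 1)[-1] for c, _ in entries]
        authn = next((i for i, k in enumerate(kinds) if "Authentication" in k), None)
        authz = next((i for i, k in enumerate(kinds) if "Authorization" in k), None)
        if authn is None:
            findings.append((name, "no authentication module"))
        elif entries[authn][1] not in ("requisite", "required"):
            findings.append((name, "authentication module is not mandatory"))
        if authn is not None and authz is not None and authz < authn:
            findings.append((name, "authorization listed before authentication"))
    return findings
```

Calling lint(parse_jaas(open("jaas.config").read())) on a real file returns an empty list when every context matches the layout shown above.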

URL configuration

By default, to log in using JCR authentication, point your browser to /.magnolia/jcrlogin. To change this URL, set the jcrLoginUrl property in the configuration, for example using decorations. If the property is not set, /.magnolia/jcrlogin is used as the default.

This property can be created via JCR or by decorating the configuration following these instructions.

Usage

The SSO login extension module enables you to log in with SSO or use a URL to log in using JCR authentication.

The default is SSO unless you access the URL specified in the module configuration.

Configuring Multiple Paths

By default, the Magnolia SSO module allows only one fixed path to be protected in the configuration. Especially on public instances, it may be necessary to protect more than one path, depending on the user group you want to support (such as customers or vendors). To work around the single-path limitation, you can add one or more security callback filters using the info.magnolia.sso.login.extension.filter.securitycallback.MultiPathRedirectCallback filter class.

Define the filter at /server/filters/securityCallback/clientCallbacks.

Path parameters

You can use the path property to specify the path to protect.

If the path property is missing or invalid (such as "/"), the filter attempts to use the path defined in the config.yaml file of your Magnolia SSO module configuration.

Example configuration for travel demo site

Default filter settings

You can use the default filter settings, such as the originalUrlPattern settings, to match the protected path. In addition, you can use filter configurations such as hostPattern, which allows you to configure the host to which the configuration should be applied.

In the example below, the host is taken into account when the protected path is checked. This means that the protected path setting would only be applied to the sso.gummibaer.org host.

Example configuration for travel demo filter settings

See info.magnolia.cms.security.auth.callback.AbstractHttpClientCallback for more filtering options.

Order of Client Callbacks

The order of the filter settings is critical.

The configurations for the multi-path filter must come before the extended login filter (enabling login with /.magnolia/jcrlogin). However, local logins will work in addition to the paths you define with the multi-path filter.

Additional examples

There are no configurations applied by default, but there are two sample client callback configuration files you can check out in the src/main/resources/samples directory of the SSO Login Extension module repository.

Uninstalling

To fully uninstall the module:

  1. Edit your jaas.config file so that it looks like this:

    sso-authentication {
      info.magnolia.sso.jaas.SsoAuthenticationModule requisite;
      info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
    };

  2. Revert your configuration to the following values. Because this changes the login configuration, you need to use a Groovy script or do it in rescue mode.

    /server/filters/login/class = info.magnolia.cms.security.auth.login.LoginFilter (1)
    /server/filters/securityCallback/clientCallbacks/magnolia-sso/class = info.magnolia.sso.UserInitiatedRedirectClientCallback

    (1) If you’re already using version 4.x+ of the SSO module, this value has the info.magnolia.cms.security.auth.login.LoginFilter class. However, if you’re on version 3.x of the SSO module, you must manually set the class to info.magnolia.sso.SsoLoginFilter when uninstalling to ensure the login process continues smoothly.

  3. Remove the following dependency from your project:

    <dependency>
      <groupId>info.magnolia.sso</groupId>
      <artifactId>sso-login-extension</artifactId>
      <version>1.0.4</version>
    </dependency>

Changelog

Version Notes

1.0.4

Improve check for anonymous user.

1.0.3

Disallow installation on newer versions; this module will be outdated.

1.0.2

Improved multiple path protection.

1.0.1

Improvement for Basic auth support.

1.0

Initial release of the module.
