
The Single Sign On (SSO) module provides a configuration interface for OpenID Connect Services 2.0.



required, optional if no apiClass is specified

The URL from which the access token is fetched in the background after the user has logged in and the authorization code has been sent to Magnolia.

Example: https://keycloakhost:port/auth/realms/your-realm-name/protocol/openid-connect/token


optional, default is com.github.scribejava.apis.openid.OpenIdJsonTokenExtractor

This can be used if you need a specific Java class to parse the access token from an authentication service result. A specific parser is mostly needed when working with the OpenID Connect protocol.



Flexible parameter configuration for services that accept more than the standard set of parameters. Create as many properties under this node as are needed.


optional, default is info.magnolia.connector.sso.oic.service.GenericOICApi

Implementation of the OAuth protocol, version 2.0. You must implement your own class if you need vendor-specific behavior.



Base URL to which Magnolia redirects the user for login. Before redirecting to the chosen service, further parameters such as clientId and scope are appended to this URL. To build a more customized redirect URL, you have to implement your own class.

Example: https://keycloakhost:port/auth/realms/your-realm-name/protocol/openid-connect/auth



Setting specific to Xing. Some authentication services deliver the final user data wrapped in a JSON array. In such cases, the name of that array must be specified so that its first element can be used as the result.

Examples: users (Xing), data (Instagram)



Parameters to be passed to the callback handler.



The URL the service provider must call back after a successful login. Most service providers allow more than one callback URL per application. Make sure the URL you register matches the URL where your Magnolia instance is actually reached; otherwise the provider will reject the redirect for security reasons.

This applies at least to OAuth 2.x services. OAuth 1.x is sometimes less secure because it simply uses whatever callback URL is specified in the parameter sent to the authentication provider.

Example: https://localhost:8080/magnoliaPublic/.auth



ID of your application at the service provider.



Used to obtain the final access token from the authentication server. The clientSecret value is passed in the Authorization header to the authentication server, so it is never contained in a URL as a parameter. The connection is handled directly from server to server; no browser or redirect is involved.


optional, default is false

Added in v2.1

Flag to enable dynamic group resolution. Used together with externalGroupsPropertyName.


optional, default is usergroups

Added in v2.1

The name of the property in the service result which holds the group name(s) to be matched against existing groups in Magnolia. The property can contain multiple group names delimited by commas.

Be sure to create matching group name(s) through the Security app.



Maps Magnolia user field attributes to the attribute names provided by the service. This is a configuration node whose properties associate the pairs: the property name is the Magnolia field and the property value is the name of the corresponding field in the service result.



Client apps receive the user's identity encoded in a signed JSON Web Token (JWT), called an ID token. The value here determines the name under which that token is delivered.


optional, required if you use OpenID Connect

If you use the OpenID Connect protocol, this property must be present with the value set to true.


optional, required if you use OpenID Connect

OpenID Provider Issuer location.

Example: https://keycloakhost:port/auth/realms/your-realm-name/


optional, setting specific to OpenID Connect

The content of the provider's certificates can be stored directly in this property so that fetching them over the network can be avoided.



The URL where the signing keys for OpenID Connect are published. Consult the documentation of your authentication service provider for the correct location.

Example: https://keycloakhost:port/auth/realms/magnolia/protocol/openid-connect/certs



One or more attributes describing the kind of data the remote API may deliver. The standard service templates already provide the scope value for the available services. Read the API documentation of your service provider for more details.


optional, only when matching defaultSecurityGroups exist

The groups to be assigned to the user account after successful login. Multiple groups can be assigned as a comma-separated list.

For production use it is recommended that you use this property instead of the defaultSecurityGroups property, because multiple SSO Connector services can be used for different purposes within a single Magnolia instance.


optional, only when matching defaultSecurityRoles exist

The roles to be assigned to the user account after successful login. Multiple roles can be assigned as a comma-separated list.

For production use it is recommended that you use this property instead of the defaultSecurityRoles property, because multiple SSO Connector services can be used for different purposes within a single Magnolia instance.



The URL of the protected resource from which user data are queried using the previously acquired access token. The result is expected in JSON format.

Example: https://keycloakhost:port/auth/realms/magnolia/protocol/openid-connect/userInfo
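As an added illustration (not Magnolia's own code) of how the properties above fit together, the following Python sketch takes a constructed userInfo response, unwraps the first element of the configured JSON array, applies the attribute mapping, and resolves the comma-delimited external groups and the CSV default groups and roles against the groups and roles that already exist in Magnolia. The key names in CONFIG (such as jsonArrayName) are hypothetical stand-ins for the module's properties, and silently ignoring group names that do not exist in Magnolia is an assumption.

```python
import json

# Constructed userInfo response in the Xing shape described above:
# the user record is the first element of a JSON array named "users".
USERINFO_RESPONSE = json.dumps({
    "users": [{
        "id": "u-4711",
        "display_name": "Jane Example",
        "active_email": "jane@example.org",
        "usergroups": "editors, publishers, unknown-group",
    }]
})

# Groups and roles assumed to already exist in Magnolia (created via the
# Security app); constructed for this example.
EXISTING_GROUPS = {"editors", "publishers", "sso-default"}
EXISTING_ROLES = {"editor", "public-user"}

# Hypothetical connector configuration mirroring the properties on this page.
CONFIG = {
    "jsonArrayName": "users",                 # Xing: users, Instagram: data
    "attributeMapping": {                     # Magnolia field -> service field
        "name": "id",
        "fullName": "display_name",
        "email": "active_email",
    },
    "dynamicGroupResolution": True,
    "externalGroupsPropertyName": "usergroups",
    "securityGroups": "sso-default",          # CSV of default groups
    "securityRoles": "editor, public-user",   # CSV of default roles
}

def split_csv(value):
    """Split a comma-delimited property value, dropping blanks and whitespace."""
    return [v.strip() for v in value.split(",") if v.strip()]

def resolve_user(raw_json, config, existing_groups, existing_roles):
    """Return (mapped user fields, assigned groups, assigned roles)."""
    data = json.loads(raw_json)
    if config.get("jsonArrayName"):
        data = data[config["jsonArrayName"]][0]   # unwrap the array's first element
    user = {magnolia_field: data.get(service_field)
            for magnolia_field, service_field in config["attributeMapping"].items()}
    groups = set()
    if config.get("dynamicGroupResolution"):
        external = data.get(config["externalGroupsPropertyName"], "")
        groups |= set(split_csv(external)) & existing_groups  # unmatched names dropped
    groups |= set(split_csv(config.get("securityGroups", ""))) & existing_groups
    roles = set(split_csv(config.get("securityRoles", ""))) & existing_roles
    return user, sorted(groups), sorted(roles)
```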