The Single Sign On module can be used for Magnolia admincentral login. This is similar to using LDAP or Active Directory. By delegating login to an external service, Magnolia does not have to handle the authentication process itself: login is handled entirely by the configured service. For example, for additional security the external authentication service could require two-factor authentication before a user is successfully authorized.
In order to set up the admincentral login with a Keycloak server:
- Download Keycloak here. In this example we use 3.4.3.
- Download the client adapter for OpenID Connect here.
- Install the client adapter.
For this example Keycloak will be used as the authentication service, using the OpenID Connect protocol. The installation has two parts: first the Keycloak setup, then the Magnolia configuration.
- Create a superuser account.
- Create a new Client.
- Make note of the Secret for the new Client ID on the Credentials tab.
- Create an openIdToken in the Mappers tab.
- Be sure to have your jaas.config set up for SSO authentication.
- Define the service using the appropriate properties here:
- Configure the filter and login handler here:
Define the security callback here:
This configuration is sensitive: the order of the callback nodes is significant, so keep them in the order given.
Using a different browser, access: http://magnoliahost:port/context/.magnolia/admincentral
Stay logged in to the browser you are using for setup in case something is wrong with the configuration, and test the login in a separate browser.
- You should be redirected to Keycloak login.
- Authenticate using the superuser credentials.
- You should now be logged into admincentral with the superuser account provided by the Keycloak server.