
The Single Sign On module can be used for Magnolia admincentral login. This is similar to using LDAP or Active Directory. By using an external login service, Magnolia doesn't have to handle the authentication process itself; login is handled entirely by the service that is configured. For example, for additional security the external authentication service could require two-factor authentication before a user can be successfully authorized.

Prerequisites

In order to set up the admincentral login with a Keycloak server:

Installation

For this example, Keycloak will be used as the authentication service, using the OpenID Connect protocol. The installation has two parts: first the Keycloak setup, then the Magnolia configuration.

Keycloak

  1. Create a superuser account.
  2. Create a new Client.
  3. Make note of the Secret for the new Client ID on the Credentials tab.
  4. Create an openIdToken in the Mappers tab.

Magnolia

  1. Be sure to have your jaas.config set up for SSO authentication.
  2. Define the service using the appropriate properties here: /modules/sso-connector/config/authenticationServices

    Here is an export of this configuration.

  3. Configure the filter and login handler here: /server/filters/login


  4. Define the security callback here: /server/filters/securityCallback/clientCallbacks

    This configuration is very sensitive, because the order of the callback nodes is significant.

Testing Configuration

  1. Using a different browser, access: http://magnoliahost:port/context/.magnolia/admincentral

    Stay logged into the browser you are using for setup in case something is wrong with the configuration. Test login in a separate browser.

  2. You should be redirected to Keycloak login.
  3. Authenticate using the superuser credentials.
  4. You should now be logged into admincentral with the superuser account provided by the Keycloak server.
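
Step 2 above can also be checked from a script rather than by eye. The following is an added example, not part of the original page or of Magnolia's module: it inspects the redirect that an unauthenticated admincentral request receives and reports anything that does not look like a well-formed OpenID Connect authorization request to the expected Keycloak realm. It assumes Magnolia answers with a direct HTTP redirect, the authorization code flow, and Keycloak's `/auth/realms/...` path; the host names, realm, client ID and the function name are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Keycloak's OIDC authorization endpoint; the /auth prefix is assumed here
# (it is the default in the Keycloak 3.x line linked in the comments below).
AUTH_PATH = "/auth/realms/{realm}/protocol/openid-connect/auth"

def check_login_redirect(status, location, keycloak_host, realm, client_id, magnolia_host):
    """Return the problems found in the redirect that an unauthenticated
    admincentral request received; an empty list means it looks right."""
    if status not in (302, 303, 307):
        return [f"expected a redirect, got HTTP {status}"]
    url = urlsplit(location or "")
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    problems = []
    if url.scheme != "https":
        problems.append("Keycloak endpoint is not reached over https")
    if url.netloc != keycloak_host:
        problems.append(f"redirect goes to {url.netloc!r}, not {keycloak_host!r}")
    if url.path != AUTH_PATH.format(realm=realm):
        problems.append(f"unexpected authorization path {url.path!r}")
    if params.get("response_type") != "code":  # assumes authorization code flow
        problems.append("response_type is not 'code'")
    if params.get("client_id") != client_id:
        problems.append("client_id does not match the Keycloak client")
    if "openid" not in params.get("scope", "").split():
        problems.append("scope lacks 'openid'")
    if not params.get("state"):
        problems.append("no state parameter (login CSRF protection)")
    back = urlsplit(params.get("redirect_uri", ""))
    if back.netloc != magnolia_host:
        problems.append("redirect_uri does not return to Magnolia")
    elif back.scheme != "https":
        problems.append("redirect_uri uses plain http")
    return problems

# Constructed sample Location headers (hosts, realm and client are made up).
KC = "keycloak.example.test/auth/realms/magnolia/protocol/openid-connect/auth"
GOOD = ("https://" + KC + "?response_type=code&client_id=admincentral"
        "&scope=openid+profile&state=Zx81kQ&redirect_uri="
        "https%3A%2F%2Fmagnoliahost%3A8443%2Fcontext%2F.magnolia%2Fadmincentral")
BAD = ("http://" + KC + "?response_type=code&client_id=admincentral&scope=openid"
       "&redirect_uri=http%3A%2F%2Fmagnoliahost%3A8080%2Fcontext%2F.magnolia%2Fadmincentral")

if __name__ == "__main__":
    args = ("keycloak.example.test", "magnolia", "admincentral")
    print(check_login_redirect(302, GOOD, *args, "magnoliahost:8443"))
    print(check_login_redirect(302, BAD, *args, "magnoliahost:8080"))
```

Feed it the status code and Location header from a request to the admincentral URL made without a session cookie, along with the client ID created in the Keycloak steps.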

2 Comments

  1. According to Lars Fischer, this should work without the Client Adapter!

    1. Perhaps, Lars does have the ability to update this doc if he'd like to. I simply followed the instructions here: https://www.keycloak.org/docs/3.4/getting_started/index.html#securing-a-jboss-servlet-application