
The Single Sign On (SSO) module provides a configuration interface for OAuth 2.0 and OpenID Connect (OIDC) services.

Configuration

accessTokenEndpoint

required, unless a custom apiClass supplies the token endpoint itself

The URL from which the access token is fetched in the background (server to server) after the user has logged in and the authorization code has been sent to Magnolia.

Example: https://keycloakhost:port/auth/realms/your-realm-name/protocol/openid-connect/token

accessTokenExtractor

optional, default is com.github.scribejava.apis.openid.OpenIdJsonTokenExtractor

Use this if you need a specific Java class to parse the access token from the authentication service's response. A dedicated parser is mostly needed when working with the OpenID Connect protocol, where the response also carries an ID token.

additionalParameters

optional

Flexible parameter configuration for services that accept more than the standard set of request parameters. Create as many properties under this node as are needed; each is appended to the authorization request.

apiClass

optional, default is info.magnolia.connector.sso.oic.service.GenericOICApi

Implementation of the OAuth 2.0 protocol. You must implement your own class if you need vendor-specific behaviour.

authorizationBaseUrl

required

Base URL to which Magnolia redirects the browser for login. Before redirecting to the chosen service, further parameters are appended to this URL, such as clientId, scope and the callback URL. To build a more customized redirect URL, you have to implement your own class.

Example: https://keycloakhost:port/auth/realms/your-realm-name/protocol/openid-connect/auth

arrayName

optional

Setting specific to providers such as Xing. Some authentication services deliver the final user data as a JSON array. In such cases, the name of the array must be given here so that its first element can be taken as the user record.

Examples: users (Xing), data (Instagram)

callbackParam

optional

Parameters to be passed to the callback handler.

callbackURL

required

The URL the service provider must redirect back to after a successful login. Most service providers allow more than one callback URL per application. Make sure the URL you register matches the location of your Magnolia instance exactly (scheme, host, port and path); otherwise the provider refuses the redirect for security reasons, because OAuth 2.0 providers compare the redirect_uri in the request against the registered values rather than trusting the request.

This applies to OAuth 2.x services. OAuth 1.x providers are sometimes less strict and simply use whatever callback URL was sent as a parameter to the authentication provider.

Example: https://localhost:8080/magnoliaPublic/.auth

clientId

required

ID of your application at the service provider.

clientSecret

required

Used to obtain the final access token from the authentication server. The clientSecret value is passed in the HTTP Authorization header (Basic client authentication), so it is never part of a URL parameter and does not end up in browser history or proxy logs. The connection is made directly from server to server; no browser or redirect is involved.
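The three steps that authorizationBaseUrl, callbackURL, clientId, clientSecret and additionalParameters describe, as an added example that is not part of the SSO module or the original page: building the login redirect, accepting the callback, and preparing the server-to-server token request. Host names, paths and secret values are constructed; the configuration is a plain dictionary standing in for the module's configuration node.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed configuration using the property names on this page. The host
# names, realm and secret are hypothetical.
CONFIG = {
    "authorizationBaseUrl": "https://keycloak.example.org/auth/realms/demo/protocol/openid-connect/auth",
    "accessTokenEndpoint": "https://keycloak.example.org/auth/realms/demo/protocol/openid-connect/token",
    "callbackURL": "https://cms.example.org/magnoliaAuthor/.auth",
    "clientId": "magnolia-author",
    "clientSecret": "s3cr3t-not-for-urls",
    "scope": "openid profile email",
    "additionalParameters": {"prompt": "login"},
}


def build_authorization_url(cfg: dict, state: str, nonce: str) -> str:
    """Step 1: the URL the browser is sent to. clientId, scope and callbackURL
    are appended as query parameters; the client secret never is."""
    params = {
        "response_type": "code",
        "client_id": cfg["clientId"],
        "redirect_uri": cfg["callbackURL"],
        "scope": cfg["scope"],
        "state": state,  # binds the callback to this login attempt (CSRF protection)
        "nonce": nonce,  # echoed back inside the ID token
    }
    params.update(cfg.get("additionalParameters", {}))
    return cfg["authorizationBaseUrl"] + "?" + urlencode(params)


def callback_matches_registration(redirect_uri: str, registered: list) -> bool:
    """The check an OAuth 2.0 provider applies to redirect_uri: it must equal
    one of the URLs registered for the client exactly. A different scheme,
    host, port or an extra trailing slash is a different URL and is refused."""
    return redirect_uri in registered


def handle_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: the browser arrives at callbackURL with code and state. Refuse
    the code unless state is the one issued in step 1."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this callback does not belong to the login we started")
    return query["code"][0]


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication for the token endpoint."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def build_token_request(cfg: dict, code: str):
    """Step 3: the server-to-server request to accessTokenEndpoint. The secret
    travels in the Authorization header; the form body carries only the code
    and the same redirect_uri that was used in step 1."""
    headers = {
        "Authorization": basic_auth_header(cfg["clientId"], cfg["clientSecret"]),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": cfg["callbackURL"],
    })
    return cfg["accessTokenEndpoint"], headers, body


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorization_url(CONFIG, state, nonce))
    # Simulate the provider redirecting the browser back with a code.
    code = handle_callback(f'{CONFIG["callbackURL"]}?code=c0de&state={state}', state)
    print(build_token_request(CONFIG, code))
```

The exact-match check is the one that bites in practice: registering `https://cms.example.org/magnoliaAuthor/.auth` and then running the instance on a different port or behind a proxy that rewrites the scheme produces a callback URL the provider has never seen.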

externalGroupsManagement

optional, default is false

Added in v2.1

Flag to enable dynamic group resolution. Used together with externalGroupsPropertyName.

externalGroupsPropertyName

optional, default is usergroups

Added in v2.1

The name of the property in the user data which holds the group name(s) to be matched against existing groups in Magnolia. The property may contain multiple group names delimited by commas.

Be sure to create the matching group name(s) through the Security app; names that do not exist in Magnolia are not matched.

fieldMappings

optional

Maps Magnolia user fields to the attribute names provided by the service. This is a configuration node containing one property per field: the property name is the Magnolia user field and the property value is the name of the attribute in the service's user data.

openIdAccessTokenAttributeName

required

Client apps receive the user's identity encoded in a signed JSON Web Token (JWT) called an ID token. The value here is the name of the attribute in the token endpoint response that carries that token (id_token in a standard OpenID Connect token response).

openIdEnabled

optional, required if you use OpenID Connect

If you use the OpenID Connect protocol this property must be present with the value set to true.

openIdIssuer

optional, required if you use OpenID Connect

Issuer identifier of the OpenID Provider. It is compared against the iss claim of the ID token, so it must match the value the provider puts there exactly, including scheme, host, port and any trailing slash.

Example: https://keycloakhost:port/auth/realms/your-realm-name/
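Locating the ID token by openIdAccessTokenAttributeName and checking its claims against openIdIssuer and clientId, as an added example that is not the SSO module's own code. The token response and the ID token are constructed fixtures; the configuration is a plain dictionary. Signature verification against the provider's key set (openIdWebKeySet or openIdWebKeyUrl) is assumed to have happened already and is not shown.

```python
import base64
import json
import time

# Constructed configuration; issuer and client ID are hypothetical.
CONFIG = {
    "clientId": "magnolia-author",
    "openIdIssuer": "https://keycloak.example.org/auth/realms/demo",
    "openIdAccessTokenAttributeName": "id_token",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_id_token(claims: dict) -> str:
    """Constructed test fixture: header.payload.signature with a placeholder
    signature. Real ID tokens are signed (typically RS256) by the provider,
    and that signature must be verified with the provider's keys first."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def id_token_claims(token_response: dict, cfg: dict) -> dict:
    """Find the ID token in the token response under the configured attribute
    name and decode its payload (the JSON claims)."""
    name = cfg["openIdAccessTokenAttributeName"]
    if name not in token_response:
        raise KeyError(f"token response has no '{name}' attribute")
    _, payload, _ = token_response[name].split(".")
    return json.loads(_b64url_decode(payload))


def validate_id_token_claims(claims: dict, cfg: dict, nonce: str, now: float = None) -> list:
    """Return the list of failed checks (empty means the token is acceptable).
    The issuer comparison is exact: a trailing slash or an http/https
    difference between openIdIssuer and the token's iss claim is a failure."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != cfg["openIdIssuer"]:
        problems.append("iss does not equal openIdIssuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if cfg["clientId"] not in aud:
        problems.append("aud does not contain clientId")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("nonce") != nonce:
        problems.append("nonce does not match the login request")
    return problems


if __name__ == "__main__":
    token = make_unsigned_id_token({
        "iss": CONFIG["openIdIssuer"], "aud": CONFIG["clientId"], "sub": "1a2b",
        "exp": time.time() + 300, "nonce": "n1",
    })
    claims = id_token_claims({"access_token": "opaque", "id_token": token}, CONFIG)
    print(claims["sub"], validate_id_token_claims(claims, CONFIG, "n1"))
```

When the list of problems comes back non-empty with only the issuer check failing, compare the configured openIdIssuer character by character with the iss value the provider actually emits; Keycloak's realm URL and the value with a trailing slash are not the same issuer.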

openIdWebKeySet

optional, setting specific to OpenID Connect

The provider's JSON Web Key Set (the public keys used to verify ID token signatures) can be stored directly in this property so that Magnolia does not need to fetch it over the network. Keep it current: when the provider rotates its signing keys, tokens signed with a new key fail verification until this value is updated.

openIdWebKeyUrl

optional

The URL of the provider's JSON Web Key Set (JWKS) endpoint from which the keys used to verify OpenID Connect tokens are fetched; see the documentation of your authentication service provider.

Example: https://keycloakhost:port/auth/realms/magnolia/protocol/openid-connect/certs

scope

required

One or more scope values describing the kind of data the remote API may deliver. For OpenID Connect the scope must include openid. The standard service templates already provide a scope value for the available services; see the API documentation of your service provider for details.

securityGroups

optional, only when matching defaultSecurityGroups exist

The groups to be assigned to the user account after successful login. Multiple groups can be given as a comma-separated list.

For production use it is recommended that you use this property instead of the defaultSecurityGroups property, because multiple SSO Connector services can be used for different purposes within a Magnolia instance.

securityRoles

optional, only when matching defaultSecurityRoles exist

The roles to be assigned to the user account after successful login. Multiple roles can be given as a comma-separated list.

For production use it is recommended that you use this property instead of the defaultSecurityRoles property, because multiple SSO Connector services can be used for different purposes within a Magnolia instance.

userInfoURL

required

The URL of the protected resource from which user data is queried using the previously acquired access token. The result is expected in JSON format.

Example: https://keycloakhost:port/auth/realms/magnolia/protocol/openid-connect/userInfo
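Turning a userInfoURL response into a Magnolia-side user record, as an added example that is not the SSO module's own code. It covers the properties arrayName, fieldMappings, externalGroupsManagement, externalGroupsPropertyName, securityGroups and securityRoles described above. The userinfo payloads are constructed, the configuration is a plain dictionary, and a Python set stands in for the groups that exist in Magnolia's Security app.

```python
# Constructed: groups that exist in Magnolia's Security app (hypothetical names).
EXISTING_GROUPS = {"editors", "publishers", "travel-demo-editors"}

# Constructed configuration using the property names on this page.
CONFIG = {
    "fieldMappings": {"name": "preferred_username", "email": "email", "fullName": "name"},
    "externalGroupsManagement": True,
    "externalGroupsPropertyName": "usergroups",
    "securityGroups": "editors",
    "securityRoles": "editor",
}

# Constructed userinfo payloads: a flat object and an array-wrapped one.
FLAT_USERINFO = {
    "sub": "1a2b", "preferred_username": "jdoe", "email": "jdoe@example.org",
    "name": "Jane Doe", "usergroups": "editors, publishers ,finance",
}
ARRAY_USERINFO = {"users": [{"id": "42", "active_email": "x@example.org", "display_name": "X"}]}


def unwrap(payload: dict, array_name: str = None) -> dict:
    """Services that return the user inside a JSON array (arrayName set)
    deliver the record as the first element of that array."""
    if not array_name:
        return payload
    records = payload.get(array_name)
    if not isinstance(records, list) or not records:
        raise ValueError(f"userinfo has no non-empty array '{array_name}'")
    return records[0]


def map_fields(record: dict, field_mappings: dict) -> dict:
    """fieldMappings: property name = Magnolia user field,
    property value = attribute name at the service."""
    return {field: record[attr] for field, attr in field_mappings.items() if attr in record}


def split_csv(value) -> list:
    """Comma-separated values with surrounding whitespace stripped."""
    if not value:
        return []
    return [item.strip() for item in str(value).split(",") if item.strip()]


def resolve_groups(record: dict, cfg: dict, existing: set) -> dict:
    """Static groups from securityGroups always apply. With
    externalGroupsManagement enabled, the comma-delimited names in
    externalGroupsPropertyName are added as well, but only those that already
    exist in Magnolia; unknown names are reported rather than created."""
    assigned = set(split_csv(cfg.get("securityGroups")))
    unmatched = []
    if cfg.get("externalGroupsManagement"):
        prop = cfg.get("externalGroupsPropertyName", "usergroups")
        for name in split_csv(record.get(prop)):
            if name in existing:
                assigned.add(name)
            else:
                unmatched.append(name)
    return {"groups": sorted(assigned), "unmatched": unmatched, "roles": split_csv(cfg.get("securityRoles"))}


def build_user(payload: dict, cfg: dict, existing: set, array_name: str = None) -> dict:
    record = unwrap(payload, array_name)
    user = map_fields(record, cfg["fieldMappings"])
    user.update(resolve_groups(record, cfg, existing))
    return user


if __name__ == "__main__":
    print(build_user(FLAT_USERINFO, CONFIG, EXISTING_GROUPS))
    array_cfg = dict(CONFIG, fieldMappings={"name": "display_name", "email": "active_email"},
                     externalGroupsManagement=False)
    print(build_user(ARRAY_USERINFO, array_cfg, EXISTING_GROUPS, array_name="users"))
```

The "unmatched" list is worth logging in practice: a group name that the identity provider sends but that was never created in the Security app silently grants nothing, which looks like a broken login from the user's side.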
