Details
Improvement
Resolution: Fixed
Description
We found misleading configuration indications and found the problem as follows.
In the chapter https://docs.magnolia-cms.com/magnolia-sso/3.1.0/index.html#_prerequisites where the configuration of the Group Membership mapper in Keycloak is shown, it is indicated to keep the Full group path flag ON (in the screenshot).
With this setting, the Magnolia module will not receive the group name (e.g. "magnolia-sre") but the group path (i.e. "/magnolia-sre").
Hence the mapping suggested in the YAML config (at point 5) will not match.
Should change "magnolia-sre" to "/magnolia-sre", or alternatively maintain "magnolia-sre" but disable the "Full group path" flag in Keycloak.
{{path: /.magnolia/admincentral
callbackUrl: http://localhost:8080/.auth
postLogoutRedirectUri: http://localhost:8080/.magnolia/admincentral
authorizationGenerators:
  - name: groupsAuthorization
    groups:
      mappings:
        - name: /magnolia-sre
          targetGroups:
            - publishers
          targetRoles:
            - ...}}
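
The mismatch reported above can be checked before deployment by comparing the mapping names with the groups claim of a real token. The following is an added example, not code from the ticket or from the Magnolia SSO module; it assumes mapping names are matched against the claim by exact string equality, and the function names and sample values are constructed for illustration.

```python
# Added illustration. Assumption: mapping names are compared to the entries of
# the token's "groups" claim by exact string equality.

def resolve(claim_groups, mappings):
    """Return the (targetGroups, targetRoles) granted by exact-name matches."""
    groups, roles = set(), set()
    for m in mappings:
        if m["name"] in claim_groups:
            groups.update(m.get("targetGroups", []))
            roles.update(m.get("targetRoles", []))
    return groups, roles

def lint(claim_groups, mappings):
    """Return (mapping name, reason) for each mapping that matches nothing."""
    by_leaf = {g.rsplit("/", 1)[-1]: g for g in claim_groups if g.startswith("/")}
    bare = {g for g in claim_groups if not g.startswith("/")}
    findings = []
    for m in mappings:
        name = m["name"]
        if name in claim_groups:
            continue
        if name in by_leaf:
            reason = (f"claim carries full path {by_leaf[name]!r}: use it as the "
                      "mapping name or disable 'Full group path'")
        elif name.startswith("/") and name.rsplit("/", 1)[-1] in bare:
            reason = "claim carries bare names: drop the path or enable 'Full group path'"
        else:
            reason = "no such group in the claim"
        findings.append((name, reason))
    return findings

# Constructed sample data (targetRoles left out; the page elides them).
CLAIM_FULL_PATH_ON = ["/magnolia-sre"]    # Keycloak mapper with Full group path ON
CLAIM_FULL_PATH_OFF = ["magnolia-sre"]    # same mapper with the flag OFF
DOCUMENTED = [{"name": "magnolia-sre", "targetGroups": ["publishers"]}]
CORRECTED = [{"name": "/magnolia-sre", "targetGroups": ["publishers"]}]

if __name__ == "__main__":
    for label, claim, mappings in [
        ("flag ON,  documented mapping", CLAIM_FULL_PATH_ON, DOCUMENTED),
        ("flag ON,  corrected mapping", CLAIM_FULL_PATH_ON, CORRECTED),
        ("flag OFF, documented mapping", CLAIM_FULL_PATH_OFF, DOCUMENTED),
    ]:
        print(label, "->", resolve(claim, mappings)[0], lint(claim, mappings))
```

Under that assumption the documented mapping grants nothing when the flag is ON, so the user authenticates but ends up without the mapped groups.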