Details
New Feature
Resolution: Unresolved
Medium
Description
Hello SSO Team,
Our PaaS client BLKB (partner JLS) is looking for a solution for the following scenario:
- They want to secure their intranet page (www.blkb.ch/mitarbeiter) using the SSO module, while still being able to access the author and public AdminCentral in any way.
- They use magnolia-sso-3.0.0
- The issue is reproducible with a login of any tested Keycloak user, so it's not a mapping issue
The Workaround:
- Use two different SSO configs for Author/Publics (see below for the Public)
- Both have set the `defaultBaseURL` to "www.blkb.ch" to work with relative paths
- Author is working fine and will redirect to "/.magnolia/admincentral" after login
- Public is also working as expected for the intranet login "/mitarbeiter", but it's no longer possible to access any public's AdminCentral (not even on IP level, because of the redirect)
Bug?:
- Is a bug preventing access (see the provided screenshot), or is (as expected) a redirect preventing AdminCentral from being reached anyway?
The ServiceRequest:
- Can we solve this issue by supporting more than one redirect URL, or at least by bypassing SSO for some URLs based on the config (`path: /mypath` AND `path: /.magnolia/admincentral` instead of just one)? Using local users would be totally fine (ServiceRequest)
- Can we enable multiple configs for different URL requests (split the config on the `path:` level, i.e. "/mitarbeiter" and "/xyz")?
- This would also allow using different clients, even on path level
- Can we distinguish by different `authorizationGenerators`, as it is already a list, and use group matching to resolve the request routing after authentication? (An idea I'm not really convinced of, but it would be an option too.)
I know that using the SSO module to secure an intranet this way is not ideal or the intended way, but do you see any other option to achieve this with the SSO module currently?
Please get in touch with me on more details to find a solution.
Thank you!
Seb
From the original ticket:
Hello,
after we changed the config.yaml file for SSO as follows, we are no longer able to access the https://www.blkb.ch/.magnolia/admincentral URL, we just get a 401:
# SSO module config.yaml (magnolia-sso-3.0.0) as deployed on the public instance
path: /mitarbeiter                  # path secured by SSO (the intranet)
callbackUrl: /.auth                 # relative to defaultBaseURL (www.blkb.ch)
postLogoutRedirectUri: /mitarbeiter
authorizationGenerators:
  - name: groupsAuthorization
    groups:
      mappings:
        # IdP group name -> Magnolia groups / roles assigned after login
        - name: superuser
          targetGroups:
            - publishers
          targetRoles:
            - superuser
        - name: publisher
          targetGroups:
            - publishers
          targetRoles:
            - publisher
        - name: editor
          targetGroups:
            - editors
          targetRoles:
            - editor
        - name: mitarbeiter
          targetRoles:
            - mitarbeiter
clients:
  oidc.id: magnolia
  oidc.secret: secret               # client secret; keep it out of version control
  oidc.scope: openid email profile
  oidc.discoveryUri: https://id.magnolia-platform.com/auth/realms/blkb/.well-known/openid-configuration
  oidc.preferredJwsAlgorithm: RS256
  oidc.authorizationGenerators: groupsAuthorization
userFieldMappings:
  name: email                       # Magnolia user name is derived from the email claim
  removeEmailDomainFromUserName: true
  removeSpecialCharactersFromUserName: false
  fullName: name
  email: email
  language: locale
If we try to access the page https://www.blkb.ch/mitarbeiter we can see the login form, but once I'm logged in with a superuser account, if I try to access the page https://www.blkb.ch/.magnolia/admincentral I get the error shown in the attached screenshot.
Can you please help me with that?
Thanks,
Luigi
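Added illustration (not code from the Magnolia SSO module or from either ticket author): the first part plays through the `groupsAuthorization` mappings quoted above for a Keycloak user, assuming each mapping's `name` is the group name the IdP delivers; the second part sketches the path-level split between several SSO configs plus an SSO-free bypass list that the service request asks for. That routing is hypothetical and is not described on this page as a feature of magnolia-sso-3.0.0; the config dicts and request paths are constructed for the example.

```python
# Mappings transcribed from the posted config.yaml. Assumption: `name` is the
# group name sent by the IdP (Keycloak), not a Magnolia-side name.
MAPPINGS = [
    {"name": "superuser", "targetGroups": ["publishers"], "targetRoles": ["superuser"]},
    {"name": "publisher", "targetGroups": ["publishers"], "targetRoles": ["publisher"]},
    {"name": "editor", "targetGroups": ["editors"], "targetRoles": ["editor"]},
    {"name": "mitarbeiter", "targetRoles": ["mitarbeiter"]},
]


def resolve_authorizations(mappings, idp_groups):
    """Union of target groups and roles for every IdP group that has a mapping.
    IdP groups without a mapping are ignored; a user matching nothing ends up
    with no groups and no roles, so the login itself is not what fails."""
    by_name = {m["name"]: m for m in mappings}
    groups, roles = set(), set()
    for g in idp_groups:
        m = by_name.get(g)
        if m is None:
            continue
        groups.update(m.get("targetGroups", []))
        roles.update(m.get("targetRoles", []))
    return groups, roles


def path_covers(configured_path, request_path):
    """True when request_path equals configured_path or lies below it.
    Matching on a segment boundary keeps /mitarbeiterxyz from matching
    /mitarbeiter, which a plain startswith() would allow."""
    base = configured_path.rstrip("/")
    return request_path == base or request_path.startswith(base + "/")


# Hypothetical routing for the requested feature: several configs, each scoped
# by its own `path`, and a list of paths that skip SSO entirely (left to local
# Magnolia users). Longest matching path wins so nested scopes work.
CONFIGS = [
    {"name": "intranet", "path": "/mitarbeiter"},
    {"name": "xyz", "path": "/xyz"},
]
BYPASS_PATHS = ["/.magnolia/admincentral"]


def select_config(configs, bypass_paths, request_path):
    """Name of the config whose `path` is the longest match for request_path,
    or None when the request is bypassed or outside every configured path."""
    if any(path_covers(p, request_path) for p in bypass_paths):
        return None
    best = None
    for cfg in configs:
        if path_covers(cfg["path"], request_path):
            if best is None or len(cfg["path"]) > len(best["path"]):
                best = cfg
    return best["name"] if best else None


if __name__ == "__main__":
    print(resolve_authorizations(MAPPINGS, ["superuser", "mitarbeiter"]))
    for p in ["/mitarbeiter/news", "/.magnolia/admincentral", "/xyz", "/other"]:
        print(p, "->", select_config(CONFIGS, BYPASS_PATHS, p))
```

The bypass check runs before any config is matched, which is the ordering that matters for the AdminCentral case in the ticket: a request to `/.magnolia/admincentral` must never be handed to the OIDC client, regardless of which path-scoped config would otherwise claim it.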