Single Sign On / MGNLSSO-305

public admincentral on PROD not anymore accessible


Details

    • Type: New Feature
    • Resolution: Unresolved
    • Priority: Medium

    Description

      Hello SSO Team,

      our PaaS Client BLKB (Partner JLS) is looking for a solution to solve the following scenario:

      • They want to secure their Intranet Page (www.blkb.ch/mitarbeiter) using the SSO Module, while still being able to access author and public admincentral in any way.
      • They use magnolia-sso-3.0.0
      • The issue is reproducible with a login of any tested Keycloak user, so it's not a mapping issue

      The Workaround:

      • Use two different SSO configs for Author/Publics (see below for the Public)
      • Both have set the `defaultBaseURL` to "www.blkb.ch" to work with relative paths
      • Author is working fine and will redirect to "/.magnolia/admincentral" after login
      • Public is also working as expected for the Intranet login "/mitarbeiter" but it's not possible to access any Public's Admincentral any more (even on IP level because of the redirect)

      Bug?:

      • Is a bug preventing access (check the provided screenshot), or is it, as expected, a redirect that prevents the admincentral from being reached at all?

      The ServiceRequest:

      • Can we solve this issue by supporting more than one redirect URL, or at least by bypassing SSO for some URLs based on the config (`path: /mypath` AND `path: /.magnolia/admincentral` instead of just one)? Using local users would be totally fine (ServiceRequest)
      • Can we enable multiple configs for different URL requests (split the config on 'path:' level, i.e. "/mitarbeiter" and "/xyz")?
        • This would also allow using different clients, even on path level
      • Can we distinguish by different 'authorizationGenerators' (as it is already a list) and use group matching to resolve the request routing after authentication? (An idea I'm not really convinced by, but that would be an option too)

      I know that using the SSO Module to secure an Intranet that way is not ideal or the supposed way, but do you see any other option to achieve this with the SSO Module currently?

      Please get in touch with me for more details to find a solution.

      Thank you!
      Seb

      From the original ticket:


      Hello,

      after we changed the config.yaml file for SSO like this, we are no longer able to access the https://www.blkb.ch/.magnolia/admincentral url, we just get a 401:

      path: /mitarbeiter
      callbackUrl: /.auth
      postLogoutRedirectUri: /mitarbeiter
      authorizationGenerators:
        - name: groupsAuthorization
          groups:
            mappings:
              - name: superuser
                targetGroups:
                  - publishers
                targetRoles:
                  - superuser
              - name: publisher
                targetGroups:
                  - publishers
                targetRoles:
                  - publisher
              - name: editor
                targetGroups:
                  - editors
                targetRoles:
                  - editor
              - name: mitarbeiter
                targetRoles:
                  - mitarbeiter
      
      clients:
        oidc.id: magnolia
        oidc.secret: secret
        oidc.scope: openid email profile
        oidc.discoveryUri: https://id.magnolia-platform.com/auth/realms/blkb/.well-known/openid-configuration
        oidc.preferredJwsAlgorithm: RS256
        oidc.authorizationGenerators: groupsAuthorization
      
      userFieldMappings:
        name: email
        removeEmailDomainFromUserName: true
        removeSpecialCharactersFromUserName: false
        fullName: name
        email: email
        language: locale
      

      If we try to access the page https://www.blkb.ch/mitarbeiter we can see the login form, but once I'm logged in with a superuser account, if I try to access the page https://www.blkb.ch/.magnolia/admincentral I get the error shown in the attached screenshot.

      Can you please help me on that?

      Thanks,

      Luigi
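An added example (not code from the ticket or from the Magnolia SSO module) that re-implements, under stated assumptions, what the `groupsAuthorization` mapping and the single `path:` in the config above are expected to do, so the effect of that config can be checked offline. It assumes a mapping entry's `name` is matched against the group names in the user's ID token, that a user matching several entries receives the union, and that `path:` is a path-prefix match; `PROTECTED_PATH`, `resolve_authorization`, `is_sso_protected` and `audit_mappings` are hypothetical names.

```python
# Added example; not the Magnolia SSO module's implementation.
# Assumption: a mapping's `name` is compared with the user's IdP group names,
# and `path:` selects requests by path prefix.

# Constructed literal mirroring the `authorizationGenerators` block of the ticket's config.yaml.
MAPPINGS = [
    {"name": "superuser", "targetGroups": ["publishers"], "targetRoles": ["superuser"]},
    {"name": "publisher", "targetGroups": ["publishers"], "targetRoles": ["publisher"]},
    {"name": "editor", "targetGroups": ["editors"], "targetRoles": ["editor"]},
    {"name": "mitarbeiter", "targetRoles": ["mitarbeiter"]},
]

PROTECTED_PATH = "/mitarbeiter"  # the one `path:` the ticket's config allows


def resolve_authorization(user_groups, mappings=MAPPINGS):
    """Return (groups, roles) a user with the given IdP groups would receive."""
    groups, roles = set(), set()
    for entry in mappings:
        if entry["name"] in user_groups:
            groups.update(entry.get("targetGroups", []))
            roles.update(entry.get("targetRoles", []))
    return sorted(groups), sorted(roles)


def is_sso_protected(request_path, protected=PROTECTED_PATH):
    """True if the request falls under the configured `path:` (segment-aware prefix)."""
    base = protected.rstrip("/")
    return request_path == base or request_path.startswith(base + "/")


def audit_mappings(mappings=MAPPINGS, privileged_roles=("superuser",)):
    """List the IdP group names that the config elevates to a privileged Magnolia role."""
    wanted = set(privileged_roles)
    return sorted(e["name"] for e in mappings if wanted & set(e.get("targetRoles", [])))


if __name__ == "__main__":
    print(resolve_authorization(["mitarbeiter"]))          # ([], ['mitarbeiter'])
    print(is_sso_protected("/.magnolia/admincentral"))     # False: not under `path:`
    print(audit_mappings())                                # ['superuser']
```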

      People

        Assignee: Unassigned
        Reporter: sklingberg Sebastian Klingberg
        Votes: 1
        Watchers: 3
