Goal

SSO 4.0.0 module intends to replace and, over time, render sso-login-extension incubator module unnecessary. Therefore, customers will need to move from using sso-login-extension incubator to SSO 4.0.0.

Because of the different way sso-login-extension and SSO 4.0.0 work when protecting URLs  by login (i.e. public URLs for public users for “member-only sections”), additional configuration changes are needed to re-create the effect of the sso-login-extension module with SSO 4.0.0.

A good way of covering this topic would be a simple "How to" article, describing the differences in the way both modules work and provide steps to migrate / transform configuration from one module to the other.

Doc updates

• Add warning to 63 RN
• Add warning to 4.0 changelog
• Point to Teresa's doc https://docs.magnolia-cms.com/sso-login-extension/#_uninstalling
• Get a groovy script from Evzen to complement it (change of two or three properties)
• Info: SSO 4.0 is not compatible with the SSO Login Extension module (incubator). If you install 6.3 and use the SSO Login Extension module and want to use the (unbundled) SSO module, you must remove the SSO Login Extension module (incubator) before adding or upgrading to SSO module 4.0.

What customer needs to do

Steps to complete, in this order:

1. Uninstall the sso-login-extension module
2. Remove its configuration (Could be done via Groovy script)
3. Install the SSO 4.0.x module 
4. Reconfigure the SSO 4.0.x module to achieve the same behaviour as previously with sso-login-extension

Configuration changes needed

• sso-login-extension incubator uses JCR configuration to define paths to be protected by login. However SSO 4.0.0 module uses roles that deny access to a specific part of the site, effectively protecting them by login.