- New Feature
- Resolution: Fixed
- Neutral
- 2.0
- None
- Empty
- Yes
- Yes
- AdminX 37, AdminX 47
Goal & problem statement
Plenty of customers report that once they enable the SSO module on their Magnolia installations, they can no longer log in to their instance if the IdP used by SSO becomes temporarily unavailable. All users are completely locked out of the instance, so even if there is an urgent need to access AdminCentral, this is not possible until the IdP is available again.
Let's solve this problem.
Original request from luke.trueman:
Customers want to have a backup way to get access into the instance with JCR auth; they don't want to rely 100% on an external identity provider. They also want to use SSO, but not every user is in their SSO, e.g. an SEO agency may need access, etc., so having the Magnolia users available would be beneficial.
I know we offer a workaround using a mock Docker server/Node server, but this doesn't always cover the use case.
Potential approach
lfischer suggests solving this with multiple login handlers, which allow a custom IdP AND local users to be used at the same time. The local users are configured on the Magnolia instance and serve as a backup login path for situations in which the IdP used for SSO is not available.
He has already prepared a repo containing support for multiple login handlers: https://git.magnolia-cms.com/users/lfischer/repos/magnolia-sso-extended/browse
Documentation: https://git.magnolia-cms.com/users/lfischer/repos/magnolia-sso-extended/browse/_extended_docs
The suggested approach is to enable support for multiple login handlers (i.e. a custom IdP AND local users) if the customer decides to turn this on for emergency situations. This feature could be made part of the core MGNLSSO module.
Discovery
We can follow the approach above to enable the default login and the SSO login at the same time for SSO v2. In addition, we can introduce a configuration switch to enable or disable the default login.
For SSO v3 this may need to be verified against the SaaS setup, but the same approach should still apply.
UPDATE 23.11.2022: Additional idea by lfischer on how to solve this is available in the sso-extended docs: https://git.magnolia-cms.com/users/lfischer/repos/magnolia-sso-extended/browse/_extended_docs
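As an added illustration of the multi-handler idea (example code written for this page, not Magnolia's LoginHandler, LoginFilter or JCR user-manager APIs; all class names, the `defaultLoginEnabled` switch and the sample accounts are hypothetical), the chain below runs an IdP-backed handler first and a local handler second. The check worth carrying into any real implementation: an unreachable IdP lets the next handler run, but an IdP that answers and rejects the assertion ends the chain, so the local password path never becomes a way around an SSO decision. The local path is also off unless explicitly enabled and every use of it is recorded, because it bypasses whatever MFA the IdP enforces.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

/**
 * Illustrative login-handler chain for "SSO plus local emergency login".
 * Every type here is a hypothetical stand-in; none of them is a Magnolia API.
 */
public class FallbackLoginChain {

    /** SUCCESS: authenticated. FAILURE: a handler decided "no", stop the chain.
     *  SKIP: handler not responsible for this request, or its backend is unavailable; try the next one. */
    enum Status { SUCCESS, FAILURE, SKIP }

    record Result(Status status, String userId, String reason) {
        static Result success(String userId) { return new Result(Status.SUCCESS, userId, null); }
        static Result failure(String reason) { return new Result(Status.FAILURE, null, reason); }
        static Result skip(String reason)    { return new Result(Status.SKIP, null, reason); }
    }

    /** Constructed request: an IdP callback carries an assertion, a form post carries credentials. */
    record LoginRequest(String assertion, String username, String password) {}

    interface LoginHandler {
        Result handle(LoginRequest request);
    }

    /** Stand-in for the IdP-backed (Pac4j-style) handler; IdP state is injected for the demo. */
    static final class SsoLoginHandler implements LoginHandler {
        private final boolean idpReachable;
        private final Map<String, String> validAssertions; // assertion -> subject, simulated IdP answer

        SsoLoginHandler(boolean idpReachable, Map<String, String> validAssertions) {
            this.idpReachable = idpReachable;
            this.validAssertions = validAssertions;
        }

        @Override public Result handle(LoginRequest r) {
            if (r.assertion() == null) return Result.skip("not an SSO callback");
            if (!idpReachable)         return Result.skip("IdP unreachable");   // outage: let the next handler run
            String subject = validAssertions.get(r.assertion());
            return subject != null ? Result.success("sso:" + subject)
                                   : Result.failure("IdP rejected assertion"); // definitive "no": never fall through
        }
    }

    /** Stand-in for the local (JCR-style) form login, gated by the proposed configuration switch. */
    static final class LocalLoginHandler implements LoginHandler {
        private final boolean defaultLoginEnabled;          // hypothetical switch from the Discovery section
        private final Map<String, String> localUsers;       // username -> password; demo only, a real store holds salted hashes
        final List<String> auditLog = new ArrayList<>();    // every fallback login is recorded

        LocalLoginHandler(boolean defaultLoginEnabled, Map<String, String> localUsers) {
            this.defaultLoginEnabled = defaultLoginEnabled;
            this.localUsers = localUsers;
        }

        @Override public Result handle(LoginRequest r) {
            if (!defaultLoginEnabled) return Result.skip("local login disabled");
            if (r.username() == null || r.password() == null) return Result.skip("no form credentials");
            String expected = localUsers.get(r.username());
            boolean ok = expected != null && MessageDigest.isEqual(          // constant-time comparison
                    expected.getBytes(StandardCharsets.UTF_8), r.password().getBytes(StandardCharsets.UTF_8));
            if (!ok) return Result.failure("bad local credentials");
            auditLog.add("local-login user=" + r.username());
            return Result.success("local:" + r.username());
        }
    }

    /** Runs the handlers in order and stops at the first SUCCESS or FAILURE. */
    static Result authenticate(List<LoginHandler> chain, LoginRequest request) {
        for (LoginHandler h : chain) {
            Result res = h.handle(request);
            if (res.status() != Status.SKIP) return res;
        }
        return Result.failure("no handler accepted the request");
    }

    public static void main(String[] args) {
        Map<String, String> localUsers = Map.of("emergency-admin", "correct horse battery staple");
        LocalLoginHandler local = new LocalLoginHandler(true, localUsers);
        LoginRequest formPost = new LoginRequest(null, "emergency-admin", "correct horse battery staple");

        // 1. IdP down: the SSO handler skips and the local emergency account still gets in.
        System.out.println(authenticate(List.of(new SsoLoginHandler(false, Map.of()), local), formPost));

        // 2. IdP up and rejecting the assertion: FAILURE stops the chain, the local password is never consulted.
        SsoLoginHandler ssoUp = new SsoLoginHandler(true, Map.of("tok-1", "alice"));
        System.out.println(authenticate(List.of(ssoUp, local),
                new LoginRequest("bogus", "emergency-admin", "correct horse battery staple")));

        // 3. Switch off: only the SSO path is accepted, the same form post is refused.
        LocalLoginHandler off = new LocalLoginHandler(false, localUsers);
        System.out.println(authenticate(List.of(ssoUp, off), new LoginRequest("tok-1", null, null)));
        System.out.println(authenticate(List.of(ssoUp, off), formPost));
        System.out.println("audit: " + local.auditLog);
    }
}
```

Run with `java FallbackLoginChain.java` (Java 16 or newer, for records). The ordering matters: the local handler must sit after the SSO handler, and the SSO handler must return FAILURE rather than SKIP for anything the IdP actually rejected; otherwise an attacker who cannot get past the IdP simply retries with a local password.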
- depends upon
  - MAGNOLIA-9200 Add the renewSession and logout functionality to LoginHandler and support LoginHandlers for LogoutFilter (Closed)
- is duplicated by
  - MGNLSSO-266 Multi type login - SSO or Form Login (Closed)
  - MGNLSSO-106 Multiple login handlers (Closed)
  - MGNLSSO-284 SSO/JCR Login filter combined (Closed)
  - MGNLSSO-285 Multiple login modules (Closed)
  - MGNLSSO-297 Turn off SSO (Closed)
- is related to
  - MGNLSSO-207 Validate that Pac4j can work with multi-client configuration (Closed)
- relates to
  - MGNLSSO-320 Introduce a new SsoLoginHandler for delegating requests to Pac4j (Closed)
- to be documented by
  - MGNLSSO-331 DOC: How to use default Magnolia login as well as SSO login (Closed)
Sub-tasks
1. DOC: Multiple login handlers (Closed, Julie Legendre)