Single Sign On / MGNLSSO-96

Non-interactive SSO access to REST endpoints


    • Type: Task
    • Resolution: Done
    • Priority: Major
    • 3.0.0
    • AdminX 9, AdminX 10, AdminX 11

      Investigate allowing a 3rd party system (like a Node or Java server) to make an authenticated REST request to Magnolia based on a user/credentials managed in an IdP.

      See if we can get it to work, and document how it works.
      (Not product docs at this point, just internal tech notes.)

       Key requirement: SSO for REST Endpoints. Authenticated requests to Magnolia endpoints based on user in IdP / SSO.

      It should be just one "technical user" that is in their IdP system. (This user would be used to hit the Magnolia endpoints.)

      The security dept. at a customer has a general rule that all users and auth info should live in their one IdP. Makes sense.

       Key problem: Getting a redirection to the SSO login screen when trying to hit the endpoint. (Basically the same as when any unauthenticated person tries to log in: they get redirected to the SSO login screen.) They just want to be able to supply a token in a header of the request to the REST endpoint.

      Using Basic Auth now. It works, but the security team is not satisfied. Need something more secure.

      "Technical User" in their IdP (uses Groups in Magnolia).


      Basic desired flow: (roughly described, details might be incorrect!)

      • 3rd party system hits db-web-sso/F5/IdP service to login and get a JWT token.
      • 3rd party system hits the Magnolia endpoint with the token in a header.
      • Magnolia authenticates and authorizes the request, likely invoking the IdP's token introspection endpoint, then executes the endpoint with the appropriate permissions.
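      As an added illustration of this flow (not code from the Magnolia SSO module), the following Python sketch shows the decision a REST endpoint guard would make: a request without a bearer token keeps today's redirect to the SSO login screen, a bearer token is checked against the IdP's introspection result (RFC 7662 style, constructed here) and its groups are mapped to the group the endpoint requires. The token values, the `technical-user` subject and the `rest-clients` group are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

# Constructed sample of what an RFC 7662 introspection endpoint might return
# for tokens issued to the customer's "technical user" (values are made up).
SAMPLE_INTROSPECTION = {
    "tok-abc123": {"active": True, "sub": "technical-user",
                   "groups": ["rest-clients"], "scope": "rest:read"},
    "tok-editor": {"active": True, "sub": "some-editor", "groups": ["editors"]},
    "tok-expired": {"active": False},
}


def fake_introspect(token: str) -> dict:
    """Stand-in for the IdP introspection call; no network involved."""
    return SAMPLE_INTROSPECTION.get(token, {"active": False})


@dataclass
class Decision:
    action: str                  # "allow", "reject" or "redirect"
    status: int                  # HTTP status the guard would answer with
    subject: Optional[str] = None
    groups: tuple = ()


def authorize_rest_request(headers: Mapping[str, str],
                           introspect: Callable[[str], dict],
                           required_group: str = "rest-clients") -> Decision:
    """Decide how a REST request is handled based on its Authorization header."""
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not credential.strip():
        # No token: treat as an interactive client and send it to the SSO login,
        # which is the behaviour the ticket describes for unauthenticated requests.
        return Decision("redirect", 302)
    info = introspect(credential.strip())
    if not info.get("active"):
        # Token present but rejected by the IdP: a machine client must get a
        # plain 401, not a login page it cannot follow.
        return Decision("reject", 401)
    groups = tuple(info.get("groups", []))
    if required_group not in groups:
        # Authenticated, but the IdP groups do not grant this endpoint.
        return Decision("reject", 403, info.get("sub"), groups)
    return Decision("allow", 200, info.get("sub"), groups)


if __name__ == "__main__":
    print(authorize_rest_request({"Authorization": "Bearer tok-abc123"}, fake_introspect))
    print(authorize_rest_request({}, fake_introspect))
```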

      More information and context:
      https://wiki.magnolia-cms.com/display/TH2/Plan+for+SSO+API


        Acceptance criteria

              Nguyen Phung Chi (nguyen.phung)
              Christopher Zimmermann (czimmermann)
              AdminX
              Votes: 1
              Watchers: 12


                  Task DoR

                    Estimated: Not Specified
                    Remaining: Not Specified
                    Logged: 25d 7.5h