Project: Single Sign On
Issue: MGNLSSO-96

Non-interactive SSO access to REST endpoints


Details

    • Task
    • Resolution: Done
    • Major
    • 3.0.0
    • AdminX 9, AdminX 10, AdminX 11
    • 8

    Description

      Investigate allowing a 3rd party system (like a Node or Java server) to make an authenticated REST request to Magnolia based on a user/credentials managed in an IdP.

      See if we can get it to work, and document how it works.
      (Not product docs at this point, just internal tech notes.)

      Key requirement: SSO for REST endpoints, i.e. authenticated requests to Magnolia endpoints based on a user in the IdP / SSO.

      It should be just one "technical user" that exists in their IdP system. (This user would be used to hit the Magnolia endpoints.)

      The security department at the customer has a general rule that all users and auth info should live in their one IdP. Makes sense.

      Key problem: requests to the endpoint get redirected to the SSO login screen (the same as when any unauthenticated person tries to log in, they are redirected to the SSO login screen). They just want to be able to supply a token in a header of the request to the REST endpoint.

      Using Basic Auth now. It works, but the security team is not satisfied; they need something more secure.

      "Technical user" in their IdP (uses groups in Magnolia).

      Basic desired flow (roughly described, details might be incorrect!):

      • 3rd party system hits the db-web-sso/F5/IdP service to log in and get a JWT token.
      • 3rd party system hits the Magnolia endpoint with the token in a header.
      • Magnolia authenticates and authorizes the request, likely invoking the IdP's token introspection endpoint; then executes the endpoint with appropriate permissions.
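An added example (not the SSO module's own code) of the server-side decision the flow above implies: requests to REST paths under an assumed `/.rest/` prefix are answered with 401/403 for missing, inactive, expired or under-scoped bearer tokens instead of the SSO login redirect, while browser paths keep the redirect. The introspection lookup is a constructed stand-in for the IdP's RFC 7662 endpoint, and the scope name and group-to-role mapping are assumptions.

```python
"""Hypothetical bearer-token gate for REST endpoints (not Magnolia's SSO code)."""
import time

REST_PREFIX = "/.rest/"            # assumed path prefix of the REST endpoints
REQUIRED_SCOPE = "magnolia:rest"   # assumed scope the technical user must hold
GROUP_TO_ROLE = {"rest-clients": "rest-editor"}  # assumed IdP group -> Magnolia role

# Constructed stand-in for the IdP's token introspection endpoint. A real
# implementation POSTs the token to the IdP with the client's own credentials
# and reads the JSON response; only the response shape is mimicked here.
_FAKE_INTROSPECTION = {
    "good-token": {"active": True, "sub": "tech-user", "scope": "openid magnolia:rest",
                   "exp": 4102444800, "groups": ["rest-clients"]},
    "expired-token": {"active": True, "sub": "tech-user", "scope": "magnolia:rest",
                      "exp": 1, "groups": ["rest-clients"]},
    "no-scope-token": {"active": True, "sub": "tech-user", "scope": "openid",
                       "exp": 4102444800, "groups": []},
}


def introspect(token):
    """Return the introspection record for a token; unknown tokens are inactive."""
    return _FAKE_INTROSPECTION.get(token, {"active": False})


def authenticate(path, headers, now=None):
    """Decide redirect / challenge / reject / allow for one request."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not path.startswith(REST_PREFIX):
        # Interactive pages keep the existing SSO login redirect.
        return {"action": "redirect", "status": 302}
    if not auth.startswith("Bearer "):
        # API clients get a challenge, never a login page.
        return {"action": "challenge", "status": 401,
                "www_authenticate": 'Bearer realm="magnolia"'}
    info = introspect(auth[len("Bearer "):].strip())
    if not info.get("active") or info.get("exp", 0) <= now:
        return {"action": "reject", "status": 401,
                "www_authenticate": 'Bearer error="invalid_token"'}
    if REQUIRED_SCOPE not in info.get("scope", "").split():
        return {"action": "reject", "status": 403,
                "www_authenticate": 'Bearer error="insufficient_scope"'}
    # Map IdP groups to Magnolia roles; unknown groups grant nothing.
    roles = sorted({GROUP_TO_ROLE[g] for g in info.get("groups", []) if g in GROUP_TO_ROLE})
    return {"action": "allow", "status": 200, "principal": info["sub"], "roles": roles}
```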

      More information and context:
      https://wiki.magnolia-cms.com/display/TH2/Plan+for+SSO+API


              People

                nguyen.phung Nguyen Phung Chi
                czimmermann Christopher Zimmermann
                AdminX
                Time Tracking

                  Logged: 25d 7.5h