[MGNLSSO-207] Validate that Pac4j can work with multi-client configuration Created: 29/Nov/22  Updated: 17/Jan/23  Resolved: 17/Jan/23

Status: Closed
Project: Single Sign On
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Neutral
Reporter: Matt Rajkovic Assignee: Nguyen Phung Chi
Resolution: Done Votes: 0
Labels: None
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: Not Specified Time Spent: Not Specified
Σ Original Estimate: Not Specified Original Estimate: Not Specified

Issue Links:
relation
is related to MGNLSSO-84 Ability to use default Magnolia login...
Sub-Tasks:
Key          Summary                                    Type      Status     Assignee
MGNLSSO-213  Investigate and try to config multipl...   Sub-task  Completed  Nguyen Phung Chi
Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Date of First Response:
Epic Link: SSO support for custom IdPs
Sprint: AdminX 25, AdminX 26 Xmas & New year, AdminX 27
Story Points: 3
Team: AdminX
Work Started:

Description

Goal

  • Test if Pac4j can work with a multi-client configuration as a means to enable multiple login providers at the same time (e.g. LDAP and Azure) and fulfil https://jira.magnolia-cms.com/browse/MGNLSSO-84
  • If this works, we’ll add the local client with the same mechanism as the above ticket
  • If SAML "comes for free" as part of the implementation, great, but it's a nice-to-have, not really needed urgently


Comments
Comment by Nguyen Phung Chi [ 17/Jan/23 ]

I've tried to configure the SSO module with two Oidc clients (both are Keycloak running locally with completely different setups and ports).

So, there are 2 Oidc clients created in the Pac4j config, but it actually works as follows:

  1. The request hits SsoLoginFilter and is handled by the Pac4j security logic
  2. DefaultSecurityLogic#perform from Pac4j finds the clients via DefaultSecurityClientFinder, but this returns all clients most of the time, unless we specify a force_client request parameter
  3. Then it starts authentication with the first client found in the Clients list and redirects to the IdP login screen to handle the login (username/password matching).

For reference, please have a look at the link above.

In summary, that means the SSO module supports multiple-client config (also inspired by and supported by Pac4j), but in fact Pac4j always gets the first indirect client to proceed.

Maybe I didn't find the way to make it work, but it shouldn't be so tricky (at least from Pac4j).

I think we need to dive in deeper to find out the possibility/solution to support the use case.

cc ccantalapiedra, mgeljic, efochr
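The client-selection behaviour reported in the comment above, as an added stand-alone model (not pac4j's code and not part of the original ticket): without a force_client request parameter the finder returns every configured client and authentication starts with the first indirect one, so a second IdP is never reached; with force_client the named client is used, and a name that is not configured (or not on the optional allow-list, modelled after pac4j's defaultSecurityClients setting) is refused rather than quietly falling back to the first client. The client names, ports and URLs are constructed sample values standing in for the two local Keycloak instances.

```python
# Added example: a stand-alone model of the client selection described in the comment.
# It is NOT pac4j code; it imitates what DefaultSecurityClientFinder and
# DefaultSecurityLogic are reported to do (all clients unless force_client is set,
# then the first indirect client wins). Names and URLs are constructed sample values.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FORCE_CLIENT_PARAM = "force_client"  # request parameter named in the comment


@dataclass(frozen=True)
class IndirectClient:
    """A redirect-based login client (e.g. an OIDC client pointing at one Keycloak)."""
    name: str
    login_url: str  # constructed IdP authorization endpoint


@dataclass
class Clients:
    """The configured client list, in configuration order."""
    clients: List[IndirectClient]
    # Optional comma-separated allow-list of names (pac4j has a comparable
    # defaultSecurityClients setting); None means "no restriction".
    default_security_clients: Optional[str] = None

    def find_client(self, name: str) -> Optional[IndirectClient]:
        return next((c for c in self.clients if c.name == name), None)


def find_clients(clients: Clients, params: Dict[str, str]) -> List[IndirectClient]:
    """Model of DefaultSecurityClientFinder#find.

    - force_client present: return only that client; it must be configured and, if an
      allow-list exists, be on it. The model rejects an unknown or disallowed name
      instead of silently falling back to the first client.
    - force_client absent: return the allow-listed clients, or all clients when no
      allow-list is configured.
    """
    allowed: Optional[List[str]] = None
    if clients.default_security_clients:
        allowed = [n.strip() for n in clients.default_security_clients.split(",") if n.strip()]

    forced = params.get(FORCE_CLIENT_PARAM)
    if forced is not None:
        client = clients.find_client(forced)
        if client is None or (allowed is not None and client.name not in allowed):
            raise ValueError(f"client not allowed: {forced!r}")
        return [client]

    if allowed is not None:
        return [c for c in clients.clients if c.name in allowed]
    return list(clients.clients)


def select_redirect(clients: Clients, params: Dict[str, str]) -> Tuple[str, str]:
    """Model of the redirect step in DefaultSecurityLogic#perform: with no authenticated
    profile, authentication starts with the FIRST indirect client that was found."""
    candidates = find_clients(clients, params)
    if not candidates:
        raise ValueError("no security client available for this request")
    first = candidates[0]
    return first.name, first.login_url


# Constructed sample: two OIDC clients, mirroring the two local Keycloak instances.
SAMPLE_CLIENTS = Clients(
    clients=[
        IndirectClient("keycloak-a", "http://localhost:8081/realms/a/protocol/openid-connect/auth"),
        IndirectClient("keycloak-b", "http://localhost:8082/realms/b/protocol/openid-connect/auth"),
    ]
)

if __name__ == "__main__":
    # No force_client: every login lands on keycloak-a, whatever the user intended.
    print(select_redirect(SAMPLE_CLIENTS, {}))
    # force_client picks the second IdP explicitly.
    print(select_redirect(SAMPLE_CLIENTS, {FORCE_CLIENT_PARAM: "keycloak-b"}))
    # A mistyped or unconfigured name is refused rather than routed to a default.
    try:
        select_redirect(SAMPLE_CLIENTS, {FORCE_CLIENT_PARAM: "unknown"})
    except ValueError as exc:
        print("rejected:", exc)
```

The practical consequence for a login page is that each provider button has to carry its own force_client value, and the value must be checked against the configured client set server-side, which is the check find_clients performs here; the exact handling of an unknown name in a given pac4j release should be confirmed against that release's DefaultSecurityClientFinder.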

Generated at Mon Feb 12 10:52:06 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.