[MGNLSSO-277] Support SSO for specific domains Created: 27/Apr/23  Updated: 22/Nov/23

Status: Open
Project: Single Sign On
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Neutral
Reporter: Minh Nguyen Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2023-04-27-10-29-14-801.png
Issue Links:
Relates:
  relates to MGNLSSO-307 SSO module should support multiple do... Open
Duplicate:
  duplicates MGNLSSO-35 Allow Magnolia to be used as pac4j mi... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Date of First Response:

Description

We need to provide an SSO config option for domain-matching alongside the current path-matching.
The current SSO config only supports path-matching, so multisite domains can't be applied to SSO.

Example:
SSO Config:

path: /partner-portal
callbackUrl: !env ${MAGNOLIA_PARTNER_SSO_CALLBACK_BASE_URL}/.auth
postLogoutRedirectUri: !env ${MAGNOLIA_PARTNER_SSO_CALLBACK_BASE_URL}
authorizationGenerators:
  - name: fixedRoleAuthorization
    fixed:
      targetRoles:
        - partner
        - partner-extranet
  - name: groupsAuthorization # not any longer the fixedRoleAuthorization!
    groups:
      mappings:
        - name: magnolia-superusers # magnolia-superusers group in Okta
          targetRoles:
            - superuser
            - rest-admin
clients:
  oidc.id: !env ${MAGNOLIA_PARTNER_SSO_OIDCID}
  oidc.secret: !env ${MAGNOLIA_PARTNER_SSO_OIDCSECRET}
  oidc.clientAuthenticationMethod: client_secret_post
  oidc.scope: openid profile email groups
  oidc.discoveryUri: !env ${MAGNOLIA_PARTNER_SSO_DISCOVERY_URL}
  oidc.preferredJwsAlgorithm: RS256
  oidc.authorizationGenerators: fixedRoleAuthorization

userFieldMappings:
  name: name
  removeEmailDomainFromUserName: true
  removeSpecialCharactersFromUserName: false
  fullName: name
  email: email
  language: locale

Multisite config:
https://author.prod.corp-webpre.magnolia-platform.com/.magnolia/admincentral#app:definitions-app:overview;modules~multisite~sites~partner-portal::

If we hit https://www.magnolia-cms.com/partner-portal, it works properly.
If we hit https://partnerportal.magnolia-cms.com, SSO won't work.

Use-case: https://jira.magnolia-cms.com/browse/PTNRPRTL-40
We need to provide SSO for public instances under the path /partner-portal (not author) and on the multisite domain.

Thank you so much.
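As an added illustration (not code from this ticket or from the Magnolia SSO module), a minimal request matcher in Python that contrasts the current path-only matching with the requested domain matching, run against the two URLs from the description; the `domains` key is a hypothetical name assumed for this example, not an existing SSO config option:

```python
from urllib.parse import urlsplit

# Constructed configs for this example. "path" mirrors the ticket's SSO config;
# "domains" is a hypothetical key assumed here to illustrate domain matching.
PATH_ONLY_CONFIG = {"path": "/partner-portal"}
PATH_AND_DOMAIN_CONFIG = {
    "path": "/partner-portal",
    "domains": ["partnerportal.magnolia-cms.com"],
}


def path_matches(config, url):
    """Current behaviour: SSO applies only when the request path is the
    configured path or lies below it (so /partner-portalx does not match)."""
    path = urlsplit(url).path or "/"
    prefix = config["path"].rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def domain_matches(config, url):
    """Requested behaviour: SSO also applies when the request host is one of
    the configured multisite domains, regardless of path."""
    host = (urlsplit(url).hostname or "").lower()
    return host in {d.lower() for d in config.get("domains", [])}


def sso_applies(config, url):
    """True when the request should be routed through SSO under this config."""
    return path_matches(config, url) or domain_matches(config, url)


if __name__ == "__main__":
    # The two URLs from the ticket: the path-only config protects the first
    # but not the second; adding the domain closes that gap.
    for url in ("https://www.magnolia-cms.com/partner-portal",
                "https://partnerportal.magnolia-cms.com"):
        print(url, "path-only:", sso_applies(PATH_ONLY_CONFIG, url),
              "path+domain:", sso_applies(PATH_AND_DOMAIN_CONFIG, url))
```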


Generated at Mon Feb 12 10:52:44 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.