[MGNLSSO-305] public admincentral on PROD no longer accessible Created: 01/Sep/23  Updated: 24/Nov/23

Status: Open
Project: Single Sign On
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Medium
Reporter: Sebastian Klingberg Assignee: Unassigned
Resolution: Unresolved Votes: 1
Labels: LIVE
Remaining Estimate: 0d
Time Spent: Not Specified
Original Estimate: 0d


 Description   

Hello SSO Team,

our PaaS Client BLKB (Partner JLS) is looking for a solution to solve the following scenario:

  • They want to secure their Intranet Page (www.blkb.ch/mitarbeiter) using the SSO Module, while still being able to access author and public admincentral in any way.
  • They use magnolia-sso-3.0.0
  • Issue is reproducible with a login of any tested Keycloak user, so it's not a mapping issue

The Workaround:

  • Use two different SSO configs for Author/Publics (see below for the Public)
  • Both have set the `defaultBaseURL` to "www.blkb.ch" to work with relative paths
  • Author is working fine and will redirect to "/.magnolia/admincentral" after login
  • Public is also working as expected for the Intranet login "/mitarbeiter" but it's not possible to access any Public's Admincentral any more (even on IP level because of the redirect)

Bug?:

  • Is a bug preventing access (check the provided screenshot here), or is it (as expected) a redirect that prevents Admincentral from being reached anyway?

The ServiceRequest:

  • Can we solve this issue by supporting more than one redirect URL or at least bypass SSO with some URLs based on the Config (`path: /mypath` AND `path: /.magnolia/admincentral`; instead of just one). Using local Users would be totally fine (ServiceRequest)
  • Can we enable multiple Configs for different URL requests (split config on 'path:' level, ie. "/mitarbeiter" and "/xyz")? 
    • This would also allow to use different clients, even on Path Level 
  • Can we distinguish by different 'authorizationGenerators', as it already is a list and use GroupMatching to resolve the Request Routing after Authentication (an idea I'm not really convinced, but that would be an option too) 

I know that using the SSO Module to secure an Intranet that way is not ideal or the intended way, but do you see any other option to achieve this with the SSO Module currently?

Please get in touch with me on more details to find a solution.

Thank you!
Seb

From the original ticket:


Hello,

after we changed the config.yaml file for SSO like this we are no longer able to access the https://www.blkb.ch/.magnolia/admincentral url, we just get a 401:

path: /mitarbeiter
callbackUrl: /.auth
postLogoutRedirectUri: /mitarbeiter
authorizationGenerators:
  - name: groupsAuthorization
    groups:
      mappings:
        - name: superuser
          targetGroups:
            - publishers
          targetRoles:
            - superuser
        - name: publisher
          targetGroups:
            - publishers
          targetRoles:
            - publisher
        - name: editor
          targetGroups:
            - editors
          targetRoles:
            - editor
        - name: mitarbeiter
          targetRoles:
            - mitarbeiter

clients:
  oidc.id: magnolia
  oidc.secret: secret
  oidc.scope: openid email profile
  oidc.discoveryUri: https://id.magnolia-platform.com/auth/realms/blkb/.well-known/openid-configuration
  oidc.preferredJwsAlgorithm: RS256
  oidc.authorizationGenerators: groupsAuthorization

userFieldMappings:
  name: email
  removeEmailDomainFromUserName: true
  removeSpecialCharactersFromUserName: false
  fullName: name
  email: email
  language: locale

If we try to access the page https://www.blkb.ch/mitarbeiter we can see the login form, but once I'm logged in with a superuser account, if I try to access the page https://www.blkb.ch/.magnolia/admincentral I have the error shown in the screenshot attached.

Can you please help me on that?

Thanks,

Luigi



 Comments   
Comment by Sebastian Klingberg [ 01/Sep/23 ]

DefaultBaseURL set to "http://www.blkb.ch/"

SSO Config Author Instance:

I have no name!@prod-magnolia-helm-author-0:/usr/local/tomcat$ cat /mgnl-home/modules/magnolia-sso/config.yaml
path: /.magnolia/admincentral
callbackUrl: /.auth
postLogoutRedirectUri: /.magnolia/admincentral
authorizationGenerators:
  - name: groupsAuthorization
    groups:
      mappings:
        - name: superuser
          targetGroups:
            - publishers
          targetRoles:
            - superuser
        - name: publisher
          targetGroups:
            - publishers
          targetRoles:
            - publisher
        - name: editor
          targetGroups:
            - editors
          targetRoles:
            - editor
        - name: mitarbeiter
          targetRoles:
            - mitarbeiter
clients:
  oidc.id: magnolia
  oidc.secret: *****
  oidc.scope: openid email profile
  oidc.discoveryUri: https://id.magnolia-platform.com/auth/realms/blkb/.well-known/openid-configuration
  oidc.preferredJwsAlgorithm: RS256
  oidc.authorizationGenerators: groupsAuthorization

userFieldMappings:
  name: email
  removeEmailDomainFromUserName: true
  removeSpecialCharactersFromUserName: false
  fullName: name
  email: email
  language: locale 

SSO Config Publics:

I have no name!@prod-magnolia-helm-public-0:/usr/local/tomcat$ cat /mgnl-home/modules/magnolia-sso/config.yaml
path: /mitarbeiter
callbackUrl: /.auth
postLogoutRedirectUri: /mitarbeiter
authorizationGenerators:
  - name: groupsAuthorization
    groups:
      mappings:
        - name: superuser
          targetGroups:
            - publishers
          targetRoles:
            - superuser
        - name: publisher
          targetGroups:
            - publishers
          targetRoles:
            - publisher
        - name: editor
          targetGroups:
            - editors
          targetRoles:
            - editor
        - name: mitarbeiter
          targetRoles:
            - mitarbeiter

clients:
  oidc.id: magnolia
  oidc.secret: *****
  oidc.scope: openid email profile
  oidc.discoveryUri: https://id.magnolia-platform.com/auth/realms/blkb/.well-known/openid-configuration
  oidc.preferredJwsAlgorithm: RS256
  oidc.authorizationGenerators: groupsAuthorization

userFieldMappings:
  name: email
  removeEmailDomainFromUserName: true
  removeSpecialCharactersFromUserName: false
  fullName: name
  email: email
  language: locale 
Comment by Sebastian Klingberg [ 04/Sep/23 ]

Potential Solution would make use of different `AuthorizationGenerator` Groups following this example - copied from the docs:

# Use DefaultBaseURL for relative Paths in SSO Config
# Secure Magnolia (with SSO Client 1)
authenticationService:
  path: /.magnolia/admincentral 
  callbackUrl: /.auth 
  postLogoutRedirectUri: /.magnolia/admincentral 
  authorizationGenerators: 
    groupsAuthorizationGenerator:
      class: info.magnolia.sso.oidc.GroupsAuthorizationGenerator
      mappings:
        /magnolia-sre:
          roles:
            - superuser
          groups:
            - publishers
        /magnolia-publishers:
          roles:
            - travel-demo-publisher
          groups:
            - publishers
  pac4j: 
    oidc.id: magnolia-sso 
    oidc.secret: 2ff75b44-c7ef-4932-91c8-59e6ea5f35b6 
    oidc.scope: openid profile email 
    oidc.discoveryUri: https://<YOUR_OIDC_IDP_DOMAIN>/…/.well-known/openid-configuration 
    oidc.preferredJwsAlgorithm: RS256 

# Secure CustomerSite (with different SSO Client 2)
authenticationService:
  path: /securesite
  callbackUrl: /.auth 
  postLogoutRedirectUri: /securesite
  authorizationGenerators: 
    groupsAuthorizationGenerator:
      class: info.magnolia.sso.oidc.GroupsAuthorizationGenerator
      mappings:
        /securesite-iam:
          roles:
            - securerole
          groups:
            - intranetusers
  pac4j: 
    oidc.id: customer-sso 
    oidc.secret: 2ff75b44-c7ef-4932-91c8-1111111111
    oidc.scope: openid profile email 
    oidc.discoveryUri: https://customer.com/…/.well-known/openid-configuration 
    oidc.preferredJwsAlgorithm: RS256  
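Added worked example (not Magnolia's or pac4j's code, and not part of the ticket): a small model of the settings discussed above, covering the single-`path` public config from the description and the "one config per protected path" shape requested in this comment. It shows which requests each config's `path` covers, what the posted groupsAuthorization mappings grant a user for given Keycloak groups, and what user name the posted userFieldMappings (name: email, removeEmailDomainFromUserName: true) derive from the email claim. The segment-aware prefix matching, the longest-prefix rule and the user-name derivation are assumptions about how such settings behave, not the module's source, and the model does not explain the observed 401 on admincentral, which is the open question of the ticket.

```python
"""Model of path-scoped SSO configs and the posted authorization/user-name mappings.

Assumptions (not taken from the module's source): a config gates requests whose path is
equal to or a sub-path of its `path`; with several configs the longest prefix wins; the
user name is the email claim with the domain stripped when removeEmailDomainFromUserName
is true.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    idp_group: str          # group name in the Keycloak token
    target_groups: tuple    # Magnolia groups granted
    target_roles: tuple     # Magnolia roles granted


@dataclass(frozen=True)
class SsoConfig:
    name: str
    path: str               # URL prefix protected by this config
    post_logout_redirect_uri: str
    mappings: tuple


# Transcribed from the public-instance config.yaml posted in the ticket.
BLKB_MAPPINGS = (
    Mapping("superuser", ("publishers",), ("superuser",)),
    Mapping("publisher", ("publishers",), ("publisher",)),
    Mapping("editor", ("editors",), ("editor",)),
    Mapping("mitarbeiter", (), ("mitarbeiter",)),
)

# Today: a single config on the public instance.
PUBLIC_TODAY = (SsoConfig("intranet", "/mitarbeiter", "/mitarbeiter", BLKB_MAPPINGS),)

# Hypothetical shape of the requested feature: one config per protected path.
PUBLIC_SPLIT = PUBLIC_TODAY + (
    SsoConfig("admincentral", "/.magnolia/admincentral", "/.magnolia/admincentral", BLKB_MAPPINGS),
)


def _under(request_path: str, prefix: str) -> bool:
    """Segment-aware prefix match (assumed): '/mitarbeiter' must not cover '/mitarbeiterX'."""
    prefix = prefix.rstrip("/")
    return request_path == prefix or request_path.startswith(prefix + "/")


def gating_config(configs, request_path):
    """Config whose `path` covers the request, longest prefix winning; None means not SSO-gated."""
    hits = [c for c in configs if _under(request_path, c.path)]
    return max(hits, key=lambda c: len(c.path)) if hits else None


def resolve_authorization(mappings, idp_groups):
    """Magnolia groups and roles granted for the Keycloak groups claim, per the posted mappings."""
    groups, roles = set(), set()
    for m in mappings:
        if m.idp_group in idp_groups:
            groups.update(m.target_groups)
            roles.update(m.target_roles)
    return frozenset(groups), frozenset(roles)


def derive_username(email, remove_email_domain=True, remove_special_characters=False):
    """User name per userFieldMappings (name: email plus the two flags), read literally."""
    name = email.split("@", 1)[0] if remove_email_domain else email
    if remove_special_characters:
        name = "".join(ch for ch in name if ch.isalnum())
    return name


def username_collisions(emails, **flags):
    """Distinct email claims that collapse onto one Magnolia user name (constructed inputs)."""
    by_name = {}
    for e in emails:
        by_name.setdefault(derive_username(e, **flags), []).append(e)
    return {n: es for n, es in by_name.items() if len(es) > 1}


if __name__ == "__main__":
    for path in ("/mitarbeiter/news", "/.magnolia/admincentral", "/mitarbeiterX"):
        today = gating_config(PUBLIC_TODAY, path)
        split = gating_config(PUBLIC_SPLIT, path)
        print(f"{path:26} today={str(today.name if today else None):12} "
              f"split={split.name if split else None}")
    print(resolve_authorization(BLKB_MAPPINGS, ["mitarbeiter"]))
    # Constructed sample: two different email claims, one resulting user name.
    print(username_collisions(["luigi@blkb.ch", "luigi@example.org"]))
```

The collision check is the caveat a reviewer would add to the posted `userFieldMappings`: with the domain stripped, two distinct IdP identities whose email local parts match become the same Magnolia user, so the realm behind the discoveryUri must be the only source of email claims, or the mapping needs a claim that is unique without the domain.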
Comment by Sebastian Klingberg [ 23/Nov/23 ]

Hello, any updates here? dmaslanka, could you maybe take this up again? Maybe it has been solved in the meantime..

Generated at Mon Feb 12 10:53:01 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.