[MGNLSSO-305] public admincentral on PROD not anymore accessible
Created: 01/Sep/23    Updated: 24/Nov/23

Status: Open
Project: Single Sign On
Component/s: None
Affects Version/s: None
Fix Version/s: None
Type: New Feature
Priority: Medium
Reporter: Sebastian Klingberg
Assignee: Unassigned
Resolution: Unresolved
Votes: 1
Labels: LIVE
Remaining Estimate: 0d
Time Spent: Not Specified
Original Estimate: 0d
Issue Links:
Template:
Acceptance criteria: Empty

Description
Hello SSO Team, our PaaS Client BLKB (Partner JLS) is looking for a solution to solve the following scenario:

The Workaround:

Bug?:

The ServiceRequest:

I know that using the SSO Module to secure an Intranet that way is not ideal or a supposed way, but do you see any other option to achieve this with the SSO Module currently? Please get in touch with me for more details to find a solution. Thank you!

From the original ticket:

Hello, after we changed the config.yaml file for SSO like this, we are not able to access the https://www.blkb.ch/.magnolia/admincentral URL anymore, we just get a 401:

path: /mitarbeiter
callbackUrl: /.auth
postLogoutRedirectUri: /mitarbeiter
authorizationGenerators:
  - name: groupsAuthorization
    groups:
      mappings:
        - name: superuser
          targetGroups:
            - publishers
          targetRoles:
            - superuser
        - name: publisher
          targetGroups:
            - publishers
          targetRoles:
            - publisher
        - name: editor
          targetGroups:
            - editors
          targetRoles:
            - editor
        - name: mitarbeiter
          targetRoles:
            - mitarbeiter
clients:
  oidc.id: magnolia
  oidc.secret: secret
  oidc.scope: openid email profile
  oidc.discoveryUri: https://id.magnolia-platform.com/auth/realms/blkb/.well-known/openid-configuration
  oidc.preferredJwsAlgorithm: RS256
  oidc.authorizationGenerators: groupsAuthorization
userFieldMappings:
  name: email
  removeEmailDomainFromUserName: true
  removeSpecialCharactersFromUserName: false
  fullName: name
  email: email
  language: locale

If we try to access the page https://www.blkb.ch/mitarbeiter we can see the login form, but once I'm logged in with a superuser account, if I try to access the page https://www.blkb.ch/.magnolia/admincentral I have the error shown in the screenshot attached. Can you please help me on that? Thanks, Luigi
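As an added illustration for the scenario above (not code from Magnolia or from this ticket), a small Python model of what the two configs do: the public instance's `path: /mitarbeiter` leaves `/.magnolia/admincentral` outside the protected prefix, while the author instance's config covers it. The prefix-match semantics, the function names and the `<redacted>` secret are assumptions; the config values are copied from the ticket. The `lint` check also verifies that the client's `oidc.authorizationGenerators` reference resolves to a defined generator and that every mapping assigns something, and `resolve` shows how the `groupsAuthorization` mappings turn IdP group names into Magnolia roles and groups.

```python
# Added illustration for this ticket, not Magnolia code: a small model of how a
# single `path` in the SSO config.yaml decides which requests are authenticated,
# plus a lint that flags the misconfiguration described in the ticket.
# ASSUMPTION: the SSO filter protects only URIs under `path` (prefix match), so a
# request to /.magnolia/admincentral with path set to /mitarbeiter gets no SSO
# session and is answered with 401, which matches what the ticket observes.

ADMINCENTRAL = "/.magnolia/admincentral"

# Constructed Python copy of the public-instance config.yaml from the ticket
# (client secret redacted); the author config differs only in the two paths.
PUBLIC_CONFIG = {
    "path": "/mitarbeiter",
    "callbackUrl": "/.auth",
    "postLogoutRedirectUri": "/mitarbeiter",
    "authorizationGenerators": [
        {
            "name": "groupsAuthorization",
            "groups": {
                "mappings": [
                    {"name": "superuser", "targetGroups": ["publishers"], "targetRoles": ["superuser"]},
                    {"name": "publisher", "targetGroups": ["publishers"], "targetRoles": ["publisher"]},
                    {"name": "editor", "targetGroups": ["editors"], "targetRoles": ["editor"]},
                    {"name": "mitarbeiter", "targetRoles": ["mitarbeiter"]},
                ]
            },
        }
    ],
    "clients": {
        "oidc.id": "magnolia",
        "oidc.secret": "<redacted>",  # placeholder, the real value is not on the page
        "oidc.authorizationGenerators": "groupsAuthorization",
    },
}
AUTHOR_CONFIG = {**PUBLIC_CONFIG, "path": ADMINCENTRAL, "postLogoutRedirectUri": ADMINCENTRAL}


def is_protected(config, uri):
    """True when `uri` lies under the configured protected path (assumed prefix semantics)."""
    base = config["path"].rstrip("/")
    return uri == config["path"] or uri.startswith(base + "/")


def lint(config, required_paths=(ADMINCENTRAL,)):
    """Findings a reviewer would raise before deploying this config.yaml."""
    findings = []
    for required in required_paths:
        if not is_protected(config, required):
            findings.append(f"{required} is outside protected path {config['path']!r}; "
                            "SSO users get no session there (the ticket's 401)")
    generator_names = {g["name"] for g in config.get("authorizationGenerators", [])}
    referenced = config["clients"].get("oidc.authorizationGenerators")
    if referenced not in generator_names:
        findings.append(f"client references unknown authorization generator {referenced!r}")
    for gen in config.get("authorizationGenerators", []):
        for m in gen.get("groups", {}).get("mappings", []):
            if not m.get("targetRoles") and not m.get("targetGroups"):
                findings.append(f"mapping {m['name']!r} assigns neither roles nor groups")
    return findings


def resolve(config, idp_groups):
    """Apply the groups mappings: IdP group names -> (Magnolia roles, Magnolia groups)."""
    roles, groups = set(), set()
    wanted = config["clients"]["oidc.authorizationGenerators"]
    for gen in config["authorizationGenerators"]:
        if gen["name"] != wanted:
            continue
        for m in gen["groups"]["mappings"]:
            if m["name"] in idp_groups:
                roles.update(m.get("targetRoles", []))
                groups.update(m.get("targetGroups", []))
    return roles, groups


if __name__ == "__main__":
    for label, cfg in (("author", AUTHOR_CONFIG), ("public", PUBLIC_CONFIG)):
        print(label, "->", lint(cfg) or "no findings")
    print(resolve(PUBLIC_CONFIG, ["superuser"]))
```

Running the lint over both configs reproduces the asymmetry in the ticket: the author config passes, the public config is flagged for leaving admincentral unprotected, which is the situation a second authentication service or a broader `path` would have to fix.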
Comments

Comment by Sebastian Klingberg [ 01/Sep/23 ]

DefaultBaseURL set to "http://www.blkb.ch/"

SSO Config Author Instance:

I have no name!@prod-magnolia-helm-author-0:/usr/local/tomcat$ cat /mgnl-home/modules/magnolia-sso/config.yaml
path: /.magnolia/admincentral
callbackUrl: /.auth
postLogoutRedirectUri: /.magnolia/admincentral
authorizationGenerators:
  - name: groupsAuthorization
    groups:
      mappings:
        - name: superuser
          targetGroups:
            - publishers
          targetRoles:
            - superuser
        - name: publisher
          targetGroups:
            - publishers
          targetRoles:
            - publisher
        - name: editor
          targetGroups:
            - editors
          targetRoles:
            - editor
        - name: mitarbeiter
          targetRoles:
            - mitarbeiter
clients:
  oidc.id: magnolia
  oidc.secret: *****
  oidc.scope: openid email profile
  oidc.discoveryUri: https://id.magnolia-platform.com/auth/realms/blkb/.well-known/openid-configuration
  oidc.preferredJwsAlgorithm: RS256
  oidc.authorizationGenerators: groupsAuthorization
userFieldMappings:
  name: email
  removeEmailDomainFromUserName: true
  removeSpecialCharactersFromUserName: false
  fullName: name
  email: email
  language: locale

SSO Config Publics:

I have no name!@prod-magnolia-helm-public-0:/usr/local/tomcat$ cat /mgnl-home/modules/magnolia-sso/config.yaml
path: /mitarbeiter
callbackUrl: /.auth
postLogoutRedirectUri: /mitarbeiter
authorizationGenerators:
  - name: groupsAuthorization
    groups:
      mappings:
        - name: superuser
          targetGroups:
            - publishers
          targetRoles:
            - superuser
        - name: publisher
          targetGroups:
            - publishers
          targetRoles:
            - publisher
        - name: editor
          targetGroups:
            - editors
          targetRoles:
            - editor
        - name: mitarbeiter
          targetRoles:
            - mitarbeiter
clients:
  oidc.id: magnolia
  oidc.secret: *****
  oidc.scope: openid email profile
  oidc.discoveryUri: https://id.magnolia-platform.com/auth/realms/blkb/.well-known/openid-configuration
  oidc.preferredJwsAlgorithm: RS256
  oidc.authorizationGenerators: groupsAuthorization
userFieldMappings:
  name: email
  removeEmailDomainFromUserName: true
  removeSpecialCharactersFromUserName: false
  fullName: name
  email: email
  language: locale
Comment by Sebastian Klingberg [ 04/Sep/23 ]

A potential solution would make use of different `AuthorizationGenerator` groups, following this example (copied from the docs):

# Use DefaultBaseURL for relative Paths in SSO Config
# Secure Magnolia (with SSO Client 1)
authenticationService:
  path: /.magnolia/admincentral
  callbackUrl: /.auth
  postLogoutRedirectUri: /.magnolia/admincentral
  authorizationGenerators:
    groupsAuthorizationGenerator:
      class: info.magnolia.sso.oidc.GroupsAuthorizationGenerator
      mappings:
        /magnolia-sre:
          roles:
            - superuser
          groups:
            - publishers
        /magnolia-publishers:
          roles:
            - travel-demo-publisher
          groups:
            - publishers
  pac4j:
    oidc.id: magnolia-sso
    oidc.secret: 2ff75b44-c7ef-4932-91c8-59e6ea5f35b6
    oidc.scope: openid profile email
    oidc.discoveryUri: https://<YOUR_OIDC_IDP_DOMAIN>/…/.well-known/openid-configuration
    oidc.preferredJwsAlgorithm: RS256

# Secure CustomerSite (with different SSO Client 2)
authenticationService:
  path: /securesite
  callbackUrl: /.auth
  postLogoutRedirectUri: /securesite
  authorizationGenerators:
    groupsAuthorizationGenerator:
      class: info.magnolia.sso.oidc.GroupsAuthorizationGenerator
      mappings:
        /securesite-iam:
          roles:
            - securerole
          groups:
            - intranetusers
  pac4j:
    oidc.id: customer-sso
    oidc.secret: 2ff75b44-c7ef-4932-91c8-1111111111
    oidc.scope: openid profile email
    oidc.discoveryUri: https://customer.com/…/.well-known/openid-configuration
    oidc.preferredJwsAlgorithm: RS256
Comment by Sebastian Klingberg [ 23/Nov/23 ]

Hello, any updates here? dmaslanka, can you maybe take this up again? Maybe it has been solved in the meantime.