[MGNLSSO-66] Installing the SSO module leads to a broken filter chain Created: 05/Jul/21 Updated: 16/Jul/21 Resolved: 16/Jul/21 |
|
| Status: | Closed |
| Project: | Single Sign On |
| Component/s: | sso-connector |
| Affects Version/s: | 1.1.1 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Neutral |
| Reporter: | Richard Gange | Assignee: | Maxime Michel |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Attachments: |
|
||||||||
| Issue Links: |
|
||||||||
| Template: |
|
||||||||
| Acceptance criteria: |
Empty
|
||||||||
| Task DoD: |
[X]*
Doc/release notes changes? Comment present?
[X]*
Downstream builds green?
[X]*
Solution information and context easily available?
[X]*
Tests
[X]*
FixVersion filled and not yet released
[X] 
Architecture Decision Record (ADR)
|
||||||||
| Bug DoR: |
[ ]*
Steps to reproduce, expected, and actual results filled
[ ]*
Affected version filled
|
||||||||
| Date of First Response: | |||||||||
| Description |
|
The SSO module cannot self-install. This is the reason why we had tutorials in the incubator to show users how to properly set it up without breaking the system: If the module bootstraps/setup configuration then you don't have chance to login and setup properly. This is exactly how the incubator version worked but the new PD version is trying to bootstrap/setup. This cannot work. Reproduce
Actual Expected Notes <MODULE_NAME>/decorations/magnolia-sso/config.yaml |
| Comments |
| Comment by Richard Gange [ 07/Jul/21 ] |
|
Ideally the installation should stop if the proper config is not found. Or we need some message with the stack trace which tells the user what to do. |
| Comment by Boris Faniuk [ 07/Jul/21 ] |
|
I would better disable SSO login in this case. |
| Comment by Richard Gange [ 07/Jul/21 ] |
|
Hey Boris- Thanks for you input. This always been a tricky thing to handle. This is why we had the tutorials before. In those tutorials you had to configure by hand the login filter when the config is ready.
I think the idea is you have to have the decoration file in place during installation which is not really intuitive. |
| Comment by Maxime Michel [ 07/Jul/21 ] |
|
I understand the concern and we are looking at enabling the traditional Admincentral form login considering how frequently this gets brought up. However:
|
| Comment by Richard Gange [ 07/Jul/21 ] |
|
Maybe we could mention the blog post in the "Related topics" section |
| Comment by Maxime Michel [ 07/Jul/21 ] |
|
Good point, I will do that. |
| Comment by Boris Faniuk [ 07/Jul/21 ] |
|
Hello, Maxime! I was testing the module at test instance, did all configuration, created decoration and then realized that some issues exist on our Azure side. So I had to ask our internal support team to fix Azure problem. While this was in progress, the site was unavailable. Currently even if I remove the decoration, the new way of login is still there and just doesn't let anybody to login. Also, we have to consider localhost development, where we don't want to have SSO at all. |
| Comment by Richard Gange [ 07/Jul/21 ] |
|
Technically speaking you could have two login filters in the chain. Just have one enabled at a time. Any filter can have an enabled property.
So at this point while you can still log in. Toggle off SSO Login Filter, toggle on Fallback login filter. |
| Comment by Maxime Michel [ 12/Jul/21 ] |
|
Thanks for the extra details, we are now looking at a solution. |
| Comment by Maxime Michel [ 16/Jul/21 ] |
|
We have released a Docker image (or you can also run the Node project) and a documentation page on how to spin up a mock OIDC server: https://docs.magnolia-cms.com/product-docs/6.2/Modules/List-of-modules/SSO-module/Using-a-mock-OIDC-server.html This allows to easily recover access to a Magnolia instance in the cases that have been brought up. Hope that helps! |