<!-- 
RSS generated by JIRA (9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b) at Mon Feb 12 10:53:01 CET 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>Magnolia - Issue tracker</title>
    <link>https://jira.magnolia-cms.com</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-uk</language>
    <build-info>
        <version>9.4.2</version>
        <build-number>940002</build-number>
        <build-date>19-01-2023</build-date>
    </build-info>


<item>
            <title>[MGNLSSO-305] public admincentral on PROD not anymore accessible</title>
                <link>https://jira.magnolia-cms.com/browse/MGNLSSO-305</link>
                <project id="15486" key="MGNLSSO">Single Sign On</project>
                    <description>&lt;p&gt;Hello SSO Team,&lt;/p&gt;

&lt;p&gt;our PaaS Client BLKB (Partner JLS) is looking for a solution to solve the following scenario:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;They want to secure their Intranet Page (&lt;a href=&quot;http://www.blkb.ch/mitarbeiter&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;www.blkb.ch/mitarbeiter&lt;/a&gt;) using the SSO Module, while still being able to access author and public admincentral in any way.&lt;/li&gt;
	&lt;li&gt;They use magnolia-sso-3.0.0&lt;/li&gt;
	&lt;li&gt;Issue is reproducible with a Login of any tested Keycloak User, so it&apos;s not a mapping Issue&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;The Workaround:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Use two different SSO configs for Author/Publics (see below for the Public)&lt;/li&gt;
	&lt;li&gt;Both have set the `defaultBaseURL` to &quot;www.blkb.ch&quot; to work with relative paths&lt;/li&gt;
	&lt;li&gt;Author is working fine and will redirect to &quot;/.magnolia/admincentral&quot; after login&lt;/li&gt;
	&lt;li&gt;Public is also working as expected for the Intranet login &quot;/mitarbeiter&quot; but it&apos;s &lt;b&gt;not possible to access any Public&apos;s Admincentral any more&lt;/b&gt; (even on IP level because of the redirect)&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Bug?:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Is a Bug preventing access? (check provided Screenshot here) or (as expected) is a redirect preventing Admincentral from being reached anyway?&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;The ServiceRequest:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Can we solve this issue by supporting more than one redirect URL or at least bypass SSO with some URLs based on the Config (`path: /mypath` AND `path: /.magnolia/admincentral`; instead of just one). Using local Users would be totally fine (ServiceRequest)&lt;/li&gt;
	&lt;li&gt;Can we enable multiple Configs for different URL requests (split config on &apos;path:&apos; level, i.e. &quot;/mitarbeiter&quot; and &quot;/xyz&quot;)?&#160;
	&lt;ul&gt;
		&lt;li&gt;This would also allow using different clients, even on Path Level&#160;&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;Can we distinguish by different &apos;authorizationGenerators&apos;, as it already is a list, and use GroupMatching to resolve the Request Routing after Authentication (an idea I&apos;m not really convinced of, but that would be an option too)&#160;&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;I know that using the SSO Module to secure an Intranet that way is not ideal or a supposed way, but do you see any other option to achieve this with the SSO Module currently?&lt;/p&gt;

&lt;p&gt;Please get in touch with me on more details to find a solution.&lt;/p&gt;

&lt;p&gt;Thank you!&lt;br/&gt;
Seb&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;From the original ticket:&lt;/p&gt;
&lt;hr /&gt;
&lt;p&gt;Hello,&lt;/p&gt;

&lt;p&gt;After we changed the config.yaml file for SSO as shown below, we are no longer able to access the &lt;a href=&quot;https://www.blkb.ch/.magnolia/admincentral&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://www.blkb.ch/.magnolia/admincentral&lt;/a&gt; URL; we just get a 401:&lt;/p&gt;
&lt;div class=&quot;preformatted panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;preformattedContent panelContent&quot;&gt;
&lt;pre&gt;path: /mitarbeiter
callbackUrl: /.auth
postLogoutRedirectUri: /mitarbeiter
authorizationGenerators:
  - name: groupsAuthorization
    groups:
      mappings:
        - name: superuser
          targetGroups:
            - publishers
          targetRoles:
            - superuser
        - name: publisher
          targetGroups:
            - publishers
          targetRoles:
            - publisher
        - name: editor
          targetGroups:
            - editors
          targetRoles:
            - editor
        - name: mitarbeiter
          targetRoles:
            - mitarbeiter

clients:
  oidc.id: magnolia
  oidc.secret: secret
  oidc.scope: openid email profile
  oidc.discoveryUri: https://id.magnolia-platform.com/auth/realms/blkb/.well-known/openid-configuration
  oidc.preferredJwsAlgorithm: RS256
  oidc.authorizationGenerators: groupsAuthorization

userFieldMappings:
  name: email
  removeEmailDomainFromUserName: true
  removeSpecialCharactersFromUserName: false
  fullName: name
  email: email
  language: locale
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;If we try to access the page &lt;a href=&quot;https://www.blkb.ch/mitarbeiter&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://www.blkb.ch/mitarbeiter&lt;/a&gt; we can see the login form, but once I&#8217;m logged in with a superuser account, if I try to access the page &lt;a href=&quot;https://www.blkb.ch/.magnolia/admincentral&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://www.blkb.ch/.magnolia/admincentral&lt;/a&gt; I get the error shown in the attached screenshot.&lt;/p&gt;

&lt;p&gt;Can you please help me on that?&lt;/p&gt;

&lt;p&gt;Thanks,&lt;/p&gt;

&lt;p&gt;Luigi&lt;/p&gt;</description>
                <environment></environment>
        <key id="138204">MGNLSSO-305</key>
            <summary>public admincentral on PROD not anymore accessible</summary>
                <type id="2" iconUrl="https://jira.magnolia-cms.com/secure/viewavatar?size=xsmall&amp;avatarId=10891&amp;avatarType=issuetype">New Feature</type>
                                            <priority id="10001" iconUrl="https://jira.magnolia-cms.com/images/icons/priorities/major.svg">Medium</priority>
                        <status id="1" iconUrl="https://jira.magnolia-cms.com/images/icons/statuses/open.png" description="The issue is open and ready for the assignee to start work on it.">Open</status>
                    <statusCategory id="2" key="new" colorName="default"/>
                                    <resolution id="-1">Unresolved</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="sklingberg">Sebastian Klingberg</reporter>
                        <labels>
                            <label>LIVE</label>
                    </labels>
                <created>Fri, 1 Sep 2023 12:23:04 +0200</created>
                <updated>Fri, 24 Nov 2023 13:43:33 +0100</updated>
                <due></due>
                            <votes>1</votes>
                                    <watches>3</watches>
                                    <workratio workratioPercent="0"/>
                <timeoriginalestimate seconds="0">0d</timeoriginalestimate>
                            <timeestimate seconds="0">0d</timeestimate>
                                        <comments>
                            <comment id="374338" author="JIRAUSER22704" created="Fri, 1 Sep 2023 12:26:37 +0200"  >&lt;p&gt;DefaultBaseURL set to &quot;http://www.blkb.ch/&quot;&lt;/p&gt;

&lt;p&gt;SSO Config Author Instance:&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
I have no name!@prod-magnolia-helm-author-0:/usr/local/tomcat$ cat /mgnl-home/modules/magnolia-sso/config.yaml
path: /.magnolia/admincentral
callbackUrl: /.auth
postLogoutRedirectUri: /.magnolia/admincentral
authorizationGenerators:
  - name: groupsAuthorization
    groups:
      mappings:
        - name: superuser
          targetGroups:
            - publishers
          targetRoles:
            - superuser
        - name: publisher
          targetGroups:
            - publishers
          targetRoles:
            - publisher
        - name: editor
          targetGroups:
            - editors
          targetRoles:
            - editor
        - name: mitarbeiter
          targetRoles:
            - mitarbeiter
clients:
  oidc.id: magnolia
  oidc.secret: *****
  oidc.scope: openid email profile
  oidc.discoveryUri: https://id.magnolia-platform.com/auth/realms/blkb/.well-known/openid-configuration
  oidc.preferredJwsAlgorithm: RS256
  oidc.authorizationGenerators: groupsAuthorization

userFieldMappings:
  name: email
  removeEmailDomainFromUserName: true
  removeSpecialCharactersFromUserName: false
  fullName: name
  email: email
  language: locale
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;SSO Config Publics:&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
I have no name!@prod-magnolia-helm-public-0:/usr/local/tomcat$ cat /mgnl-home/modules/magnolia-sso/config.yaml
path: /mitarbeiter
callbackUrl: /.auth
postLogoutRedirectUri: /mitarbeiter
authorizationGenerators:
  - name: groupsAuthorization
    groups:
      mappings:
        - name: superuser
          targetGroups:
            - publishers
          targetRoles:
            - superuser
        - name: publisher
          targetGroups:
            - publishers
          targetRoles:
            - publisher
        - name: editor
          targetGroups:
            - editors
          targetRoles:
            - editor
        - name: mitarbeiter
          targetRoles:
            - mitarbeiter

clients:
  oidc.id: magnolia
  oidc.secret: *****
  oidc.scope: openid email profile
  oidc.discoveryUri: https://id.magnolia-platform.com/auth/realms/blkb/.well-known/openid-configuration
  oidc.preferredJwsAlgorithm: RS256
  oidc.authorizationGenerators: groupsAuthorization

userFieldMappings:
  name: email
  removeEmailDomainFromUserName: true
  removeSpecialCharactersFromUserName: false
  fullName: name
  email: email
  language: locale
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;</comment>
                            <comment id="374526" author="JIRAUSER22704" created="Mon, 4 Sep 2023 13:46:26 +0200"  >&lt;p&gt;Potential Solution would make use of different `AuthorizationGenerator` Groups following this example - copied from the docs:&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
# Use DefaultBaseURL for relative Paths in SSO Config
# Secure Magnolia (with SSO Client 1)
authenticationService:
  path: /.magnolia/admincentral
  callbackUrl: /.auth
  postLogoutRedirectUri: /.magnolia/admincentral
  authorizationGenerators:
    groupsAuthorizationGenerator:
      class: info.magnolia.sso.oidc.GroupsAuthorizationGenerator
      mappings:
        /magnolia-sre:
          roles:
            - superuser
          groups:
            - publishers
        /magnolia-publishers:
          roles:
            - travel-demo-publisher
          groups:
            - publishers
  pac4j:
    oidc.id: magnolia-sso
    oidc.secret: 2ff75b44-c7ef-4932-91c8-59e6ea5f35b6
    oidc.scope: openid profile email
    oidc.discoveryUri: https://&amp;lt;YOUR_OIDC_IDP_DOMAIN&amp;gt;/&#8230;/.well-known/openid-configuration
    oidc.preferredJwsAlgorithm: RS256

# Secure CustomerSite (with different SSO Client 2)
authenticationService:
  path: /securesite
  callbackUrl: /.auth
  postLogoutRedirectUri: /securesite
  authorizationGenerators:
    groupsAuthorizationGenerator:
      class: info.magnolia.sso.oidc.GroupsAuthorizationGenerator
      mappings:
        /securesite-iam:
          roles:
            - securerole
          groups:
            - intranetusers
  pac4j:
    oidc.id: customer-sso
    oidc.secret: 2ff75b44-c7ef-4932-91c8-1111111111
    oidc.scope: openid profile email
    oidc.discoveryUri: https://customer.com/&#8230;/.well-known/openid-configuration
    oidc.preferredJwsAlgorithm: RS256
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;</comment>
                            <comment id="386104" author="JIRAUSER22704" created="Thu, 23 Nov 2023 09:45:23 +0100"  >&lt;p&gt;Hello, any updates here? &lt;a href=&quot;https://jira.magnolia-cms.com/secure/ViewProfile.jspa?name=dmaslanka&quot; class=&quot;user-hover&quot; rel=&quot;dmaslanka&quot;&gt;dmaslanka&lt;/a&gt; could you maybe take this up again? Maybe it has been solved in the meantime...&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10360">
                    <name>Problem/Incident</name>
                    <inwardlinks description="is caused by">
                    </inwardlinks>
            </issuelinktype>
                            <issuelinktype id="10010">
                    <name>relation</name>
                    <inwardlinks description="is related to">
                    </inwardlinks>
            </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_14166" key="com.okapya.jira.checklist:checklist">
                        <customfieldname>Acceptance criteria</customfieldname>
                        <customfieldvalues>
                            
        <checklist>
        <![CDATA[Empty]]>
    </checklist>


                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10111" key="com.atlassian.jira.toolkit:reporterdomain">
                        <customfieldname>Company</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>magnolia-cms.com</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12730" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14151" key="com.atlassian.jira.toolkit:message">
                        <customfieldname>Docu info</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10061" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comm is not jira-dev</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10071" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last participant</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>evystup</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_13136" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            11 weeks, 4 days ago
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10020" key="com.atlassian.jira.toolkit:attachments">
                        <customfieldname>Number of attachments</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10150" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname>Number of comments</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>3.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10011" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>sklingberg</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10833" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|y0arzu:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10244" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14145" key="com.intenso.jira.issue-templates:issue-templates-customfield">
                        <customfieldname>Template</customfieldname>
                        <customfieldvalues>
                            


                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_15131" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Time in Discovery</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_13933" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Urgency (resolution)</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="15724"><![CDATA[Normal]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>