<rss version="0.92" >
<channel>
    <title>Magnolia - Issue tracker</title>
    <link>https://jira.magnolia-cms.com</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-uk</language>    <build-info>
        <version>9.4.2</version>
        <build-number>940002</build-number>
        <build-date>19-01-2023</build-date>
    </build-info>


<item>
            <title>[MGNLSSO-96] Non-interactive SSO access to REST endpoints</title>
                <link>https://jira.magnolia-cms.com/browse/MGNLSSO-96</link>
                <project id="15486" key="MGNLSSO">Single Sign On</project>
                    <description>&lt;p&gt;Investigate allowing a 3rd party system (like a node or java server) to make an authenticated REST request to Magnolia based on user/credentials managed in an IdP.&lt;/p&gt;

&lt;p&gt;See if we can get it to work, and document how it works. &lt;br/&gt;
(Not product docs at this point, just internal tech notes.)&lt;/p&gt;

&lt;p&gt;&lt;b&gt;&#160;Key requirement: SSO for REST Endpoints. Authenticated requests to Magnolia endpoints based on user in IdP / SSO.&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;It should be just one &quot;technical user&quot; that is in their IdP system. (This user would be used to hit the Magnolia endpoints.)&lt;/p&gt;

&lt;p&gt;The security department at a customer has a general rule that all users and auth info should be in their one IdP. Makes sense.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;&#160;Key problem: Getting a redirection to SSO login screen when trying to hit the endpoint.&lt;/b&gt; (Basically the same as when any unauthenticated person tries to login, they get redirected to SSO login screen.) They just want to be able to supply token in header in the request to the REST endpoint.&lt;/p&gt;

&lt;p&gt;Basic Auth is used now.&#160;It works, but the security team is not satisfied; they need something more secure.&lt;/p&gt;

&lt;p&gt;&quot;Technical User&quot; in their IdP (uses Groups in Magnolia).&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Basic wished Flow: (roughly described, details might be incorrect!)&lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;3rd party system hits db-web-sso/F5/IdP service to login and get a JWT token.&lt;/li&gt;
	&lt;li&gt;3rd party system hits Magnolia endpoint with token in header.&lt;/li&gt;
	&lt;li&gt;Magnolia authenticates and authorizes the request, likely invoking the IdP&apos;s token introspection endpoint; then executes endpoint with appropriate permissions.&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;More information and context:&lt;br/&gt;
&lt;a href=&quot;https://wiki.magnolia-cms.com/display/TH2/Plan+for+SSO+API&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://wiki.magnolia-cms.com/display/TH2/Plan+for+SSO+API&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;</description>
                <environment></environment>
        <key id="107597">MGNLSSO-96</key>
            <summary>Non-interactive SSO access to REST endpoints</summary>
                <type id="3" iconUrl="https://jira.magnolia-cms.com/secure/viewavatar?size=xsmall&amp;avatarId=10898&amp;avatarType=issuetype">Task</type>
                                            <priority id="3" iconUrl="https://jira.magnolia-cms.com/images/icons/priorities/major.svg">Major</priority>
                        <status id="6" iconUrl="https://jira.magnolia-cms.com/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="11">Done</resolution>
                                        <assignee username="nguyen.phung">Nguyen Phung Chi</assignee>
                                    <reporter username="czimmermann">Christopher Zimmermann</reporter>
                        <labels>
                    </labels>
                <created>Tue, 15 Feb 2022 08:13:23 +0100</created>
                <updated>Wed, 12 Apr 2023 14:22:48 +0200</updated>
                            <resolved>Tue, 7 Jun 2022 10:14:43 +0200</resolved>
                                                    <fixVersion>3.0.0</fixVersion>
                                        <due></due>
                            <votes>1</votes>
                                    <watches>12</watches>
                                                    <progress percentage="100">
                                    <originalProgress>
                                                    <row percentage="0" backgroundColor="#89afd7"/>
                                                    <row percentage="100" backgroundColor="transparent"/>
                                            </originalProgress>
                                                    <currentProgress>
                                                    <row percentage="100" backgroundColor="#51a825"/>
                                                    <row percentage="0" backgroundColor="#ec8e00"/>
                                            </currentProgress>
                            </progress>
                                    <aggregateprogress percentage="100">
                                    <originalProgress>
                                                    <row percentage="0" backgroundColor="#89afd7"/>
                                                    <row percentage="100" backgroundColor="transparent"/>
                                            </originalProgress>
                                                    <currentProgress>
                                                    <row percentage="100" backgroundColor="#51a825"/>
                                                    <row percentage="0" backgroundColor="#ec8e00"/>
                                            </currentProgress>
                            </aggregateprogress>
                                                    <timespent seconds="747000">25d 7.5h</timespent>
                                                                    <aggregatetimespent seconds="747000">25d 7.5h</aggregatetimespent>
                                    <comments>
                            <comment id="297092" author="nguyen.phung" created="Thu, 3 Mar 2022 07:36:21 +0100"  >&lt;p&gt;Hi &lt;a href=&quot;https://jira.magnolia-cms.com/secure/ViewProfile.jspa?name=czimmermann&quot; class=&quot;user-hover&quot; rel=&quot;czimmermann&quot;&gt;czimmermann&lt;/a&gt;, &lt;a href=&quot;https://jira.magnolia-cms.com/secure/ViewProfile.jspa?name=mgeljic&quot; class=&quot;user-hover&quot; rel=&quot;mgeljic&quot;&gt;mgeljic&lt;/a&gt;&#160;&lt;/p&gt;

&lt;p&gt;For the scope of the ticket, I think we&apos;re talking about SSO module for On-premises only.&#160;&lt;/p&gt;

&lt;p&gt;I had a look at the pac4j documentation and found the following:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;First, pac4j says: &quot;&lt;em&gt;A Client&lt;/em&gt; = an authentication mechanism with a web flow&quot; (slide no. 6 in &lt;a href=&quot;https://www.pac4j.org/gettingstarted.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://www.pac4j.org/gettingstarted.html&lt;/a&gt;)&lt;/li&gt;
	&lt;li&gt;Pac4j clients are of two kinds: direct clients are for web services authentication and indirect clients are for UI authentication. (Direct vs indirect clients - &lt;a href=&quot;https://www.pac4j.org/docs/clients.html#1-direct-vs-indirect-clients&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://www.pac4j.org/docs/clients.html#1-direct-vs-indirect-clients&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Compared with our current implementation, I believe that we have only implemented the &lt;b&gt;Indirect clients flow&lt;/b&gt; in the SSO module.&lt;/p&gt;

&lt;p&gt;The web services authentication flow (stateless/direct client) that pac4j describes here (&lt;a href=&quot;https://www.pac4j.org/docs/authentication-flows.html#2-web-services-authentication-statelessdirect-client&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://www.pac4j.org/docs/authentication-flows.html#2-web-services-authentication-statelessdirect-client&lt;/a&gt;) is similar to, and seems to match, the &quot;Basic wished Flow&quot; in the ticket description - &lt;a href=&quot;https://jira.magnolia-cms.com/secure/ViewProfile.jspa?name=mgeljic&quot; class=&quot;user-hover&quot; rel=&quot;mgeljic&quot;&gt;mgeljic&lt;/a&gt;, can you please have a look and tell me what you think? Thanks&lt;/p&gt;

&lt;p&gt;I also found the guide to implement direct clients flow with OpenID Connect (Oidc) &lt;a href=&quot;https://www.pac4j.org/docs/clients/openid-connect.html#b-direct-clients&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://www.pac4j.org/docs/clients/openid-connect.html#b-direct-clients&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Thank you,&lt;/p&gt;

&lt;p&gt;cc &lt;a href=&quot;https://jira.magnolia-cms.com/secure/ViewProfile.jspa?name=mrajkovic&quot; class=&quot;user-hover&quot; rel=&quot;mrajkovic&quot;&gt;mrajkovic&lt;/a&gt; , &lt;a href=&quot;https://jira.magnolia-cms.com/secure/ViewProfile.jspa?name=efochr&quot; class=&quot;user-hover&quot; rel=&quot;efochr&quot;&gt;efochr&lt;/a&gt; the above is the initial discovery for this investigation ticket; I&apos;m not sure whether we need to dive deeper into it.&lt;/p&gt;

&lt;p&gt;Let&apos;s discuss in a grooming or separate meeting for what we plan to do about SSO topics. Alright?&lt;/p&gt;</comment>
                            <comment id="297102" author="JIRAUSER21783" created="Thu, 3 Mar 2022 08:49:51 +0100"  >&lt;p&gt;Hey &lt;a href=&quot;https://jira.magnolia-cms.com/secure/ViewProfile.jspa?name=nguyen.phung&quot; class=&quot;user-hover&quot; rel=&quot;nguyen.phung&quot;&gt;nguyen.phung&lt;/a&gt; , thanks for doing such a careful discovery!&#160;&lt;/p&gt;

&lt;p&gt;Agree, we can discuss this in a grooming / today&apos;s planning (if there&apos;s time). We will also need a dedicated meeting to the SSO topic, to implement this in a broader context. Let me set it up!&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://jira.magnolia-cms.com/secure/ViewProfile.jspa?name=efochr&quot; class=&quot;user-hover&quot; rel=&quot;efochr&quot;&gt;efochr&lt;/a&gt; , &lt;a href=&quot;https://jira.magnolia-cms.com/secure/ViewProfile.jspa?name=mgeljic&quot; class=&quot;user-hover&quot; rel=&quot;mgeljic&quot;&gt;mgeljic&lt;/a&gt;: FYI&lt;/p&gt;</comment>
                            <comment id="297211" author="mgeljic" created="Thu, 3 Mar 2022 14:21:29 +0100"  >&lt;p&gt;Good discovery indeed, on the SaaS feature branch, we did implement direct-authentication flows &amp;amp; support for configuring multiple clients in pac4j, in fact two of them:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;one for SPA access (not sure if it&apos;s actively used because delivery endpoints happen to also be public on author instances)&lt;/li&gt;
	&lt;li&gt;one for e2e tests and ability to bootstrap resources programmatically&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;You can see more about that in the &lt;a href=&quot;https://git.magnolia-cms.com/projects/ENTERPRISE/repos/magnolia-sso/browse?at=refs%2Fheads%2Ffeature%2FssoVersion-1.2-cloud-SNAPSHOT&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;README&lt;/a&gt; on the SaaS feature branch, as well as in MGNLSSO-79 and PR &lt;a href=&quot;https://git.magnolia-cms.com/projects/ENTERPRISE/repos/magnolia-sso/pull-requests/53/diff&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;#53&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;We sketched this ticket w/ Topher with the assumption that we can first reuse this work, with SSO 1.2-cloud-SNAPSHOT (should be 3.0-SNAPSHOT after &lt;a href=&quot;https://wiki.magnolia-cms.com/display/DEVINT/6.3+Branches+status+and+reconciliation&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;branch reconciliation&lt;/a&gt; / &lt;a href=&quot;https://jira.magnolia-cms.com/browse/MGNLSSO-78&quot; title=&quot;Rebase SSO cloud feature branch on top of SSO 2.0&quot; class=&quot;issue-link&quot; data-issue-key=&quot;MGNLSSO-78&quot;&gt;&lt;del&gt;MGNLSSO-78&lt;/del&gt;&lt;/a&gt;) on a 6.2 instance. Essentially trying to validate an incoming token through the IdP&apos;s token-introspection endpoint.&lt;/p&gt;</comment>
                            <comment id="298410" author="JIRAUSER21783" created="Mon, 14 Mar 2022 11:27:59 +0100"  >&lt;p&gt;We continue discovery on this ticket together with &lt;a href=&quot;https://jira.magnolia-cms.com/secure/ViewProfile.jspa?name=mgeljic&quot; class=&quot;user-hover&quot; rel=&quot;mgeljic&quot;&gt;mgeljic&lt;/a&gt; and &lt;a href=&quot;https://jira.magnolia-cms.com/secure/ViewProfile.jspa?name=nguyen.phung&quot; class=&quot;user-hover&quot; rel=&quot;nguyen.phung&quot;&gt;nguyen.phung&lt;/a&gt;&#160;&lt;/p&gt;</comment>
                            <comment id="302834" author="nguyen.phung" created="Thu, 14 Apr 2022 09:14:52 +0200"  >&lt;h3&gt;&lt;a name=&quot;Furtherdiscovery%3A&quot;&gt;&lt;/a&gt;Further discovery:&lt;/h3&gt;

&lt;p&gt;I&apos;ve validated the setup DX Core and SSO (cloud-6.2 feature branch), technically, what I&apos;ve tried:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;I made some changes in SSO module (based on&#160;&lt;tt&gt;feature/ssoVersion-1.2-cloud-SNAPSHOT&lt;/tt&gt;&#160;branch) - here is the&#160;&lt;a href=&quot;https://git.magnolia-cms.com/projects/ENTERPRISE/repos/magnolia-sso/commits/0bf3cacd25196b9da86c6a5b88620df81ad577c3&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;commit&lt;/a&gt;&#160;and new branch&#160;&lt;tt&gt;sso-for-rest-based-cloud-version&lt;/tt&gt;
	&lt;ul&gt;
		&lt;li&gt;Basically, what I did was make the&#160;&lt;tt&gt;SsoSettings&lt;/tt&gt; class configurable using YAML&lt;/li&gt;
		&lt;li&gt;Unfortunately, I needed to change the structure a little bit (it differs from the microprofile file) and only support&#160;&lt;tt&gt;fixedMapping&lt;/tt&gt;&#160;(&lt;tt&gt;FixedRoleAuthorizationGenerator&lt;/tt&gt;), because the Map/List in&#160;&lt;tt&gt;fixedMapping&lt;/tt&gt;&#160;and&#160;&lt;tt&gt;groupMappings&lt;/tt&gt; can&#8217;t be read from YAML&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;Can login using my own Okta account with the setup DX Core 6.2 and SSO cloud with the changes above&lt;/li&gt;
	&lt;li&gt;Get the access token from Okta using HTTP request&lt;/li&gt;
&lt;/ul&gt;


&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
curl -v -X POST -H &quot;Content-type:application/x-www-form-urlencoded&quot; &quot;https://id-preview.magnolia-cloud.com/oauth2/default/v1/token&quot; -d &quot;client_id={client_id}&amp;amp;client_secret={client_secret}&amp;amp;grant_type=client_credentials&amp;amp;scope=e2eTestScope&quot;&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;ul&gt;
	&lt;li&gt;&lt;tt&gt;Call Okta introspect endpoint with the access token&lt;/tt&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
curl -v -X POST -H &quot;Content-type:application/x-www-form-urlencoded&quot; &quot;https://id-preview.magnolia-cloud.com/oauth2/default/v1/introspect&quot; -d &quot;client_id={client_id}&amp;amp;client_secret={client_secret}&amp;amp;token={access_token}&amp;amp;token_type_hint=access_token&quot;&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;&lt;tt&gt;The response looks like this (&quot;active&quot;:true means the IdP currently considers the token valid):&lt;/tt&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;


&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
{&quot;active&quot;:true,&quot;scope&quot;:&quot;e2eTestScope&quot;,&quot;exp&quot;:1649840869,&quot;iat&quot;:1649837269,&quot;sub&quot;:&quot;0oa1imrwonnyHpIvI0x7&quot;,&quot;aud&quot;:&quot;api://default&quot;,&quot;iss&quot;:&quot;https://id-preview.magnolia-cloud.com/oauth2/default&quot;,&quot;jti&quot;:&quot;AT.7hF5qo7CVlbkgz8ZZTSfnF0C_xxMTvEfqHkWcaOogvk&quot;,&quot;token_type&quot;:&quot;Bearer&quot;,&quot;client_id&quot;:&quot;0oa1imrwonnyHpIvI0x7&quot;}&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;ul&gt;
	&lt;li&gt;Setup a simple Delivery endpoint (from this docu) and call to the endpoint with the access token, it works successfully, can view the log debug file:&lt;/li&gt;
&lt;/ul&gt;


&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
curl -X GET &apos;http://localhost:8080/container/.rest/delivery/demo-content/travel/about&apos; -H &quot;Authorization: Bearer {access_token}&quot;&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;More details and discussion here: &lt;a href=&quot;https://magnolia-cms.slack.com/archives/C033G1YA0AD/p1649837912737319&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://magnolia-cms.slack.com/archives/C033G1YA0AD/p1649837912737319&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&#160;&lt;br/&gt;
&lt;b&gt;In conclusion&lt;/b&gt;, I think this flow and setup match the desired flow described in &lt;a href=&quot;https://jira.magnolia-cms.com/browse/MGNLSSO-96&quot; class=&quot;external-link&quot; rel=&quot;nofollow&quot;&gt;https://jira.magnolia-cms.com/browse/MGNLSSO-96&lt;/a&gt;.&lt;br/&gt;
The key points are:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Clients have to get the access token from the SSO IdP on their own (by calling the IdP endpoint)&lt;/li&gt;
	&lt;li&gt;Then, they can use the access token to interact with Magnolia Endpoint with the token in header&lt;/li&gt;
	&lt;li&gt;Magnolia SSO authenticates and authorizes the request (invoking the IdP&#8217;s token introspection endpoint to get the information from the token), then executes the endpoint with appropriate permissions.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;&#160;&lt;br/&gt;
Regarding the work to achieve the use case (&lt;a href=&quot;https://jira.magnolia-cms.com/browse/MGNLSSO-96&quot; title=&quot;Non-interactive SSO access to REST endpoints&quot; class=&quot;issue-link&quot; data-issue-key=&quot;MGNLSSO-96&quot;&gt;&lt;del&gt;MGNLSSO-96&lt;/del&gt;&lt;/a&gt;), we can say the functionality is to some extent already available in the SSO 1.2-cloud-SN branch, but it only supports microprofile configuration, which does not work on DX Core 6.2. IMO, there are 2 possible solutions:&lt;/p&gt;
&lt;ol&gt;
	&lt;li&gt;Reuse all the work already done in cloud version, rebase SSO cloud feature branch to master, we will have SSO 3.0 at the end. Ideally, it should support both microprofile and yaml configuration to config SSO module, so the magnolia-core also need to rebase/available in 6.3 (Customers may need to upgrade to 6.3). Ticket &lt;a href=&quot;https://jira.magnolia-cms.com/browse/MGNLSSO-78&quot; class=&quot;external-link&quot; rel=&quot;nofollow&quot;&gt;https://jira.magnolia-cms.com/browse/MGNLSSO-78&lt;/a&gt;&#160;(The ticket does not mention the support yaml config yet)&lt;/li&gt;
	&lt;li&gt;Pick the necessary functionality code from SSO cloud feature branch to master (still SSO 2.x version), the module still works with 6.2&lt;/li&gt;
&lt;/ol&gt;


&lt;p&gt;So, we should have a further discussion to choose the solution (mostly with &lt;a href=&quot;https://jira.magnolia-cms.com/secure/ViewProfile.jspa?name=mgeljic&quot; class=&quot;user-hover&quot; rel=&quot;mgeljic&quot;&gt;mgeljic&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;cc &lt;a href=&quot;https://jira.magnolia-cms.com/secure/ViewProfile.jspa?name=mrajkovic&quot; class=&quot;user-hover&quot; rel=&quot;mrajkovic&quot;&gt;mrajkovic&lt;/a&gt; , &lt;a href=&quot;https://jira.magnolia-cms.com/secure/ViewProfile.jspa?name=czimmermann&quot; class=&quot;user-hover&quot; rel=&quot;czimmermann&quot;&gt;czimmermann&lt;/a&gt;&#160;&lt;/p&gt;

&lt;p&gt;Thanks&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10160">
                    <name>Relates</name>
                                            <outwardlinks description="relates to">
                                                        </outwardlinks>
                                                                <inwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="53426">MGNLREST-71</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="112522">MGNLSSO-132</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="112520">MGNLSSO-131</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10020">
                    <name>dependency</name>
                                                                <inwardlinks description="is depended upon by">
                                                        </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                            <subtask id="110581">MGNLSSO-109</subtask>
                            <subtask id="110582">MGNLSSO-110</subtask>
                            <subtask id="110583">MGNLSSO-111</subtask>
                            <subtask id="110584">MGNLSSO-112</subtask>
                            <subtask id="110585">MGNLSSO-113</subtask>
                    </subtasks>
                <customfields>
                                                                            <customfield id="customfield_14166" key="com.okapya.jira.checklist:checklist">
                        <customfieldname>Acceptance criteria</customfieldname>
                        <customfieldvalues>
                            
        <checklist>
        <![CDATA[
                            




                
                                    <div class="o-completion" style="display: flex; flex-shrink: 0;"><span  class="aui-lozenge aui-lozenge-complete" style="font-size: 12px; font-weight: normal; display: flex; flex-direction: row; align-items: center;" ><span style="padding-right: 4px; vertical-align: middle;"><svg width="15" height="15" viewBox="0 0 15 15" xmlns="http://www.w3.org/2000/svg" fill="white"><path clip-rule="evenodd" d="m10.41037,3.42544l-7.86501,0c-0.72395,0 -1.31084,0.58688 -1.31084,1.31084l0,7.86508c0,0.7239 0.58689,1.3108 1.31084,1.3108l7.86501,0c0.724,0 1.3109,-0.5869 1.3109,-1.3108l0,-7.86508c0,-0.72396 -0.5869,-1.31084 -1.3109,-1.31084zm-7.86501,-0.65542c-1.08593,0 -1.96626,0.88032 -1.96626,1.96626l0,7.86508c0,1.0859 0.88033,1.9662 1.96626,1.9662l7.86501,0c1.086,0 1.9663,-0.8803 1.9663,-1.9662l0,-7.86508c0,-1.08594 -0.8803,-1.96626 -1.9663,-1.96626l-7.86501,0z" fill-rule="evenodd"/><path d="m5.09049,10.18526l-1.82767,-1.82766l-0.78479,0.78479l2.61246,2.61246l5.38758,-5.38754l-0.78483,-0.78479l-4.60275,4.60274z"/></svg></span><span>Empty</span></span></div>
                        ]]>
    </checklist>


                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10111" key="com.atlassian.jira.toolkit:reporterdomain">
                        <customfieldname>Company</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>magnolia-cms.com</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10031" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Thu, 3 Mar 2022 07:36:21 +0100</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_12730" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_14151" key="com.atlassian.jira.toolkit:message">
                        <customfieldname>Docu info</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_12130" key="com.atlassian.jira.plugin.system.customfieldtypes:multicheckboxes">
                        <customfieldname>Documentation update required</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="13300"><![CDATA[Yes]]></customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_10246" key="com.pyxis.greenhopper.jira:gh-epic-link">
                        <customfieldname>Epic Link</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>CLOUD-1719</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10061" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comm is not jira-dev</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10071" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last participant</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>czimmermann</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_13136" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            1 year, 43 weeks, 4 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10020" key="com.atlassian.jira.toolkit:attachments">
                        <customfieldname>Number of attachments</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10150" key="com.atlassian.jira.toolkit:comments">
                        <!-- Comment count for the issue, serialized as a decimal string (5.0)
                             rather than an integer. -->
                        <customfieldname>Number of comments</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>5.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10011" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>czimmermann</customfieldvalue>
            <customfieldvalue>mrajkovic</customfieldvalue>
            <customfieldvalue>mgeljic</customfieldvalue>
            <customfieldvalue>nguyen.phung</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                <customfield id="customfield_10833" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <!-- Ordering value from the gh-lexo-rank field type. It is an opaque string,
                             not a number; presumably compared lexicographically (TODO confirm). -->
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|hzzufx:w9r6w</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10244" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <!-- Legacy rank field. The value 9223372036854775807 equals 2^63 - 1, the largest
                             signed 64-bit integer, so it looks like a placeholder rather than a real rank
                             (TODO confirm). It overflows a 32-bit integer and cannot be held exactly in an
                             IEEE 754 double; parse it as a 64-bit integer or keep it as a string. -->
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10220" key="com.atlassian.jira.plugin.system.customfieldtypes:multicheckboxes">
                        <!-- Multi-checkbox field with one selected option. The label ("Yes") is wrapped in
                             CDATA and the key attribute (10490) is presumably the option id (TODO confirm). -->
                        <customfieldname>Release notes required</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10490"><![CDATA[Yes]]></customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10245" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="1606">AdminX 9</customfieldvalue>
    <customfieldvalue id="1638">AdminX 10</customfieldvalue>
    <customfieldvalue id="1646">AdminX 11</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10242" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <!-- Story point estimate, a float-typed field serialized as a decimal string (8.0). -->
                        <customfieldname>Story Points</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>8.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_14167" key="com.okapya.jira.checklist:checklist">
                        <customfieldname>Task DoR</customfieldname>
                        <customfieldvalues>
                            
        <checklist>
        <![CDATA[
                            




                
                                    <div class="o-completion" style="display: flex; flex-shrink: 0;"><span  class="aui-lozenge aui-lozenge-complete" style="font-size: 12px; font-weight: normal; display: flex; flex-direction: row; align-items: center;" ><span style="padding-right: 4px; vertical-align: middle;"><svg width="15" height="15" viewBox="0 0 15 15" xmlns="http://www.w3.org/2000/svg" fill="white"><path clip-rule="evenodd" d="m10.41037,3.42544l-7.86501,0c-0.72395,0 -1.31084,0.58688 -1.31084,1.31084l0,7.86508c0,0.7239 0.58689,1.3108 1.31084,1.3108l7.86501,0c0.724,0 1.3109,-0.5869 1.3109,-1.3108l0,-7.86508c0,-0.72396 -0.5869,-1.31084 -1.3109,-1.31084zm-7.86501,-0.65542c-1.08593,0 -1.96626,0.88032 -1.96626,1.96626l0,7.86508c0,1.0859 0.88033,1.9662 1.96626,1.9662l7.86501,0c1.086,0 1.9663,-0.8803 1.9663,-1.9662l0,-7.86508c0,-1.08594 -0.8803,-1.96626 -1.9663,-1.96626l-7.86501,0z" fill-rule="evenodd"/><path d="m5.09049,10.18526l-1.82767,-1.82766l-0.78479,0.78479l2.61246,2.61246l5.38758,-5.38754l-0.78483,-0.78479l-4.60275,4.60274z"/></svg></span><span>Empty</span></span></div>
                        ]]>
    </checklist>


                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_12430" key="com.atlassian.teams:rm-teams-custom-field-team">
                        <!-- Team assignment. The export carries only the CDATA-wrapped value 24, with no
                             team name; presumably a numeric team id to resolve elsewhere (TODO confirm). -->
                        <customfieldname>Team</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[24]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_14145" key="com.intenso.jira.issue-templates:issue-templates-customfield">
                        <!-- Issue-template field. No value is emitted for this issue; customfieldvalues
                             contains only whitespace. -->
                        <customfieldname>Template</customfieldname>
                        <customfieldvalues>
                            


                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_15131" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <!-- Scripted (computed) field. The export gives the bare number 1055 with no unit;
                             the unit depends on the script behind the field (TODO confirm before using it
                             in any calculation). -->
                        <customfieldname>Time in Discovery</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1055</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10032" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <!-- Time-in-status field from the charting plugin. No value is emitted for this
                             issue; customfieldvalues contains only whitespace. -->
                        <customfieldname>Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_13933" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <!-- Single-select field. The selected option's label ("Normal") is wrapped in CDATA
                             and the key attribute (15724) is presumably the option id (TODO confirm). -->
                        <customfieldname>Urgency (resolution)</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="15724"><![CDATA[Normal]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                </customfields>
    </item>
</channel>
</rss>