Keycloak SSO/IAM integration for Magnolia 5.5, 5.6
This module delegates authentication - in addition to Magnolias builtin authentication mechanisms - to Keycloak.
This module delegates authentication - in addition to Magnolias builtin authentication mechanisms - to Keycloak.
Contributions welcome!
- create a client in Keycloak with Direct Access Grants enabled
- export the configuration in Keycloak OIDC JSON format from the Installation tab
- save the configuration file into your projects classpath, i.e.
src/main/resources/keycloak.json - configure
src/main/webapp/WEB-INF/config/jaas.configto include the KeycloakAuthenticationModule:
magnolia {
info.magnolia.jaas.sp.jcr.JCRAuthenticationModule optional realm=system;
org.sevensource.magnolia.keycloak.security.KeycloakLoginModuleAdapter requisite realm=external skip_on_previous_success=true;
info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
- for further JAAS configuration options, see
- http://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/Configuration.html
- https://documentation.magnolia-cms.com/display/DOCS/NTLM+Connector+module
- https://documentation.magnolia-cms.com/display/DOCS/LDAP+Connector+module
- https://documentation.magnolia-cms.com/display/DOCS/CAS+module
- http://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASRefGuide.html
All additional configuration is stored in Magnolias JCR.
- login into magnolia using the
superuseraccount - go into Configurations App and navigate to
/modules/keycloak-security/configand add your keycloakConfigFile, i.e.classpath:keycloak.json - the module features a RoleMapper, which maps Keycloak roles to Magnolia roles. It is configured in
/modules/keycloak-security/config/roleMapper. - the module installs a UserManager into
/server/security/userManagers/externalwhich can be used as an extension point for customisation