SSO module changelog

The changelog gives you an overview of the changes made to the SSO module at each release.

This changelog covers the 4.0.x branch of the SSO module. For the 3.1.x changelog, see here.

4.0.1

Released on October 18, 2024

This release is primarily a bug-fixing release, including a new callbackUrl resolver to enable protocol handling and improve callback resolution in proxy and load balancer setups.

Ticket Type Description

MGNLSSO-365

HTTPS gets converted to HTTP on redirect_uri when using SSO 4.0.0.


See callbackUrl for the new protocol and X-Forwarded header features introduced with the custom resolver MagnoliaPac4jUrlResolve.

MGNLSSO-366

UserInitiatedRedirectClientCallback logs DEBUG log message as INFO.

MGNLSSO-369

SSO module version 4.0.0 forces adding client_name=OidcClient as a callback URL, which blocks current systems.

client_name is only added to the callback URL if you use multiple OIDC clients.

MGNLSSO-371

Put the path config property back and deprecate it so that errors aren’t thrown for TransformationProblem.SeverityType.DEPRECATED or WARNING issues.

4.0.0

Released on September 4, 2024

This release lets you connect with multiple identity providers and ensures access to your Magnolia instance by allowing your SSO system to fall back to Magnolia users stored in the JCR when required.

Ticket Type Description

MGNLSSO-84

Ability to use default Magnolia login as well as SSO login. See Configuring a fallback login.

MGNLSSO-86

Add support for authorisation of web pages.

MGNLSSO-320

Introduce a new SsoLoginHandler for delegating requests to Pac4j.

MGNLSSO-348

Move callbackUrl and postLogoutRedirectUri properties to OIDC client configuration.

MGNLSSO-347

Redirect to the JCR login page when JCR users log out.

MGNLSSO-349

Support multiple OIDC clients.

MGNLSSO-353

Auto-disable SSO client callback and login handler if the SSO configuration file is missing.

MGNLSSO-354

Create a way to get the full name of a user given its ID.

This update also removes obsolete Magnolia 5 favorites from the profiles workspace (unused since Magnolia 6.0). Specifically, the node types favourite and favouriteGroup can’t be bootstrapped to your profiles workspace anymore. If they do exist, they are removed automatically during the upgrade.

If you upgraded from Magnolia 6.2.43 or a later 6.2 release, you must manually add a SearchIndex entry into the workspace.xml file (repositories/magnolia/workspaces/profiles). After doing so, remove the index folder in the same location if it exists.


See Configuration changes for the full SearchIndex entry that you must add.

MGNLSSO-357

Support multiple domains for the callbackUrl property.

Upgrading from SSO 3.1.x to 4.0.0

The SSO 4.0.x module introduces several important updates and requirements.

Each section below details specific actions and modifications needed to ensure a smooth upgrade and continued functionality.

Make sure you test the upgraded module on a development environment before proceeding.

Compatibility

SSO 4.0.x is compatible with Magnolia CMS 6.2.44 and later, including Magnolia CMS 6.3.x. When you upgrade to SSO module 4.0.0, you must also upgrade Magnolia to v6.2.44 or later.

Magnolia 6.2.44 brings required changes (MAGNOLIA-9200) to the info.magnolia.cms.security.auth.login.LoginHandler interface and centralizes the login and logout logic into the handlers, which are configured under info.magnolia.cms.security.LogoutFilter.

Configuration changes

Since version 4.0.1, the SSO configuration is fully compatible with version 3.1.x.

If you use SSO 4.0.0, you must remove the path property.

Additionally, indexing is disabled for the profiles workspace in Magnolia 6.2.43 and later 6.2 releases.

You must add the following entry to the workspace.xml file:

  • SearchIndex

    <SearchIndex class="info.magnolia.jackrabbit.lucene.SearchIndex">
    <param name="path" value="${wsp.home}/index"/>
    <!--  SearchIndex will get the indexing configuration from the classpath, if not found in the workspace home  -->
    <param name="indexingConfiguration" value="/info/magnolia/jackrabbit/indexing_configuration_${wsp.name}.xml"/>
    <param name="useCompoundFile" value="true"/>
    <param name="minMergeDocs" value="100"/>
    <param name="volatileIdleTime" value="3"/>
    <param name="maxMergeDocs" value="100000"/>
    <param name="mergeFactor" value="10"/>
    <param name="maxFieldLength" value="10000"/>
    <param name="bufferSize" value="10"/>
    <param name="cacheSize" value="1000"/>
    <param name="forceConsistencyCheck" value="false"/>
    <param name="autoRepair" value="true"/>
    <param name="queryClass" value="org.apache.jackrabbit.core.query.QueryImpl"/>
    <param name="respectDocumentOrder" value="true"/>
    <param name="resultFetchSize" value="100"/>
    <param name="extractorPoolSize" value="3"/>
    <param name="extractorTimeout" value="100"/>
    <param name="extractorBackLogSize" value="100"/>
    <!--  needed to highlight the searched term  -->
    <param name="supportHighlighting" value="true"/>
    <!--  custom provider for getting an HTML excerpt in a query result with rep:excerpt()  -->
    <param name="excerptProviderClass" value="info.magnolia.jackrabbit.lucene.SearchHTMLExcerpt"/>
    </SearchIndex>
  • After doing so, remove the index folder in the same location (repositories/magnolia/workspaces/profiles) if it exists.

Removed classes

SSO 4.0.0 removes the following classes:

  • info.magnolia.sso.SsoLoginFilter

  • info.magnolia.sso.SsoLogoutFilter

If you have a custom implementation based on these classes, you must change it.

Enabling the JCR-based fallback login

If you plan to make use of the optional fallback login functionality provided in SSO 4.0.0, we recommend updating your JAAS configuration during the upgrade process because making changes to your jaas.config file requires you to restart the instance.

While updating the jaas.config file is not necessary for SSO to function correctly, it’s required to enable the JCR-based fallback functionality.

For SSO Login Extension module users

The sso-login-extension incubator module can’t be installed with SSO 4.0.0 and later. You must adapt your configuration to replace the functionality previously offered by the sso-login-extension incubator module with the equivalent functionality in SSO 4.0.0.

  1. Uninstall the sso-login-extension module.

  2. Edit your jaas.config file so that it looks like this:

    sso-authentication {
      info.magnolia.sso.jaas.SsoAuthenticationModule requisite;
      info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
    };
  3. Revert your configuration to the following. Because this changes the login configuration, you need to use a Groovy script or do it in rescue mode.

    /server/filters/login/class = info.magnolia.cms.security.auth.login.LoginFilter (1)
    /server/filters/securityCallback/clientCallbacks/magnolia-sso/class = info.magnolia.sso.UserInitiatedRedirectClientCallback
    (1) If you’re already using version 4.x or later of the SSO module, this property is already set to the info.magnolia.cms.security.auth.login.LoginFilter class. However, if you’re on version 3.x of the SSO module, you must manually set the class to info.magnolia.sso.SsoLoginFilter when uninstalling to ensure the login process continues smoothly.
  4. Remove the following dependency from your project:

    <dependency>
      <groupId>info.magnolia.sso</groupId>
      <artifactId>sso-login-extension</artifactId>
      <version>1.0.2</version>
    </dependency>
  5. Install SSO module 4.0.x.

  6. Reconfigure the SSO module to achieve the same behavior as before.

    The sso-login-extension incubator module uses a JCR configuration to define the paths to be protected on login. In contrast, the SSO module uses roles that deny access to a specific part of the site, effectively protecting them during login.
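
A pre-flight check for steps 2 and 4 above, added here as an example and not part of the Magnolia documentation or the SSO module: it parses the text of a jaas.config and a pom.xml and reports whether the sso-authentication entry matches step 2 and whether the sso-login-extension dependency is still declared. The function names and the sample inputs are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Login modules and control flags of the sso-authentication entry, as given in step 2.
EXPECTED_JAAS = [
    ("info.magnolia.sso.jaas.SsoAuthenticationModule", "requisite"),
    ("info.magnolia.jaas.sp.jcr.JCRAuthorizationModule", "required"),
]

def jaas_entry(text, name):
    """Return [(module class, control flag), ...] for one jaas.config entry, or None."""
    text = re.sub(r"//[^\n]*|/\*.*?\*/", "", text, flags=re.S)  # drop Java-style comments
    m = re.search(r"^\s*" + re.escape(name) + r"\s*\{(.*?)\}\s*;", text, re.M | re.S)
    if m is None:
        return None
    return [tuple(s.split()[:2]) for s in m.group(1).split(";") if s.strip()]

def has_dependency(pom_xml, artifact_id):
    """True if any <dependency> in the POM names artifact_id (namespace-agnostic)."""
    for el in ET.fromstring(pom_xml).iter():
        if el.tag.split("}")[-1] != "dependency":
            continue
        if any(c.tag.split("}")[-1] == "artifactId" and (c.text or "").strip() == artifact_id
               for c in el):
            return True
    return False

def check_upgrade(jaas_text, pom_xml):
    """Return findings; an empty list means steps 2 and 4 are reflected in the files."""
    findings = []
    entry = jaas_entry(jaas_text, "sso-authentication")
    if entry is None:
        findings.append("jaas.config: no sso-authentication entry")
    elif entry != EXPECTED_JAAS:
        findings.append("jaas.config: sso-authentication differs from step 2")
    if has_dependency(pom_xml, "sso-login-extension"):
        findings.append("pom.xml: sso-login-extension dependency still present")
    return findings

# Constructed sample inputs (not taken from a real project).
SAMPLE_JAAS = """
sso-authentication {
  info.magnolia.sso.jaas.SsoAuthenticationModule requisite;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
"""
SAMPLE_POM = """<project><dependencies><dependency>
  <groupId>info.magnolia.sso</groupId><artifactId>sso-login-extension</artifactId>
  <version>1.0.2</version></dependency></dependencies></project>"""
```

Calling check_upgrade(SAMPLE_JAAS, SAMPLE_POM) reports only the leftover dependency, because the sample jaas.config already matches step 2. Module options after the control flag are ignored by the comparison.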
