Uninstalling SSO

You can manually uninstall the SSO module from your Magnolia instances by following the steps on this page. They’re intended for administrators who want to stop using an OpenID Connect (OIDC) IAM instance and return to the default Magnolia login authentication.

Prerequisites for the default Magnolia login

Before you can remove the SSO configuration, ensure that the JCR login is set up so that admins can log in successfully. In particular, review the following points in your setup.

  • Add the default JCR authentication step to the jaas.config file. Both entries below must be in the file. Restart your instance after the configuration file is updated.

    WEB-INF/config/jaas.config

    magnolia {
      info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite;
      info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
    };

    sso-authentication {
      info.magnolia.sso.jaas.SsoAuthenticationModule requisite;
      info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
    };

    The magnolia entry is the default JCR authentication step. The sso-authentication entry is the SSO authentication entry.

  • Move the form security callback node before all SSO callbacks including sso, ssoLocationFragmentRedirect, and ssoFallback.

    /server/filters/securityCallback/

    Node name                            Value
    securityCallback
      class                              info.magnolia.cms.security.SecurityCallbackFilter
      clientCallbacks
        form
          class                          info.magnolia.cms.security.auth.callback.FormClientCallback
          loginForm                      /defaultMagnoliaLoginForm/login.html
        ssoFallback
          class                          info.magnolia.cms.security.auth.callback.FormClientCallback
          loginForm                      /defaultMagnoliaLoginForm/login.html
          originalUrlPattern
            patternString                /.magnolia/jcrlogin
            class                        info.magnolia.cms.util.SimpleUrlPattern
          enabled                        true
        ssoLocationFragmentRedirect
          class                          info.magnolia.sso.LocationFragmentRedirectClientCallback
          originalUrlPattern
            patternString                /.magnolia/admincentral*
            class                        info.magnolia.cms.util.SimpleUrlPattern
        sso
          class                          info.magnolia.sso.UserInitiatedRedirectClientCallback

    The Magnolia default form login (JCR user login) is the first callback node under securityCallback and has the highest priority.

  • Ensure you have an enabled JCR user with superuser permissions, and then try to log in. If login is successful, proceed to remove security callbacks, filter and other configurations in the next section.
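
A pre-flight check for the first two prerequisites above, as an added example that is not part of the Magnolia documentation: it parses jaas.config text for the required entries and checks an ordered list of callback node names as read from clientCallbacks. The function names, the simplified parser (module and flag only, options ignored) and the constructed samples are assumptions.

```python
import re

# Module/flag pairs this page requires in WEB-INF/config/jaas.config.
REQUIRED = {
    "magnolia": [
        ("info.magnolia.jaas.sp.jcr.JCRAuthenticationModule", "requisite"),
        ("info.magnolia.jaas.sp.jcr.JCRAuthorizationModule", "required"),
    ],
    "sso-authentication": [
        ("info.magnolia.sso.jaas.SsoAuthenticationModule", "requisite"),
        ("info.magnolia.jaas.sp.jcr.JCRAuthorizationModule", "required"),
    ],
}
SSO_CALLBACKS = {"sso", "ssoLocationFragmentRedirect", "ssoFallback"}

def parse_jaas(text):
    """Return {entry: [(module, flag), ...]}; simplified, module options are ignored."""
    text = re.sub(r"/\*.*?\*/|//[^\n]*", "", text, flags=re.S)  # strip comments
    entries = {}
    for name, body in re.findall(r"([\w.-]+)\s*\{(.*?)\}\s*;", text, flags=re.S):
        entries[name] = [tuple(s.split()[:2]) for s in body.split(";") if s.strip()]
    return entries

def jaas_problems(text):
    """List each required module/flag pair that is missing from the file."""
    entries = parse_jaas(text)
    return [f"{name}: missing '{mod} {flag}'"
            for name, pairs in REQUIRED.items()
            for mod, flag in pairs
            if (mod, flag) not in entries.get(name, [])]

def form_has_priority(callbacks):
    """True when 'form' comes before every SSO callback in the ordered node list."""
    if "form" not in callbacks:
        return False
    sso_idx = [i for i, c in enumerate(callbacks) if c in SSO_CALLBACKS]
    return not sso_idx or callbacks.index("form") < min(sso_idx)

# Constructed sample: an SSO-only jaas.config that still lacks the magnolia entry.
SAMPLE_JAAS = """
sso-authentication {
  info.magnolia.sso.jaas.SsoAuthenticationModule requisite;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
"""
SAMPLE_ORDER = ["ssoFallback", "ssoLocationFragmentRedirect", "sso", "form"]  # constructed

if __name__ == "__main__":
    print(jaas_problems(SAMPLE_JAAS))
    print("form first:", form_has_priority(SAMPLE_ORDER))
```

Both checks should come back clean (an empty problem list and `True`) before you test the superuser login and move on to the removal steps.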

Remove the SSO login configuration

Remove the SSO login configuration only after you have successfully prepared the default JCR login.

  1. Revert filter settings by removing the sso, ssoLocationFragmentRedirect, and ssoFallback security callback filters.

    /server/filters/securityCallback/

    Node name                            Value
    securityCallback
      class                              info.magnolia.cms.security.SecurityCallbackFilter
      clientCallbacks
        form
          class                          info.magnolia.cms.security.auth.callback.FormClientCallback
          loginForm                      /defaultMagnoliaLoginForm/login.html
        ssoFallback
          class                          info.magnolia.cms.security.auth.callback.FormClientCallback
          loginForm                      /defaultMagnoliaLoginForm/login.html
          originalUrlPattern
            patternString                /.magnolia/jcrlogin
            class                        info.magnolia.cms.util.SimpleUrlPattern
          enabled                        true
        ssoLocationFragmentRedirect
          class                          info.magnolia.sso.LocationFragmentRedirectClientCallback
          originalUrlPattern
            patternString                /.magnolia/admincentral*
            class                        info.magnolia.cms.util.SimpleUrlPattern
        sso
          class                          info.magnolia.sso.UserInitiatedRedirectClientCallback

    Remove the filters installed by the SSO module.

  2. Additionally, remove the following bootstrapped settings.

    1. Delete the sso-authentication node and its subnodes under the userManagers node.

      /server/security/userManagers

      Node name                  Value
      userManagers
        sso-authentication
          class                  info.magnolia.sso.SsoUserManager

    2. Remove the sso-redirect-uri-authorizer role on the Roles tab. This also removes any references automatically.

  3. Remove the SSO environment-specific config.yaml file added during installation.

  4. Finally, remove the SSO dependency from your project, redeploy your updated webapp, and restart your instances.

    <dependency>
      <groupId>info.magnolia.sso</groupId>
      <artifactId>magnolia-sso</artifactId>
      <version>4.0.2</version>
    </dependency>

    When redeploying your updated webapp, follow the guidelines on backing up and restoring instances for production environments.