@larsolino
larsolino / jaas.config
Created February 4, 2020 08:43
JAAS config Magnolia example configuration file
/**
 * options for JCRAuthenticationModule module:
 * realm: to restrict the login to a certain realm
 * use_realm_callback: to allow the GUI to pass the realm to login into
 * skip_on_previous_success: if true, the login is skipped if a previous module already completed a successful login
 *
 * example:
 * info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite realm=public;
 * info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite realm=admin skip_on_previous_success=true;
 */

'keycloakOpenIDConnectMagnoliaAdminCentral':
  'accessTokenEndpoint': http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/token
  'authorizationBaseUrl': http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/auth
  'callbackURL': http://localhost:8080/magnoliaAuthor/.auth
  'clientId': mgnl-admincentral
  'clientSecret': 273263dd-4229-472d-a897-0083ed37ba01
  'endSessionEndpoint': http://localhost:8180/auth/realms/Magnolia%20AdminCentral/protocol/openid-connect/logout
  'externalGroupsManagement': true
  'openIdAccessTokenAttributeName': openIdToken
  'openIdEnabled': true
larsolino / usergroups.superuser.yaml
Created February 4, 2020 08:46
Magnolia superuser group.
'superuser':
  'description': Superuser Group for SSO.
  'jcr:primaryType': mgnl:group
  'jcr:uuid': bd94e13f-12b7-47d1-a341-42a442d409d5
  'mgnl:created': 2019-07-23T16:14:34.779+02:00
  'mgnl:createdBy': superuser
  'mgnl:lastModified': 2020-01-17T16:09:14.515+01:00
  'mgnl:lastModifiedBy': superuser
  'title': superuser
  'groups':

'admincentral-sso':
  'authenticationServiceName': keycloakOpenIDConnectMagnoliaAdminCentral
  'class': info.magnolia.cms.security.auth.callback.SSOAuthenticationRedirectCallback
  'originalUrlPattern':
    'class': info.magnolia.cms.util.SimpleUrlPattern
    'patternString': /.magnolia/admincentral
larsolino / config.modules.sso-connector.virtualUriMappings.yaml
Last active February 4, 2020 08:50
Virtual URI mapping example for bootstrapping in Magnolia
'virtualUriMappings':
  'jcr:primaryType': mgnl:content
  'ssologin':
    'class': info.magnolia.multisite.mapping.MultiSiteRootVirtualUriMapping
    'fromUri': /sso
    'toUri': redirect:/.magnolia/admincentral
larsolino / rancher-keycloak-idp-configuration.md
Last active January 20, 2021 14:49 — forked from PhilipSchmid/rancher-keycloak-idp-configuration.md
Rancher v2.X KeyCloak Authentication Backend Configuration

Rancher's official documentation on configuring the Rancher <> KeyCloak setup (https://rancher.com/docs/rancher/v2.x/en/admin-settings/authentication/keycloak/) is fine, but definitely not sufficient to get a working configuration. That is why every single required step is documented here.

KeyCloak Configuration

I simply use the default master realm for the Rancher client. Nevertheless, a dedicated custom KeyCloak realm is often the more sensible choice.

  1. Log in as admin on https://keycloak.example.com/. Important: the same username you use for the Rancher admin user must also exist in KeyCloak. Since this guide just uses the admin account, that prerequisite is already met.
  2. Create a new client under https://keycloak.example.com/auth/admin/master/console/#/realms/master/clients
    • Client ID: https://rancher.example.com/v1-saml/keycloak/saml/metadata