Keycloak is a powerful identity and access management solution that supports OpenID Connect. The following text provides instructions on how to configure Keycloak for use with Magnolia SSO. The OIDC-based identity provider requires upfront information about your Magnolia instance, as otherwise any client could attempt to log in with a user account managed by your personal Keycloak server.

It is assumed that you have a running Keycloak instance on localhost port 8180, and that Magnolia is running on localhost port 8080. The deployment context for Magnolia is ‘magnoliaAuthor’. Magnolia's full URL is:

http://localhost:8080/magnoliaAuthor

🚀 Log in to the Keycloak Admin Console

Start by logging into your Keycloak admin console. The URL typically looks like this:

http://<your-domain>/auth/

or

http://localhost:8180/auth

After you log in, select the realm where you want to create the OIDC client.

[Screenshot: Select the realm]

💡 The example client will be created in the mgnl realm of Keycloak. A realm in Keycloak is like a tenant or workspace. Choose the realm you need but remember to adjust the following settings.


🔧 Create a new Keycloak OIDC client

  1. In the left-hand menu, navigate to Clients.
  2. Click Create client.
[Screenshot: Create a new client]

General settings

[Screenshot: General client settings]

Click Next.


Capability config

On the capability config screen, turn Client authentication ON. This makes the client confidential and provides a client secret, which the Magnolia SSO configuration requires. I also recommend turning off Direct access grants (the Resource Owner Password Credentials flow, in which a client sends a user's password straight to the token endpoint) unless you absolutely require them.

[Screenshot: Capability config]

Click Next.


Login settings

Adjust the following parameters:

  • Root URL: The root URL provides the location and context of your application (optional).
  • Valid redirect URIs: Redirect URIs are essential for OIDC, in the same way the access type is. A redirect URI may also be referred to as a callback URL; a client can have one or several. The redirect URI specifies the path the identity provider calls back to after your application has initiated the first exchange. It is a security feature: only predefined paths can be used to complete authentication. The wildcard “http://localhost:8080/magnoliaAuthor/*” is ideal for getting started, but in production environments it is recommended to be more precise and specify one or more URLs without a wildcard.
  • Valid post logout redirect URIs: Define where users can be redirected after they log out of an application. These URIs ensure that after a successful logout users are redirected only to trusted, predefined URIs, preventing security risks like open redirects to malicious sites. They can also improve the user experience by directing users to a relevant page after logout (e.g., a login page, homepage or portal).
[Screenshot: Login settings]

⚠️ Redirect URIs must also be specified in the configuration of the Magnolia SSO module. The value specified on the Magnolia side must match the value specified in the client configuration of the identity provider exactly.
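To make the matching rule concrete, here is an added example (not part of the original article, and not Keycloak's or Magnolia's code) that models how an OIDC provider decides whether the redirect_uri a client sends is one of the configured Valid redirect URIs. It reduces the rules to the two the article relies on: an entry matches exactly, or, when it ends in '*', as a prefix. The callback path `.auth` and the look-alike host are constructed placeholders; Keycloak's real matching has further rules (for example resolving relative entries against the Root URL), so treat this as a model. The same check applies to Valid post logout redirect URIs.

```python
"""
Added example, not part of the original article: a simplified model of the
check an OIDC provider such as Keycloak performs on the redirect_uri sent by
the client (here: Magnolia SSO). An entry in "Valid redirect URIs" matches
exactly, or, when it ends in '*', as a prefix. Everything else is refused.
"""


def redirect_uri_allowed(requested: str, valid_redirect_uris: list[str]) -> bool:
    """Return True if `requested` matches one configured entry."""
    # The provider compares whole strings: scheme, host, port and path all
    # count, and a value carrying a fragment is refused outright.
    if "#" in requested:
        return False
    for entry in valid_redirect_uris:
        if entry.endswith("*"):
            # a trailing '*' turns the entry into a prefix pattern
            if requested.startswith(entry[:-1]):
                return True
        elif requested == entry:
            return True
    return False


# Constructed sample configurations: the wildcard from the article, and the
# more precise list the article recommends for production.
GETTING_STARTED = ["http://localhost:8080/magnoliaAuthor/*"]
PRODUCTION = ["http://localhost:8080/magnoliaAuthor/.auth"]  # hypothetical callback path

# Constructed candidates a client might send, with the expected decision under
# each configuration as (wildcard, precise).
CASES = {
    "http://localhost:8080/magnoliaAuthor/.auth": (True, True),
    "http://localhost:8080/magnoliaAuthor/anything/else": (True, False),
    "http://localhost:8080/magnoliaAuthor/.auth#frag": (False, False),         # fragment
    "http://localhost:8080/magnoliaPublic/.auth": (False, False),              # other context
    "https://localhost:8080/magnoliaAuthor/.auth": (False, False),             # scheme differs
    "http://localhost.example.net:8080/magnoliaAuthor/.auth": (False, False),  # look-alike host
}


def evaluate(valid_redirect_uris: list[str]) -> dict[str, bool]:
    """Decision for every candidate under one configuration."""
    return {uri: redirect_uri_allowed(uri, valid_redirect_uris) for uri in CASES}


def all_cases_match() -> bool:
    """True if the model yields the expected decision for every case."""
    wild, precise = evaluate(GETTING_STARTED), evaluate(PRODUCTION)
    return all((wild[uri], precise[uri]) == exp for uri, exp in CASES.items())


if __name__ == "__main__":
    for uri, (w, p) in CASES.items():
        print(f"{uri:58} wildcard={w!s:5} precise={p}")
```

Run it against the two lists and the difference the article describes shows up directly: the wildcard accepts any path below the context, while the precise list accepts only the one callback Magnolia SSO is configured to use, which is why the Magnolia-side value has to be identical.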

Click Save.


⚙️ Fetch the client secret

Switch to the Credentials tab.

Copy the value for Client secret and paste it into a plain text editor. You will require this information for Magnolia SSO configuration.

[Screenshot: Client secret]

🔬 Next steps

Test your configuration

You should test your client with an OIDC tool like Postman before integrating it into your application. Testing outside Magnolia DXP (or any other client) ensures that any problems you run into are not caused by the general OpenID Connect client configuration.

See Postman and the Keycloak UserInfo endpoint about testing.
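As an added example (not from the article, Magnolia or Keycloak), the following script builds the three requests a manual test of the new client consists of, offline, so every value can be inspected before it is pasted into Postman or curl. Endpoint paths follow Keycloak's standard layout for the mgnl realm behind the legacy /auth context the article uses. The client id `magnolia-author`, the callback path `.auth` and the secret are constructed placeholders; substitute the values from your own client.

```python
"""
Added example, not part of the original article: the authorization code flow
against the client created above, prepared offline. Endpoint layout is
Keycloak's standard one; client id, callback and secret are placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

KEYCLOAK = "http://localhost:8180/auth"
REALM = "mgnl"
ISSUER = f"{KEYCLOAK}/realms/{REALM}"
AUTH_ENDPOINT = f"{ISSUER}/protocol/openid-connect/auth"
TOKEN_ENDPOINT = f"{ISSUER}/protocol/openid-connect/token"
USERINFO_ENDPOINT = f"{ISSUER}/protocol/openid-connect/userinfo"

CLIENT_ID = "magnolia-author"                                 # placeholder
REDIRECT_URI = "http://localhost:8080/magnoliaAuthor/.auth"   # placeholder callback


def pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for PKCE method S256."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, within the 43..128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorization_url(state: str, nonce: str, code_challenge: str) -> str:
    """Step 1: the URL the browser is sent to."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": REDIRECT_URI,     # must be one of the Valid redirect URIs
        "state": state,                   # ties the callback to this request
        "nonce": nonce,                   # echoed back inside the ID token
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: take the code from the redirect; refuse a foreign state."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to our request")
    if "error" in query:
        raise ValueError(f"provider returned error {query['error'][0]}")
    return query["code"][0]


def build_token_request(code: str, code_verifier: str, client_secret: str) -> dict:
    """Step 3: form body POSTed to the token endpoint. With Client
    authentication ON the secret is required (body or HTTP Basic)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,     # must equal the value used in step 1
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "code_verifier": code_verifier,
    }


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    verifier, challenge = pkce_pair()
    print("open in a browser:", build_authorization_url(state, nonce, challenge))
    # After login Keycloak redirects to REDIRECT_URI?state=...&code=...
    # Then POST build_token_request(code, verifier, secret) to TOKEN_ENDPOINT and
    # GET USERINFO_ENDPOINT with "Authorization: Bearer <access_token>".
```

The state check in step 2 is the part worth keeping even in a throwaway test: a callback whose state does not match the request you issued is dropped before any code is exchanged. If the token endpoint answers with invalid_redirect_uri or invalid_client, the redirect URI or the secret copied above does not match the Keycloak client, which is exactly the class of problem this test is meant to surface before Magnolia is involved.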


Magnolia SSO integration


Happy coding! 🎉