Moqui SSO now available

We’re happy to announce the availability of Moqui SSO. This new feature is for anyone looking to add new login options to Moqui. The new Moqui SSO component supports the following protocols:

  1. OAuth
  2. OpenID Connect
  3. SAML

How to enable Moqui SSO?
You can enable SSO by following these 2 simple steps:

  1. Get the SSO component:
     ./gradlew getComponent -Pcomponent=moqui-sso
  2. Load the seed data (pick the flow you wish to enable):
<entity-facade-xml>
	<moqui.security.sso.AuthFlow authFlowId="Keycloak" authFlowTypeEnumId="AftOidc" description="Keycloak" defaultUserGroupId="ALL_USERS" sequenceNum="1" iconName="security">
		<oidc clientTypeEnumId="OctKeycloak" clientId="XXXXXX" secret="XXXXXX" realm="XXXXXX" baseUri="XXXXXX" preferredJwsAlgorithmEnumId="OjaRS512"/>
		<roleMaps roleName="ADMIN" userGroupId="ADMIN" roleTypeId="Employee"/>
		<fieldMaps ruleSeqId="01" srcFieldName="name" dstFieldName="userFullName"/>
		<fieldMaps ruleSeqId="02" srcFieldName="given_name" dstFieldName="firstName"/>
		<fieldMaps ruleSeqId="03" srcFieldName="family_name" dstFieldName="lastName"/>
		<fieldMaps ruleSeqId="04" srcFieldName="email" dstFieldName="emailAddress"/>
	</moqui.security.sso.AuthFlow>

	<moqui.security.sso.AuthFlow authFlowId="GitHub" authFlowTypeEnumId="AftOauth" description="GitHub" defaultUserGroupId="ALL_USERS" sequenceNum="2" iconName="globe">
		<oauth clientTypeEnumId="OctGitHub" clientId="XXXXXX" secret="XXXXXX"/>
		<fieldMaps ruleSeqId="01" srcFieldName="name" dstFieldName="userFullName"/>
		<fieldMaps ruleSeqId="02" srcFieldName="login" dstFieldName="emailAddress" dstFieldExpression="login + '@moqui.org'"/>
		<fieldMaps ruleSeqId="03" srcFieldName="name" dstFieldName="firstName" dstFieldExpression="name.split(' ').length > 2 ? name.split(' ')[0] + ' ' + name.split(' ')[1] : name.split(' ')[0]"/>
		<fieldMaps ruleSeqId="04" srcFieldName="name" dstFieldName="lastName" dstFieldExpression="name.replaceFirst(name.split(' ').length > 2 ? name.split(' ')[0] + ' ' + name.split(' ')[1] : name.split(' ')[0], '').trim()"/>
	</moqui.security.sso.AuthFlow>

	<moqui.security.sso.AuthFlow authFlowId="Duo" authFlowTypeEnumId="AftSaml" description="Duo" defaultUserGroupId="ALL_USERS" sequenceNum="3" iconName="globe">
		<saml keystoreLocation="XXXXXX" keystorePassword="XXXXXX" privateKeyPassword="XXXXXX" serviceProviderEntityId="XXXXXX" identityProviderMetadataLocation="XXXXXX"/>
		<fieldMaps ruleSeqId="01" srcFieldName="Name" dstFieldName="userFullName" dstFieldTypeEnumId="DftString" dstFieldExpression="Name.get(0)"/>
		<fieldMaps ruleSeqId="02" srcFieldName="email" dstFieldName="emailAddress" dstFieldTypeEnumId="DftString"/>
		<fieldMaps ruleSeqId="03" srcFieldName="first_name" dstFieldName="firstName" dstFieldTypeEnumId="DftString"/>
		<fieldMaps ruleSeqId="04" srcFieldName="last_name" dstFieldName="lastName" dstFieldTypeEnumId="DftString"/>
	</moqui.security.sso.AuthFlow>
</entity-facade-xml>

Feel free to reach out to me with feedback or comments!


Great news, thanks. We will be checking it out in the next weeks.


Awesome! Thanks for the contribution!


This is great. Thanks for doing this Ayman!

I was able to set it up with GitHub. For those who are interested in how, here are a couple of steps:

Setup Note: Before following Ayman’s steps ahead, you’ll need to update your git repo with the latest moqui-framework and moqui-runtime. This will add the moqui-sso component to addons.xml in moqui-framework, and the necessary changes to moqui-runtime (i.e. the Login screen).

This is for testing locally:

  1. Boot up moqui at http://localhost:8080 as usual for development
  2. Follow this GitHub tutorial to create an OAuth App: Creating an OAuth app - GitHub Docs
  3. Go to http://localhost:8080/qapps/tools/Entity/DataImport and import the following changed data (the changed data handles the scenario where the name is null):

Note: make sure that you use the client ID and secret from GitHub from the tutorial in step 2 (see screenshot)

<moqui.security.sso.AuthFlow defaultUserGroupId="ALL_USERS" sequenceNum="2" authFlowId="GitHub" iconName="globe" authFlowTypeEnumId="AftOauth" description="GitHub">
    <oauth clientId="ExampleClientId" secret="ExampleSecret" clientTypeEnumId="OctGitHub"/>
    <fieldMaps ruleSeqId="01" dstFieldName="userFullName" srcFieldName="name"/>
    <fieldMaps ruleSeqId="02" dstFieldName="emailAddress" srcFieldName="login" dstFieldExpression="login + '@moqui.org'"/>
    <fieldMaps ruleSeqId="03" dstFieldName="firstName" srcFieldName="name" dstFieldExpression="name ? (name.split(' ').length > 2 ? name.split(' ')[0] + ' ' + name.split(' ')[1] : name.split(' ')[0]) : login"/>
    <fieldMaps ruleSeqId="04" dstFieldName="lastName" srcFieldName="name" dstFieldExpression="name ? name.replaceFirst(name.split(' ').length > 2 ? name.split(' ')[0] + ' ' + name.split(' ')[1] : name.split(' ')[0], '').trim() : login"/>
</moqui.security.sso.AuthFlow>

  4. Then go to http://localhost:8080/Login#sso and click GitHub.

Note for @aabiabdallah and those who try this out on a Chromium browser: I was able to have it work just fine with Firefox. However, on a Chromium browser the 303 redirect for the /sso/Login endpoint form submit wasn’t allowed (see error below). Can someone please reproduce this?

Refused to send form data to 'http://localhost:8080/sso/login' because it violates the following Content Security Policy directive: "form-action 'self'".
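To reason about the "Refused to send form data" error quoted above, here is an added example (not code from the Moqui SSO component or from this thread) that evaluates a CSP form-action directive the way a browser does: 'self' requires the same scheme, host and port as the page, and Chromium, unlike Firefox, also checks every redirect hop of a form submission. The page URL, form target and the GitHub authorize URL used as a redirect hop are assumed scenario values, not taken from the thread.

```javascript
// Added example: CSP form-action checker. Simplified host-source matching
// (no http->https upgrade rule); enough to see why 'self' fails when the page
// origin and the form target differ in scheme, host or port, or when a
// redirect hop leaves the app's origin.

// Match one URL against a single CSP source expression.
function sourceMatches(expr, pageOrigin, target) {
  const page = new URL(pageOrigin);
  const url = new URL(target);
  if (expr === "'none'") return false;
  if (expr === "'self'") {   // same scheme, host AND port as the document
    return url.protocol === page.protocol && url.hostname === page.hostname && url.port === page.port;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol.toLowerCase() === expr.toLowerCase(); // scheme-source
  // host-source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\*|\d+))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  if (scheme && url.protocol.toLowerCase() !== scheme.toLowerCase() + ":") return false;
  const h = url.hostname.toLowerCase(), want = host.toLowerCase();
  if (!(wild ? h.endsWith("." + want) : h === want)) return false;
  if (port === "*") return true;
  if (!port) return url.port === "";               // no port in the source: default port only
  return port === (url.port || (url.protocol === "https:" ? "443" : "80"));
}

// Pull form-action out of the header and check the submission target plus every
// redirect hop. form-action has no default-src fallback, so a missing directive
// means unrestricted. Returns the first URL the browser would refuse.
function checkFormAction(cspHeader, pageOrigin, urls) {
  const directive = cspHeader.split(";").map(s => s.trim()).find(s => /^form-action(\s|$)/i.test(s));
  if (!directive) return { allowed: true, blockedUrl: null };
  const sources = directive.split(/\s+/).slice(1);
  for (const u of urls) {
    if (!sources.some(src => sourceMatches(src, pageOrigin, u))) return { allowed: false, blockedUrl: u };
  }
  return { allowed: true, blockedUrl: null };
}

// Constructed scenarios: the login page at http://localhost:8080/Login posting to /sso/login.
const csp = "default-src 'self'; form-action 'self'";
console.log(checkFormAction(csp, "http://localhost:8080/Login", ["http://localhost:8080/sso/login"]));
// The 303 to the identity provider (assumed GitHub authorize URL) is a second hop Chromium checks:
console.log(checkFormAction(csp, "http://localhost:8080/Login",
  ["http://localhost:8080/sso/login", "https://github.com/login/oauth/authorize"]));
// Same app opened via 127.0.0.1 instead of localhost: 'self' no longer covers the form target.
console.log(checkFormAction(csp, "http://127.0.0.1:8080/Login", ["http://localhost:8080/sso/login"]));
// Allow-listing the provider origin lets the redirect hop pass without opening form-action to '*'.
console.log(checkFormAction("form-action 'self' https://github.com", "http://localhost:8080/Login",
  ["http://localhost:8080/sso/login", "https://github.com/login/oauth/authorize"]));
```

When diagnosing the error, compare the origin shown in the address bar with the form target and each Location header in the 303 chain; any difference in scheme, host or port breaks 'self'.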