Key Concepts

Morgana is a single sign-on solution for web apps and RESTful web services. The goal of Morgana is to make security simple, so that it is easy for application developers to secure the apps and services they have deployed in their organization. Security features that developers normally have to write for themselves are provided out of the box and are easily tailored to the individual requirements of your organization. Morgana provides customizable user interfaces for login, registration, administration, and account management. You can also use Morgana as an integration platform to hook it into existing LDAP and Active Directory services, and you can delegate authentication to third-party identity providers like Meta and Google.

Features

Morgana provides the following features:

  • Single Sign-On and Single Sign-Out for browser applications

  • OpenID Connect support

  • OAuth 2.0 support

  • SAML support

  • Identity Brokering - Authenticate with external OpenID Connect or SAML Identity Providers

  • Social Login - Enable login with Google, GitHub, Meta, Twitter, and others

  • User Federation - Sync users from LDAP and Active Directory servers.

  • Kerberos bridge - Automatically authenticate users that are logged in to a Kerberos server.

  • Admin Console for central management of users, roles, role mappings, clients, and configuration.

  • Account Management console that allows users to centrally manage their accounts.

  • Theme support - Customize all user-facing pages to integrate with your applications and branding.

  • Two-factor Authentication - Support for TOTP/HOTP via Google Authenticator or FreeOTP.

  • Login flows - optional user self-registration, recover password, verify email, require password update, etc.

  • Session management - Admins and users themselves can view and manage user sessions

  • Token Mappers - Map user attributes, roles, etc. how you want into tokens and statements

  • Not-before revocation policies per realm, application, and user.

  • CORS support - Client adapters have built-in support for CORS.

  • Service Provider Interfaces (SPI) - A number of SPIs to enable customizing various aspects of the server. Authentication flows, user federation providers, protocol mappers and many more.

  • Client adapters for JavaScript applications, WildFly, JBoss EAP, Tomcat, Jetty, Spring, etc.

  • Supports any platform/language that has an OpenID Connect Relying Party library or a SAML 2.0 Service Provider library.

Basic Morgana Operations

Morgana is a separate server that you manage on your network. Applications are configured to point to and be secured by this server. Morgana uses open protocol standards like OpenID Connect or SAML 2.0 to secure your applications. Browser applications redirect a user’s browser from the application to the Morgana authentication server, where the user enters their credentials. This redirection is important because users are completely isolated from applications and applications never see a user’s credentials. Applications instead receive an identity token or assertion that is cryptographically signed by Morgana; an application must verify that signature, and the token’s issuer, audience and expiry, before trusting anything the token says. These tokens can carry identity information like username, address, email, and other profile data. They can also hold permission data so that applications can make authorization decisions. The same tokens can be used to make secure invocations on REST-based services.

Core Concepts and Terms

Consider these core concepts and terms before attempting to use Morgana to secure your web applications and REST services.

Users

Users are entities that are able to log into your system. They can have attributes associated with themselves like email, username, address, phone number, and birthday. They can be assigned group membership and have specific roles assigned to them.

Authentication

The process of identifying and validating a user.

Authorization

The process of granting access to a user.

Credentials

Credentials are pieces of data that Morgana uses to verify the identity of a user. Some examples are passwords, one-time passwords, digital certificates, or even fingerprints.

Roles

Roles identify a type or category of user. Admin, User, Manager, and Employee are all typical roles that may exist in an organization. Applications often assign access and permissions to specific roles rather than individual users as dealing with users can be too fine-grained and hard to manage.

User Role Mapping

A user role mapping defines a mapping between a role and a user. A user can be associated with zero or more roles. This role mapping information can be encapsulated into tokens and assertions so that applications can decide access permissions on various resources they manage.

Composite Roles

A composite role is a role that can be associated with other roles. For example, a superuser composite role could be associated with the sales-admin and order-entry-admin roles. If a user is mapped to the superuser role they also inherit the sales-admin and order-entry-admin roles.

Groups

Groups manage groups of users. Attributes can be defined for a group. You can map roles to a group as well. Users that become members of a group inherit the attributes and role mappings that group defines.
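The inheritance described under User Role Mapping, Composite Roles and Groups, as an added example that is not Morgana's own code: given a small constructed realm, it resolves the roles a user ends up with after composite expansion and group membership, which is what an application sees in the token and uses for its access decisions. The model assumed is the one the page describes (composites expand transitively, a member inherits the group's role mappings, and a subgroup inherits its parent group's mappings); the role names, groups and users are constructed.

```python
# Added example, not Morgana's own code: computing a user's effective roles from
# direct role mappings, composite roles and group membership. The realm data is
# constructed; the inheritance model assumed is the one the page describes.
from collections import deque

# composite role -> roles it grants (constructed)
COMPOSITES = {
    "superuser": {"sales-admin", "order-entry-admin"},
    "sales-admin": {"sales-viewer"},
}

# group -> parent group and the roles mapped to it (constructed)
GROUPS = {
    "staff": {"parent": None, "roles": {"employee"}},
    "sales": {"parent": "staff", "roles": {"sales-viewer"}},
    "sales-leads": {"parent": "sales", "roles": {"sales-admin"}},
}

# user -> directly mapped roles and group memberships (constructed)
USERS = {
    "alice": {"roles": {"superuser"}, "groups": set()},
    "bob": {"roles": set(), "groups": {"sales-leads"}},
    "carol": {"roles": {"user"}, "groups": {"staff"}},
}


def expand_composites(roles, composites):
    """Transitive closure over composite roles; the visited set guards against cycles."""
    effective, queue = set(), deque(roles)
    while queue:
        role = queue.popleft()
        if role in effective:
            continue
        effective.add(role)
        queue.extend(composites.get(role, ()))
    return effective


def group_chain(group, groups):
    """A group followed by all of its ancestors, root last."""
    chain = []
    while group is not None:
        chain.append(group)
        group = groups[group]["parent"]
    return chain


def effective_roles(username, users=USERS, groups=GROUPS, composites=COMPOSITES):
    """Roles a token for this user would carry after all inheritance applies."""
    user = users[username]
    mapped = set(user["roles"])
    for group in user["groups"]:
        for ancestor in group_chain(group, groups):
            mapped |= groups[ancestor]["roles"]
    return expand_composites(mapped, composites)


def has_role(username, role, **realm):
    """The authorization check an application makes on the resolved roles."""
    return role in effective_roles(username, **realm)


if __name__ == "__main__":
    for name in USERS:
        print(name, sorted(effective_roles(name)))
```

Note that bob never had a role mapped directly: everything he holds comes from one group membership, through two levels of parent groups and one composite, which is exactly why auditing "who can do X" has to be done on effective roles rather than on direct mappings.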

Realms

A Realm manages a set of users, credentials, roles, and groups. A user belongs to and logs into a realm. Realms are isolated from one another and can only manage and authenticate the users that they control.

Clients

Clients are entities that can request Morgana to authenticate a user. Most often, clients are applications and services that want to use Morgana to secure themselves and provide a single sign-on solution. Clients can also be entities that just want to request identity information or an access token so that they can securely invoke other services on the network that are secured by Morgana.

Client Adapters

Client adapters are plugins that you install into your application environment to be able to communicate and be secured by Morgana. Morgana has a number of adapters for different platforms that you can download. There are also third-party adapters you can get for environments that we don’t cover.

Consent

Consent is when you, as an admin, want a user to give permission to a client before that client can participate in the authentication process. After a user provides their credentials, Morgana displays a screen identifying the client requesting a login and what identity information it is asking for. The user can then decide whether or not to grant the request.

Client Scopes

When a client is registered, you must define protocol mappers and role scope mappings for that client. Because many clients need the same settings, it is often useful to keep them in a client scope that can be shared, which makes creating new clients easier. A client scope is also the unit by which claims or roles are added to a token conditionally, depending on the value of the scope parameter in the request. Morgana provides the concept of a client scope for this.

Client Role

Clients can define roles that are specific to them. This is basically a role namespace dedicated to the client.

Identity Token

A token that provides identity information about the user. Part of the OpenID Connect specification.

Access Token

A token that can be provided as part of an HTTP request, typically as a bearer token in the Authorization header, and that grants access to the service being invoked. This is part of the OpenID Connect and OAuth 2.0 specifications.

Assertion

Information about a user. This usually pertains to an XML blob that is included in a SAML authentication response and that provides identity metadata about an authenticated user.

Service Account

Each client can have a built-in service account, which allows the client to obtain an access token in its own name, without a user being involved, using the OAuth 2.0 client credentials grant.

Direct Grant

A way for a client to obtain an access token on behalf of a user via a REST invocation, sending the user’s credentials directly to Morgana instead of redirecting the browser. Because the client handles the user’s password in this flow, it gives up the isolation between users and applications described above; enable it only for trusted clients that genuinely cannot use a browser redirect.

Protocol Mappers

For each client you can tailor what claims and assertions are stored in the OIDC token or SAML assertion. You do this per client by creating and configuring protocol mappers.
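The Client Scopes and Protocol Mappers entries above, as one added example that is not Morgana's own code: a small mapper engine assembles the claims for a token from a user record, a client registration and a set of reusable client scopes, where default scopes always apply and optional ones apply only when named in the OAuth scope parameter. The user, client, scope definitions and mapper types are constructed for illustration, and the realm_access / resource_access claim layout is an assumption about the token format, not something the page specifies.

```python
# Added example, not Morgana's own code: how client scopes and protocol mappers
# decide which claims reach a token. User, client, scopes and mapper types are
# constructed; the realm_access / resource_access layout is an assumed format.
USER = {
    "id": "user-0001",
    "username": "alice",
    "email": "alice@example.com",
    "attributes": {"department": "sales", "home_phone": "555-0100"},
    "realm_roles": ["user", "sales-admin"],
    "client_roles": {"orders-app": ["order-entry-admin"], "billing-app": ["viewer"]},
}

# Client registration: default scopes always apply, optional ones only on request.
CLIENT = {
    "client_id": "orders-app",
    "default_scopes": ["roles"],
    "optional_scopes": ["email", "org-profile"],
}

# Reusable client scopes, each a bundle of protocol mappers (constructed).
SCOPES = {
    "roles": [{"type": "realm-roles"}, {"type": "client-roles"}],
    "email": [{"type": "user-property", "property": "email", "claim": "email"}],
    "org-profile": [{"type": "user-attribute", "attribute": "department", "claim": "department"}],
}


def apply_mapper(mapper, user, client_id, claims):
    """Copy one piece of user data into the claims under the mapper's rules."""
    kind = mapper["type"]
    if kind == "user-property":
        claims[mapper["claim"]] = user[mapper["property"]]
    elif kind == "user-attribute":
        value = user["attributes"].get(mapper["attribute"])
        if value is not None:
            claims[mapper["claim"]] = value
    elif kind == "realm-roles":
        claims["realm_access"] = {"roles": list(user["realm_roles"])}
    elif kind == "client-roles":
        # Only this client's roles; roles for other clients stay out of the token.
        roles = user["client_roles"].get(client_id, [])
        if roles:
            claims["resource_access"] = {client_id: {"roles": list(roles)}}
    else:
        raise ValueError(f"unknown mapper type {kind}")


def build_claims(user, client, scopes, requested_scope):
    """Assemble the claims for `client` given the OAuth 'scope' request parameter."""
    active = list(client["default_scopes"])
    for name in requested_scope.split():
        # A scope the client was never granted is ignored, not honoured.
        if name in client["optional_scopes"] and name not in active:
            active.append(name)
    claims = {"sub": user["id"], "preferred_username": user["username"],
              "scope": " ".join(active)}
    for name in active:
        for mapper in scopes[name]:
            apply_mapper(mapper, user, client["client_id"], claims)
    return claims


if __name__ == "__main__":
    print(build_claims(USER, CLIENT, SCOPES, "openid"))
    print(build_claims(USER, CLIENT, SCOPES, "openid email org-profile"))
```

Two things worth noticing: the home_phone attribute never reaches a token because no mapper names it, and the billing-app roles never appear in a token issued to orders-app. Mappers are therefore as much a disclosure control as a convenience.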

Session

When a user logs in, a session is created to manage the login session. A session contains information like when the user logged in and what applications have participated within single-sign on during that session. Both admins and users can view session information.

User Federation Provider

Morgana can store and manage users. Often, companies already have LDAP or Active Directory services that store user and credential information. You can point Morgana to validate credentials from those external stores and pull in identity information.

Identity Provider

An identity provider (IDP) is a service that can authenticate a user. Morgana is an IDP.

Identity Provider Federation

Morgana can be configured to delegate authentication to one or more IDPs. Social login via Meta or Google is an example of identity provider federation. You can also hook Morgana up to delegate authentication to any other OpenID Connect or SAML 2.0 IDP.

Identity Provider Mappers

When doing IDP federation you can map incoming tokens and assertions to user and session attributes. This helps you propagate identity information from the external IDP to your client requesting authentication.

Required Actions

Required actions are actions a user must perform during the authentication process. A user will not be able to complete the authentication process until these actions are complete. For example, an admin may require users to reset their passwords every month; an update-password required action would then be set for all of these users.

Authentication Flows

Authentication flows are workflows a user must perform when interacting with certain aspects of the system. A login flow can define what credential types are required. A registration flow defines what profile information a user must enter and whether something like reCAPTCHA must be used to filter out bots. A credential reset flow defines what actions a user must complete before they can reset their password.

Events

Events are audit streams that admins can view and hook into.
