keycloak-scim/topics/overview/concepts.adoc

=== Core Concepts and Terms
There are some key concepts and terms you should be aware of before attempting to use {{book.project.name}} to secure your web applications
and REST services.
users::
Users are entities that are able to log into your system. They can have attributes associated with them like email,
username, address, phone number, and birthday. They can be assigned group membership and have specific roles assigned to them.
authentication::
The process of identifying and validating a user.
authorization::
The process of granting access to a user.
credentials::
Credentials are pieces of data that {{book.project.name}} uses to verify the identity of a user. Some examples are passwords,
one-time passwords, digital certificates, or even fingerprints.
roles::
Roles identify a type or category of user. `Admin`, `user`, `manager`, and `employee` are all typical roles that may exist
in an organization. Applications often assign access and permissions to specific roles rather than to individual users, as dealing
with individual users can be too fine-grained and hard to manage.
user role mapping::
A user role mapping defines a mapping between a role and a user. A user can be associated with zero or more roles. This
role mapping information can be encapsulated into tokens and assertions so that applications can decide access permissions on
the various resources they manage.
composite roles::
A composite role is a role that can be associated with other roles. For example, a `superuser` composite role could be associated with the
`sales-admin` and `order-entry-admin` roles. If a user is mapped to the `superuser` role they also inherit the `sales-admin` and `order-entry-admin` roles.
groups::
Groups are collections of users. Attributes can be defined for a group, and you can map roles to a group as well. Users that become members of a group
inherit the attributes and role mappings that the group defines.
realms::
A realm manages a set of users, credentials, roles, and groups. A user belongs to and logs into a realm. Realms are isolated from one another
and can only manage and authenticate the users that they control.
clients::
Clients are entities that can request {{book.project.name}} to authenticate a user. Most often, clients are applications and services that
want to use {{book.project.name}} to secure themselves and provide a single sign-on solution. Clients can also be entities that just want to request
identity information or an access token so that they can securely invoke other services on the network that are secured by {{book.project.name}}.
client adapters::
Client adapters are plugins that you install into your application environment so that it can communicate with and be secured by {{book.project.name}}. {{book.project.name}}
has a number of adapters for different platforms that you can download. There are also third-party adapters you can get for environments that we don't cover.
consent::
Consent is when you as an admin want a user to give permission to a client before that client can participate in the authentication process.
After a user provides their credentials, {{book.project.name}} will pop up a screen identifying the client requesting a login and what identity
information is requested of the user. The user can decide whether or not to grant the request.
client templates::
When a client is registered you need to enter configuration information about that client. It is often useful to store a template
to make creating new clients easier. {{book.project.name}} provides the concept of a client template for this.
client role::
Clients can define roles that are specific to them. This is basically a role namespace dedicated to the client.
identity token::
A token that provides identity information about the user. Part of the OpenID Connect specification.
access token::
A token that can be provided as part of an HTTP request and that grants access to the service being invoked. This is part of
the OpenID Connect and OAuth 2.0 specifications.
assertion::
Information about a user. This usually refers to an XML blob, included in a SAML authentication response, that
provides identity metadata about an authenticated user.
service account::
Each client has a built-in service account which allows it to obtain an access token.
direct grant::
A way for a client to obtain an access token on behalf of a user via a REST invocation.
protocol mappers::
For each client you can tailor what claims and assertions are stored in the OIDC token or SAML assertion. You do this per client by creating and configuring
protocol mappers.
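The entries above for roles, user role mappings, composite roles, client roles and access tokens describe how role information ends up inside a token and how an application reads it back. The following Python script is an added illustration, not code from the {{book.project.name}} project: it expands a composite role the way the server does before issuing a token, builds a sample token that uses Keycloak's `realm_access.roles` and `resource_access.<client-id>.roles` claim layout, and shows a service verifying that token before checking roles. The shared-secret HS256 signing, the issuer URL and the client id `sales-app` are constructed for the example; a real realm signs with its own RS256 key pair, and a service must validate the signature (against the realm's public key), expiry, issuer and audience before trusting any role claim.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data mirroring the superuser / sales-admin / order-entry-admin
# example in the text. The HS256 secret exists only to keep the example offline.
COMPOSITE_ROLES = {"superuser": {"sales-admin", "order-entry-admin"}}
SIGNING_KEY = b"demo-shared-secret-not-for-production"


def expand_composites(assigned, composites):
    """Effective realm roles: the assigned roles plus everything a composite
    role pulls in, transitively. Keycloak performs this expansion server-side,
    so the token a service receives already lists the inherited roles."""
    effective, todo = set(), list(assigned)
    while todo:
        role = todo.pop()
        if role not in effective:
            effective.add(role)
            todo.extend(composites.get(role, ()))
    return effective


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(user, realm_roles, client_roles, client_id, now, ttl=300):
    """Build a sample access token with Keycloak's realm_access / resource_access
    claim structure. Realm roles are global; client roles are namespaced under the
    client id that defined them (the 'client role' concept)."""
    payload = {
        "sub": user,
        "iss": "https://idp.example.test/auth/realms/demo",  # placeholder issuer
        "azp": client_id,
        "iat": now,
        "exp": now + ttl,
        "realm_access": {"roles": sorted(expand_composites(realm_roles, COMPOSITE_ROLES))},
        "resource_access": {client_id: {"roles": sorted(client_roles)}},
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_access_token(token, now):
    """Return the payload only if the algorithm is the expected one, the signature
    verifies and the token has not expired; otherwise None. Claims are decoded
    only after the signature check so a tampered payload is never interpreted."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # never let the token pick the algorithm
            return None
        expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64 or JSON (binascii.Error is a ValueError)
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload


def has_role(payload, role, client_id=None):
    """Realm role check by default; pass client_id to check a client-scoped role."""
    if client_id is None:
        return role in payload.get("realm_access", {}).get("roles", [])
    return role in payload.get("resource_access", {}).get(client_id, {}).get("roles", [])


if __name__ == "__main__":
    now = int(time.time())
    tok = issue_access_token("alice", {"superuser"}, {"viewer"}, "sales-app", now)
    claims = verify_access_token(tok, now)
    print(claims["realm_access"]["roles"])  # superuser plus the two inherited roles
    print(has_role(claims, "viewer", "sales-app"), has_role(claims, "viewer"))
```

Note that `viewer` is granted only under `resource_access.sales-app`, so the realm-level check for it fails: a client role never leaks into another client's namespace, which is exactly the isolation the client role concept provides.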
session::
When a user logs in, a session is created to manage the login session. A session contains information like when the user logged in and what
applications have participated in single sign-on during that session. Both admins and users can view session information.
user federation provider::
{{book.project.name}} can store and manage users. Often, companies already have LDAP or Active Directory services that store user and credential
information. You can point {{book.project.name}} to validate credentials from those external stores and pull in identity information.
identity provider::
An identity provider (IDP) is a service that can authenticate a user. {{book.project.name}} is an IDP.
identity provider federation::
{{book.project.name}} can be configured to delegate authentication to one or more IDPs. Social login via
Facebook or Google+ is an example of identity provider federation. You can also hook {{book.project.name}} to delegate
authentication to any other OpenID Connect or SAML 2.0 IDP.
identity provider mappers::
When doing IDP federation you can map incoming tokens and assertions to user and session attributes. This helps you propagate identity information from the external IDP
to your client requesting authentication.
required actions::
Required actions are actions a user must perform during the authentication process. A user will not be able to complete the authentication process until these actions
are complete. For example, an admin may schedule users to reset their passwords every month. An `update password` required action would be set for all these
users.
authentication flows::
Authentication flows are workflows a user must perform when interacting with certain aspects of the system. A login flow can define
what credential types are required. A registration flow defines what profile information a user must enter and whether something like reCAPTCHA
must be used to filter out bots. The credential reset flow defines what actions a user must do before they can reset their password.
events::
Events are audit streams that admins can view and hook into.
themes::
Every screen provided by {{book.project.name}} is backed by a theme. Themes define HTML templates and stylesheets which you can override as needed.