Red Hat is proud to announce the release of version 7.6 of {project_name} (RH-SSO). RH-SSO is based on the Keycloak project, and enables you to secure your web applications by providing Web SSO capabilities based on popular standards such as OpenID Connect, OAuth 2.0, and SAML 2.0. The RH-SSO server acts as an OpenID Connect or SAML-based identity provider (IdP), allowing your enterprise user directory or third-party IdP to secure your applications via standards-based security tokens.
[NOTE]
{project_name} for IBM Z and IBM Power Systems is supported only in the OpenShift environment. Bare metal installations on IBM Z and IBM Power Systems are not supported.
The following notes apply to the RH-SSO 7.6 release.
= New or improved features
== Step-up authentication
{project_name} now supports Step-up authentication. For more details, see the link:{adminguide_link}#_step-up-flow[{adminguide_name}].
== Client secret rotation
{project_name} now supports Client Secret Rotation through customer policies. This feature is now available as a preview feature and allows that confidential clients can be provided with realm policies allowing the use up to two secrets simultaneously.
For more details, see the link:{adminguide_link}#_secret_rotation[{adminguide_name}].
== Recovery Codes
Recovery Codes as another way to do two-factor authentication is now available as a preview feature.
== OpenID Connect Logout Improvements
Some fixes and improvements were made to make sure that {project_name} is now fully compliant with all the OpenID Connect logout specifications:
* OpenID Connect RP-Initiated Logout 1.0
* OpenID Connect Front-Channel Logout 1.0
* OpenID Connect Back-Channel Logout 1.0
* OpenID Connect Session Management 1.0
For more details, see the link:{adminguide_link}#_oidc-logout[{adminguide_name}].
Also, {project_name} now supports WebAuthn id-less authentication. This feature allows that WebAuthn Security Key will identify the user during authentication as long as the
security key supports Resident Keys. For more details, see the link:{adminguide_link}#_webauthn_loginless[{adminguide_name}].
== Session limits
{project_name} now supports limits on the number of sessions a user can have. Limits can be placed at the realm level or at the client level.
For more details, see the link:{adminguide_link}#_user_session_limits[{adminguide_name}].
== SAML ECP Profile is disabled by default
To mitigate the risk of abusing SAML ECP Profile, {project_name} now blocks
this flow for all SAML clients that do not allow it explicitly. The profile
can be enabled using _Allow ECP Flow_ flag within client configuration,
see link:{adminguide_link}#_client-saml-configuration[{adminguide_name}].
== Other improvements
* Account console alignments with latest PatternFly release.
* Support for encrypted User Info endpoint response.
* Support for the algorithm RSA-OAEP with A256GCM used for encryption keys.
* Support for login with GitHub Enterprise server.
= Existing technology preview features
The following features continue to be in a Technology Preview status:
* Cross-site data replication
* Token exchange
* Fine-grained authorization permissions
= Removed or deprecated features
These features have a change in status:
* The `podDisruptionBudget` field in the Keycloak CR is deprecated and will be ignored when the Operator is deployed on OpenShift 4.12 and higher. As a workaround, see the link:{upgradingguide_link}#rh_sso_7_6[{upgradingguide_name}].
* The deprecated `upload-script` feature has been removed.
* Support for Red Hat Single Sign-On (RH-SSO) on Red Hat Enterprise Linux 6 (RHEL 6) is deprecated and the 7.6 release of RH-SSO will not be supported on RHEL 6. RHEL 6 entered the ELS phase of its lifecycle on November 30, 2020 and the Red Hat JBoss Enterprise Application Platform (EAP) that RH-SSO depends upon will drop support for RHEL 6 with the EAP 7.4 release. Customers should deploy their RH-SSO 7.6 upgrades on RHEL 7 or 8 versions.
* The Spring Boot Adapter is deprecated and will not be included in the 8.0 and higher versions of RH-SSO. This adapter will be maintained during the lifecycle of RH-SSO 7.x. Users are urged to migrate to Spring Security to integrate their Spring Boot applications with RH-SSO.
* Installation from an RPM is deprecated. Red Hat Single Sign-On will continue to deliver RPMs for the life of the 7.x product, but will not deliver RPMs with the next major version. The product will continue to support installation from a ZIP file and installation on OpenShift.
* Red Hat Single Sign-On for OpenShift on Eclipse OpenJ9 is deprecated. However, Red Hat Single Sign-On on OpenShift will now support all platforms (x86, IBM Z, and IBM Power Systems) as documented in the https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/red_hat_single_sign-on_for_openshift/index[Red Hat Single Sign-On for OpenShift Guide].
For more details on this change, see link:https://access.redhat.com/articles/6744521[Java Change in PPC and s390x OpenShift Images].
* Authorization Services Drools Policy has been removed.
= Fixed Issues
For details on the issues fixed between RH-SSO 7.5 and 7.6.0, see link:https://issues.redhat.com/browse/KEYCLOAK-14085?filter=12396918[RHSSO 7.6.0 Fixed Issues].
* link:https://issues.redhat.com/browse/RHSSO-2091[RHSSO-2091] - Operator fails to upgrade to 7.6.0 GA with the error "FAILED Update RHSSO Deployment (StatefulSet)"
+
See this link:https://access.redhat.com/solutions/6966958[KCS solution].
* link:https://issues.redhat.com/browse/KEYCLOAK-18115[KEYCLOAK-18115] - Attempt to edit attribute denied in RHSSO 7.4.6
= Supported configurations
The set of supported features and configurations for RH-SSO Server 7.6 is available on the link:https://access.redhat.com/articles/2342861[Customer Portal].
= Component versions
The list of supported component versions for RH-SSO 7.6 is available on the link:https://access.redhat.com/articles/2342881[Customer Portal].
