keycloak-scim/openshift/content/introduction/introduction.adoc

=== What Is Red Hat Single Sign-On?
Red Hat Single Sign-On (RH-SSO) is an integrated sign-on solution available as a Red Hat JBoss Middleware for OpenShift containerized image. The {xpaasproduct} image provides an authentication server for users to centrally log in, log out, register, and manage user accounts for web applications, mobile applications, and RESTful web services.

[[sso-templates]]
Red Hat offers multiple OpenShift application templates utilizing the {xpaasproduct-shortname} image version number 7.2. These define the resources needed to develop Red Hat Single Sign-On 7.2 server based deployment and can be split into the following two categories:

[[passthrough-templates]]
* Templates using HTTPS and JGroups keystores and a truststore for the RH-SSO server, all prepared beforehand. These secure the TLS communication using link:https://docs.openshift.com/container-platform/latest/architecture/networking/routes.html#passthrough-termination[passthrough TLS termination]:

** *_sso72-https_*: RH-SSO 7.2 backed by internal H2 database on the same pod.
** *_sso72-mysql_*: RH-SSO 7.2 backed by ephemeral MySQL database on a separate pod.
** *_sso72-mysql-persistent_*: RH-SSO 7.2 backed by persistent MySQL database on a separate pod.
** *_sso72-postgresql_*: RH-SSO 7.2 backed by ephemeral PostgreSQL database on a separate pod.
** *_sso72-postgresql-persistent_*: RH-SSO 7.2 backed by persistent PostgreSQL database on a separate pod.

[[reencrypt-templates]]
* Templates using OpenShift's internal link:https://docs.openshift.com/container-platform/latest/dev_guide/secrets.html#service-serving-certificate-secrets[service serving x509 certificate secrets] to automatically create the HTTPS keystore used for serving secure content. The JGroups cluster traffic is authenticated using the `AUTH` protocol. The RH-SSO server truststore is also created automatically, containing the */var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt* CA certificate file, which is used to create these cluster certificates. Moreover, the truststore for the RH-SSO server is pre-populated with the all known, trusted CA certificate files found in the Java system path. These are securing the TLS communication using link:https://docs.openshift.com/container-platform/latest/architecture/networking/routes.html#re-encryption-termination[re-encryption TLS termination]:

** *_sso72-x509-https_*: RH-SSO 7.2 with auto-generated HTTPS keystore and RH-SSO truststore, backed by internal H2 database.
** *_sso72-x509-mysql-persistent_*: RH-SSO 7.2 with auto-generated HTTPS keystore and RH-SSO truststore, backed by persistent MySQL database.
** *_sso72-x509-postgresql-persistent_*: RH-SSO 7.2 with auto-generated HTTPS keystore and RH-SSO truststore, backed by persistent PostgreSQL database.

Other templates that integrate with RH-SSO are also available:

* *_eap64-sso-s2i_*: RH-SSO-enabled Red Hat JBoss Enterprise Application Platform 6.4.
* *_eap70-sso-s2i_*: RH-SSO-enabled Red Hat JBoss Enterprise Application Platform 7.0.
* *_eap71-sso-s2i_*: RH-SSO enabled Red Hat JBoss Enterprise Application Platform 7.1.
* *_datavirt63-secure-s2i_*: RH-SSO-enabled Red Hat JBoss Data Virtualization 6.3.

These templates contain environment variables specific to RH-SSO that enable automatic RH-SSO client registration when deployed.

See xref:Auto-Man-Client-Reg[Automatic and Manual RH-SSO Client Registration Methods] for more information.
KEYCLOAK-6566 Initial commit of xPaaS documentation (#343) 2018-03-19 19:04:57 +00:00			`=== What Is Red Hat Single Sign-On?`
			`Red Hat Single Sign-On (RH-SSO) is an integrated sign-on solution available as a Red Hat JBoss Middleware for OpenShift containerized image. The {xpaasproduct} image provides an authentication server for users to centrally log in, log out, register, and manage user accounts for web applications, mobile applications, and RESTful web services.`

			`[[sso-templates]]`
[KEYCLOAK-6650] [KEYCLOAK-6648] Make documentation changes for these JIRAs (#368) * [KEYCLOAK-6650] Substitute: * 'redhat-sso72-openshift:1.0' with 'redhat-sso72-openshift:1.1', * 'ose-v1.4.9' tag with (upcoming) 'ose-v1.4.11' tag Also update the command to install the updated templates Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> * [KEYCLOAK-6650] Mention the newly introduced RH-SSO 7.2 x509 application templates on appropriate places Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> * [KEYCLOAK-6650] Move "Binary Builds" tutorial out of Getting Started section to Tutorials section Also rename it to: "Example Workflow: Create OpenShift Application that Authenticates Using Red Hat Single Sing-On from Existing Maven Binaries" Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> * [KEYCLOAK-6650] Rename 'Get Started' section to 'Advanced Concepts' (we will introduce a new, refactored 'Getting Started' section soon) Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> * [KEYCLOAK-6650] Bring the refactored 'Getting Started' section back to the docs Make it contain the most simplistic example, how to deploy RH-SSO server Refactor the 'Advanced Concepts' section to guide: * How to generate keystores, truststore, and secrets for passthroug TLS RH-SSO application templates, * Also provide example, how the passthrough TLS template can be deployed once keystores and secrets are created Remove the necessary sections from former 'tutorials' content, that have been used: * Either in the new 'Getting Started' section, or * In the new 'Advanced Concepts' section Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> * [KEYCLOAK-6650] Address issues pointed out by Matthew during PR review. Thanks for them, Matthew! Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> * [KEYCLOAK-6648] Align the definition of HTTPS, JGroups keystores, and the truststore for the RH-SSO server in the application templates with their definition in the documentation Also provide example how to obtain certificate names from keystores Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> * [KEYCLOAK-6650] Clarify in the Introduction section, that for the x509 re-encrypt templates the JGroups keystore isn't generated, and AUTH protocol is used for cluster traffic authentication Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> 2018-04-23 18:03:12 +00:00			`Red Hat offers multiple OpenShift application templates utilizing the {xpaasproduct-shortname} image version number 7.2. These define the resources needed to develop Red Hat Single Sign-On 7.2 server based deployment and can be split into the following two categories:`
KEYCLOAK-6566 Initial commit of xPaaS documentation (#343) 2018-03-19 19:04:57 +00:00
[KEYCLOAK-6650] [KEYCLOAK-6648] Make documentation changes for these JIRAs (#368) * [KEYCLOAK-6650] Substitute: * 'redhat-sso72-openshift:1.0' with 'redhat-sso72-openshift:1.1', * 'ose-v1.4.9' tag with (upcoming) 'ose-v1.4.11' tag Also update the command to install the updated templates Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> * [KEYCLOAK-6650] Mention the newly introduced RH-SSO 7.2 x509 application templates on appropriate places Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> * [KEYCLOAK-6650] Move "Binary Builds" tutorial out of Getting Started section to Tutorials section Also rename it to: "Example Workflow: Create OpenShift Application that Authenticates Using Red Hat Single Sing-On from Existing Maven Binaries" Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> * [KEYCLOAK-6650] Rename 'Get Started' section to 'Advanced Concepts' (we will introduce a new, refactored 'Getting Started' section soon) Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> * [KEYCLOAK-6650] Bring the refactored 'Getting Started' section back to the docs Make it contain the most simplistic example, how to deploy RH-SSO server Refactor the 'Advanced Concepts' section to guide: * How to generate keystores, truststore, and secrets for passthroug TLS RH-SSO application templates, * Also provide example, how the passthrough TLS template can be deployed once keystores and secrets are created Remove the necessary sections from former 'tutorials' content, that have been used: * Either in the new 'Getting Started' section, or * In the new 'Advanced Concepts' section Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> * [KEYCLOAK-6650] Address issues pointed out by Matthew during PR review. Thanks for them, Matthew! Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> * [KEYCLOAK-6648] Align the definition of HTTPS, JGroups keystores, and the truststore for the RH-SSO server in the application templates with their definition in the documentation Also provide example how to obtain certificate names from keystores Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> * [KEYCLOAK-6650] Clarify in the Introduction section, that for the x509 re-encrypt templates the JGroups keystore isn't generated, and AUTH protocol is used for cluster traffic authentication Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> 2018-04-23 18:03:12 +00:00			`[[passthrough-templates]]`
			`* Templates using HTTPS and JGroups keystores and a truststore for the RH-SSO server, all prepared beforehand. These secure the TLS communication using link:https://docs.openshift.com/container-platform/latest/architecture/networking/routes.html#passthrough-termination[passthrough TLS termination]:`
KEYCLOAK-6566 Initial commit of xPaaS documentation (#343) 2018-03-19 19:04:57 +00:00
[KEYCLOAK-6650] [KEYCLOAK-6648] Make documentation changes for these JIRAs (#368) * [KEYCLOAK-6650] Substitute: * 'redhat-sso72-openshift:1.0' with 'redhat-sso72-openshift:1.1', * 'ose-v1.4.9' tag with (upcoming) 'ose-v1.4.11' tag Also update the command to install the updated templates Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> * [KEYCLOAK-6650] Mention the newly introduced RH-SSO 7.2 x509 application templates on appropriate places Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> * [KEYCLOAK-6650] Move "Binary Builds" tutorial out of Getting Started section to Tutorials section Also rename it to: "Example Workflow: Create OpenShift Application that Authenticates Using Red Hat Single Sing-On from Existing Maven Binaries" Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> * [KEYCLOAK-6650] Rename 'Get Started' section to 'Advanced Concepts' (we will introduce a new, refactored 'Getting Started' section soon) Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> * [KEYCLOAK-6650] Bring the refactored 'Getting Started' section back to the docs Make it contain the most simplistic example, how to deploy RH-SSO server Refactor the 'Advanced Concepts' section to guide: * How to generate keystores, truststore, and secrets for passthroug TLS RH-SSO application templates, * Also provide example, how the passthrough TLS template can be deployed once keystores and secrets are created Remove the necessary sections from former 'tutorials' content, that have been used: * Either in the new 'Getting Started' section, or * In the new 'Advanced Concepts' section Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> * [KEYCLOAK-6650] Address issues pointed out by Matthew during PR review. Thanks for them, Matthew! Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> * [KEYCLOAK-6648] Align the definition of HTTPS, JGroups keystores, and the truststore for the RH-SSO server in the application templates with their definition in the documentation Also provide example how to obtain certificate names from keystores Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> * [KEYCLOAK-6650] Clarify in the Introduction section, that for the x509 re-encrypt templates the JGroups keystore isn't generated, and AUTH protocol is used for cluster traffic authentication Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com> 2018-04-23 18:03:12 +00:00			`** _sso72-https_: RH-SSO 7.2 backed by internal H2 database on the same pod.`
			`** _sso72-mysql_: RH-SSO 7.2 backed by ephemeral MySQL database on a separate pod.`
			`** _sso72-mysql-persistent_: RH-SSO 7.2 backed by persistent MySQL database on a separate pod.`
			`** _sso72-postgresql_: RH-SSO 7.2 backed by ephemeral PostgreSQL database on a separate pod.`
			`** _sso72-postgresql-persistent_: RH-SSO 7.2 backed by persistent PostgreSQL database on a separate pod.`

			`[[reencrypt-templates]]`
			* Templates using OpenShift's internal link:https://docs.openshift.com/container-platform/latest/dev_guide/secrets.html#service-serving-certificate-secrets[service serving x509 certificate secrets] to automatically create the HTTPS keystore used for serving secure content. The JGroups cluster traffic is authenticated using the `AUTH` protocol. The RH-SSO server truststore is also created automatically, containing the /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt CA certificate file, which is used to create these cluster certificates. Moreover, the truststore for the RH-SSO server is pre-populated with the all known, trusted CA certificate files found in the Java system path. These are securing the TLS communication using link:https://docs.openshift.com/container-platform/latest/architecture/networking/routes.html#re-encryption-termination[re-encryption TLS termination]:

			`** _sso72-x509-https_: RH-SSO 7.2 with auto-generated HTTPS keystore and RH-SSO truststore, backed by internal H2 database.`
			`** _sso72-x509-mysql-persistent_: RH-SSO 7.2 with auto-generated HTTPS keystore and RH-SSO truststore, backed by persistent MySQL database.`
			`** _sso72-x509-postgresql-persistent_: RH-SSO 7.2 with auto-generated HTTPS keystore and RH-SSO truststore, backed by persistent PostgreSQL database.`
KEYCLOAK-6566 Initial commit of xPaaS documentation (#343) 2018-03-19 19:04:57 +00:00
			`Other templates that integrate with RH-SSO are also available:`

			`* _eap64-sso-s2i_: RH-SSO-enabled Red Hat JBoss Enterprise Application Platform 6.4.`
			`* _eap70-sso-s2i_: RH-SSO-enabled Red Hat JBoss Enterprise Application Platform 7.0.`
			`* _eap71-sso-s2i_: RH-SSO enabled Red Hat JBoss Enterprise Application Platform 7.1.`
			`* _datavirt63-secure-s2i_: RH-SSO-enabled Red Hat JBoss Data Virtualization 6.3.`

			`These templates contain environment variables specific to RH-SSO that enable automatic RH-SSO client registration when deployed.`

			`See xref:Auto-Man-Client-Reg[Automatic and Manual RH-SSO Client Registration Methods] for more information.`