Merge remote-tracking branch 'upstream/master'
This commit is contained in:
commit
014708a65b
16 changed files with 106 additions and 49 deletions
|
@ -1,12 +1,8 @@
|
||||||
[[_overview]]
|
[[_overview]]
|
||||||
= Overview
|
= Overview
|
||||||
|
|
||||||
ifeval::[{project_product}==true]
|
:tech_feature_name: Authorization Services
|
||||||
NOTE: Authorization Services is a Technology Preview feature and is not fully supported. This feature is disabled by default.
|
include::templates/techpreview.adoc[]
|
||||||
|
|
||||||
To enable Authorization Services add the `standalone/configuration/profile.properties` file with the contents `profile=preview`
|
|
||||||
or start the server with `-Dkeycloak.profile=preview` to enable all technology preview features.
|
|
||||||
endif::[]
|
|
||||||
|
|
||||||
{project_name} supports fine-grained authorization policies and is able to combine different access control
|
{project_name} supports fine-grained authorization policies and is able to combine different access control
|
||||||
mechanisms such as:
|
mechanisms such as:
|
||||||
|
|
|
@ -103,6 +103,7 @@ else
|
||||||
echo ""
|
echo ""
|
||||||
for i in `find -maxdepth 2 -name master.adoc | xargs dirname | sort`; do
|
for i in `find -maxdepth 2 -name master.adoc | xargs dirname | sort`; do
|
||||||
TITLE=`getTitle $i`
|
TITLE=`getTitle $i`
|
||||||
|
GUIDE_DIR=`readlink -f $i`
|
||||||
echo "$TITLE"
|
echo "$TITLE"
|
||||||
echo " - AsciiDoctor: file://$GUIDE_DIR/target/html/index.html"
|
echo " - AsciiDoctor: file://$GUIDE_DIR/target/html/index.html"
|
||||||
echo " - ccutil: file://$GUIDE_DIR/build/tmp/en-US/html-single/index.html"
|
echo " - ccutil: file://$GUIDE_DIR/build/tmp/en-US/html-single/index.html"
|
||||||
|
|
|
@ -24,8 +24,8 @@ include::topics/oidc/java/jetty9-adapter.adoc[]
|
||||||
include::topics/oidc/java/jetty8-adapter.adoc[]
|
include::topics/oidc/java/jetty8-adapter.adoc[]
|
||||||
include::topics/oidc/java/spring-security-adapter.adoc[]
|
include::topics/oidc/java/spring-security-adapter.adoc[]
|
||||||
endif::[]
|
endif::[]
|
||||||
ifeval::[{project_community}==true]
|
|
||||||
include::topics/oidc/java/servlet-filter-adapter.adoc[]
|
include::topics/oidc/java/servlet-filter-adapter.adoc[]
|
||||||
|
ifeval::[{project_community}==true]
|
||||||
include::topics/oidc/java/jaas.adoc[]
|
include::topics/oidc/java/jaas.adoc[]
|
||||||
endif::[]
|
endif::[]
|
||||||
ifeval::[{project_community}==true]
|
ifeval::[{project_community}==true]
|
||||||
|
|
|
@ -36,7 +36,7 @@ sshRealm=keycloak
|
||||||
----
|
----
|
||||||
This file specifies the client application configuration, which is used by JAAS DirectAccessGrantsLoginModule from the `keycloak` JAAS realm for SSH authentication.
|
This file specifies the client application configuration, which is used by JAAS DirectAccessGrantsLoginModule from the `keycloak` JAAS realm for SSH authentication.
|
||||||
|
|
||||||
. Start Fuse and install the `keycloak` JAAS realm. The easiest way is to install the `keycloak-jaas` feature, which has the JAAS realm predefined. You can override the feature's predefined realm by using your own `keycloak` JAAS realm with higher ranking. For details see the https:access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html-single/security_guide/#ESBSecureContainer[JBoss Fuse documentation].
|
. Start Fuse and install the `keycloak` JAAS realm. The easiest way is to install the `keycloak-jaas` feature, which has the JAAS realm predefined. You can override the feature's predefined realm by using your own `keycloak` JAAS realm with higher ranking. For details see the https://access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html-single/security_guide/#ESBSecureContainer[JBoss Fuse documentation].
|
||||||
+
|
+
|
||||||
Use these commands in the Fuse terminal:
|
Use these commands in the Fuse terminal:
|
||||||
+
|
+
|
||||||
|
|
|
@ -70,14 +70,14 @@ object, rather than the `keycloak.json` file:
|
||||||
[source,javascript]
|
[source,javascript]
|
||||||
----
|
----
|
||||||
let kcConfig = {
|
let kcConfig = {
|
||||||
clientId: 'myclient',
|
clientId: 'myclient',
|
||||||
bearerOnly: true,
|
bearerOnly: true,
|
||||||
serverUrl: 'http://localhost:8080/auth',
|
serverUrl: 'http://localhost:8080/auth',
|
||||||
realm: 'myrealm',
|
realm: 'myrealm',
|
||||||
realmPublicKey: 'MIIBIjANB...'
|
realmPublicKey: 'MIIBIjANB...'
|
||||||
};
|
};
|
||||||
|
|
||||||
let keycloak = new Keycloak({ store: memoryStore }, kcConfig);
|
let keycloak = new Keycloak({ store: memoryStore }, kcConfig);
|
||||||
----
|
----
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -13,51 +13,35 @@ ifeval::[{project_community}==true]
|
||||||
* <<_jetty8_adapter,Jetty 8>>
|
* <<_jetty8_adapter,Jetty 8>>
|
||||||
endif::[]
|
endif::[]
|
||||||
|
|
||||||
ifeval::[{project_community}==true]
|
|
||||||
* <<_servlet_filter_adapter,Servlet Filter>>
|
* <<_servlet_filter_adapter,Servlet Filter>>
|
||||||
* <<_spring_security_adapter,Spring Security>> (community)
|
* <<_spring_boot_adapter,Spring Boot>>
|
||||||
* <<_spring_boot_adapter,Spring Boot>> (community)
|
|
||||||
endif::[]
|
|
||||||
|
|
||||||
ifeval::[{project_community}==true]
|
ifeval::[{project_community}==true]
|
||||||
|
* <<_spring_security_adapter,Spring Security>>
|
||||||
|
endif::[]
|
||||||
|
|
||||||
===== JavaScript (client-side)
|
===== JavaScript (client-side)
|
||||||
* <<_javascript_adapter,JavaScript>>
|
* <<_javascript_adapter,JavaScript>>
|
||||||
endif::[]
|
|
||||||
|
|
||||||
===== Node.js (server-side)
|
===== Node.js (server-side)
|
||||||
* <<_nodejs_adapter,Node.js>>
|
* <<_nodejs_adapter,Node.js>>
|
||||||
|
|
||||||
===== JavaScript
|
|
||||||
* <<_javascript_adapter,JavaScript>>
|
|
||||||
|
|
||||||
ifeval::[{project_community}==true]
|
|
||||||
===== Node.js
|
|
||||||
* https://github.com/keycloak/keycloak-nodejs-connect[{project_name} Connect] (community)
|
|
||||||
endif::[]
|
|
||||||
|
|
||||||
ifeval::[{project_community}==true]
|
ifeval::[{project_community}==true]
|
||||||
==== C#
|
==== C#
|
||||||
* https://github.com/dylanplecki/KeycloakOwinAuthentication[OWIN] (community)
|
* https://github.com/dylanplecki/KeycloakOwinAuthentication[OWIN] (community)
|
||||||
endif::[]
|
|
||||||
|
|
||||||
ifeval::[{project_community}==true]
|
|
||||||
==== Python
|
==== Python
|
||||||
* https://pypi.python.org/pypi/oic/[oidc] (generic)
|
* https://pypi.python.org/pypi/oic/[oidc] (generic)
|
||||||
endif::[]
|
|
||||||
|
|
||||||
ifeval::[{project_community}==true]
|
|
||||||
==== Android
|
==== Android
|
||||||
* https://github.com/openid/AppAuth-Android[AppAuth] (generic)
|
* https://github.com/openid/AppAuth-Android[AppAuth] (generic)
|
||||||
* https://github.com/aerogear/aerogear-android-authz[AeroGear] (generic)
|
* https://github.com/aerogear/aerogear-android-authz[AeroGear] (generic)
|
||||||
endif::[]
|
|
||||||
|
|
||||||
ifeval::[{project_community}==true]
|
|
||||||
==== iOS
|
==== iOS
|
||||||
* https://github.com/openid/AppAuth-iOS[AppAuth] (generic)
|
* https://github.com/openid/AppAuth-iOS[AppAuth] (generic)
|
||||||
* https://github.com/aerogear/aerogear-ios-oauth2[AeroGear] (generic)
|
* https://github.com/aerogear/aerogear-ios-oauth2[AeroGear] (generic)
|
||||||
endif::[]
|
|
||||||
|
|
||||||
ifeval::[{project_community}==true]
|
|
||||||
===== Apache HTTP Server
|
===== Apache HTTP Server
|
||||||
* https://github.com/zmartzone/mod_auth_openidc[mod_auth_openidc]
|
* https://github.com/zmartzone/mod_auth_openidc[mod_auth_openidc]
|
||||||
endif::[]
|
endif::[]
|
||||||
|
|
|
@ -3,6 +3,9 @@
|
||||||
|
|
||||||
== Token Exchange
|
== Token Exchange
|
||||||
|
|
||||||
|
:tech_feature_name: Token Exchange
|
||||||
|
include::../templates/techpreview.adoc[]
|
||||||
|
|
||||||
In {project_name}, token exchange is the process of using a set of credentials or token to obtain an entirely different token.
|
In {project_name}, token exchange is the process of using a set of credentials or token to obtain an entirely different token.
|
||||||
A client may want to invoke on a less trusted application so it may want to downgrade the current token it has.
|
A client may want to invoke on a less trusted application so it may want to downgrade the current token it has.
|
||||||
A client may want to exchange a {project_token} for a token stored for a linked social provider account.
|
A client may want to exchange a {project_token} for a token stored for a linked social provider account.
|
||||||
|
|
|
@ -2,6 +2,9 @@
|
||||||
|
|
||||||
=== Fine Grain Admin Permissions
|
=== Fine Grain Admin Permissions
|
||||||
|
|
||||||
|
:tech_feature_name: Fine Grain Admin Permissions
|
||||||
|
include::../templates/techpreview.adoc[]
|
||||||
|
|
||||||
Sometimes roles like `manage-realm` or `manage-users` are too coarse grain and you want to create
|
Sometimes roles like `manage-realm` or `manage-users` are too coarse grain and you want to create
|
||||||
restricted admin accounts that have more fine grain permissions. {project_name} allows you to define
|
restricted admin accounts that have more fine grain permissions. {project_name} allows you to define
|
||||||
and assign restricted access policies for managing a realm. Things like:
|
and assign restricted access policies for managing a realm. Things like:
|
||||||
|
|
|
@ -24,7 +24,7 @@ Running a FreeIPA server with Docker requires this command:
|
||||||
docker run --name freeipa-server-container -it \
|
docker run --name freeipa-server-container -it \
|
||||||
-h server.freeipa.local -e PASSWORD=YOUR_PASSWORD \
|
-h server.freeipa.local -e PASSWORD=YOUR_PASSWORD \
|
||||||
-v /sys/fs/cgroup:/sys/fs/cgroup:ro \
|
-v /sys/fs/cgroup:/sys/fs/cgroup:ro \
|
||||||
-v /var/lib/ipa-data:/data:Z adelton/freeipa-server
|
-v /var/lib/ipa-data:/data:Z freeipa/freeipa-server
|
||||||
|
|
||||||
The parameter `-h` with `server.freeipa.local` represents the FreeIPA/IdM server hostname. Be sure to change `YOUR_PASSWORD` to a password of your choosing.
|
The parameter `-h` with `server.freeipa.local` represents the FreeIPA/IdM server hostname. Be sure to change `YOUR_PASSWORD` to a password of your choosing.
|
||||||
|
|
||||||
|
|
|
@ -2,6 +2,10 @@
|
||||||
[[crossdc-mode]]
|
[[crossdc-mode]]
|
||||||
=== Cross-Datacenter Replication Mode
|
=== Cross-Datacenter Replication Mode
|
||||||
|
|
||||||
|
:tech_feature_name: Cross-Datacenter Replication Mode
|
||||||
|
:tech_feature_disabled: false
|
||||||
|
include::../templates/techpreview.adoc[]
|
||||||
|
|
||||||
Cross-Datacenter Replication mode is for when you want to run {project_name} in a cluster across multiple data centers, most typically using data center sites that are in different geographic regions. When using this mode, each data center will have its own cluster of {project_name} servers.
|
Cross-Datacenter Replication mode is for when you want to run {project_name} in a cluster across multiple data centers, most typically using data center sites that are in different geographic regions. When using this mode, each data center will have its own cluster of {project_name} servers.
|
||||||
|
|
||||||
This documentation will refer the following example architecture diagram to illustrate and describe a simple Cross-Datacenter Replication use case.
|
This documentation will refer the following example architecture diagram to illustrate and describe a simple Cross-Datacenter Replication use case.
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
:project_name: Red Hat Single Sign-On
|
:project_name: Red Hat Single Sign-On
|
||||||
:project_community: false
|
:project_community: false
|
||||||
:project_product: true
|
:project_product: true
|
||||||
:project_version: 7.2.0.DR4
|
:project_version: 7.2.0.GA
|
||||||
:project_versionMvn: 3.3.0.Final-redhat1
|
:project_versionMvn: 3.4.2.Final-redhat1
|
||||||
:project_versionNpm: 3.3.0.Final-redhat1
|
:project_versionNpm: 3.4.2.Final-redhat1
|
||||||
:project_versionDoc: 7.2
|
:project_versionDoc: 7.2
|
||||||
:project_images: rhsso-images
|
:project_images: rhsso-images
|
||||||
:project_doc_base_url: https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/{project_versionDoc}/html-single
|
:project_doc_base_url: https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/{project_versionDoc}/html-single
|
||||||
|
|
14
topics/templates/techpreview.adoc
Normal file
14
topics/templates/techpreview.adoc
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
ifeval::[{project_product}==true]
|
||||||
|
[NOTE]
|
||||||
|
====
|
||||||
|
ifeval::[{tech_feature_disabled}!=false]
|
||||||
|
{tech_feature_name} is *Technology Preview* and is not fully supported. This feature is disabled by default.
|
||||||
|
|
||||||
|
To enable start the server with `-Dkeycloak.profile=preview`. For more details see
|
||||||
|
link:{installguide_profile_link}[{installguide_profile_name}].
|
||||||
|
endif::[]
|
||||||
|
ifeval::[{tech_feature_disabled}==false]
|
||||||
|
{tech_feature_name} is *Technology Preview* and is not fully supported.
|
||||||
|
endif::[]
|
||||||
|
====
|
||||||
|
endif::[]
|
|
@ -19,6 +19,7 @@ In summary:
|
||||||
ifeval::[{project_product}==true]
|
ifeval::[{project_product}==true]
|
||||||
Each step is described in more detail below the list of changes.
|
Each step is described in more detail below the list of changes.
|
||||||
|
|
||||||
|
include::rhsso/migrate_themes-changes-72.adoc[leveloffset=0]
|
||||||
include::rhsso/migrate_themes-changes-71.adoc[leveloffset=0]
|
include::rhsso/migrate_themes-changes-71.adoc[leveloffset=0]
|
||||||
endif::[]
|
endif::[]
|
||||||
|
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
== Introduction
|
== Introduction
|
||||||
|
|
||||||
Red Hat Single Sign-On (RH-SSO) 7.1 is based on the Keycloak project and provides security for your web applications by
|
Red Hat Single Sign-On (RH-SSO) 7.2 is based on the Keycloak project and provides security for your web applications by
|
||||||
providing Web single sign-on capabilities based on popular standards such as SAML 2.0, OpenID Connect, and OAuth 2.0.
|
providing Web single sign-on capabilities based on popular standards such as SAML 2.0, OpenID Connect, and OAuth 2.0.
|
||||||
The Red Hat Single Sign-On Server can act as a SAML or OpenID Connect-based identity provider, mediating with your
|
The Red Hat Single Sign-On Server can act as a SAML or OpenID Connect-based identity provider, mediating with your
|
||||||
enterprise user directory or third-party SSO provider for identity information and your applications using standards-based
|
enterprise user directory or third-party SSO provider for identity information and your applications using standards-based
|
||||||
|
@ -14,30 +14,30 @@ RH-SSO instances from a single control point. The upgrade process differs depend
|
||||||
implemented. Specific instructions for each mode are provided where applicable.
|
implemented. Specific instructions for each mode are provided where applicable.
|
||||||
|
|
||||||
The purpose of this guide is to document the steps that are required to successfully upgrade from
|
The purpose of this guide is to document the steps that are required to successfully upgrade from
|
||||||
Red Hat Single Sign-On 7.0 to Red Hat Single Sign-On 7.1.
|
Red Hat Single Sign-On 7.1 to Red Hat Single Sign-On 7.2.
|
||||||
|
|
||||||
=== About Upgrades
|
=== About Upgrades
|
||||||
|
|
||||||
==== Major Upgrades
|
==== Major Upgrades
|
||||||
|
|
||||||
A major upgrade or migration is required when RH-SSO is upgraded from one major release to another, for example, from
|
A major upgrade or migration is required when RH-SSO is upgraded from one major release to another, for example, from
|
||||||
Red Hat Single Sign-On 7.0 to Red Hat Single Sign-On 8.0. There may be breaking API changes between major releases
|
Red Hat Single Sign-On 7.2 to Red Hat Single Sign-On 8.0. There may be breaking API changes between major releases
|
||||||
that could require rewriting parts of applications or server extensions.
|
that could require rewriting parts of applications or server extensions.
|
||||||
|
|
||||||
==== Minor Updates
|
==== Minor Updates
|
||||||
|
|
||||||
Red Hat Single Sign-On periodically provides point releases, which are minor updates that include bug fixes, security
|
Red Hat Single Sign-On periodically provides point releases, which are minor updates that include bug fixes, security
|
||||||
fixes, and new features. If you plan to upgrade from one Red Hat Single Sign-On point release to another, for example,
|
fixes, and new features. If you plan to upgrade from one Red Hat Single Sign-On point release to another, for example,
|
||||||
from Red Hat Single Sign-On 7.0 to Red Hat Single Sign-On 7.1, code changes should not be required for applications or
|
from Red Hat Single Sign-On 7.1 to Red Hat Single Sign-On 7.2, code changes should not be required for applications or
|
||||||
custom server extensions as long as no private, unsupported, or tech preview APIs are used.
|
custom server extensions as long as no private, unsupported, or tech preview APIs are used.
|
||||||
|
|
||||||
==== Micro Updates
|
==== Micro Updates
|
||||||
|
|
||||||
Red Hat Single Sign-On 7 also periodically provides micro releases that contain bug and security fixes.
|
Red Hat Single Sign-On 7 also periodically provides micro releases that contain bug and security fixes.
|
||||||
Micro releases increment the minor release version by the last digit, for example from 7.1.0 to 7.1.1. These release
|
Micro releases increment the minor release version by the last digit, for example from 7.2.0 to 7.2.1. These release
|
||||||
do not require migration and should not impact the server configuration files. The patch management system for ZIP
|
do not require migration and should not impact the server configuration files. The patch management system for ZIP
|
||||||
installations can also rollback the patch and server configuration.
|
installations can also rollback the patch and server configuration.
|
||||||
|
|
||||||
A micro release only contains the artifacts that have changed. For example if Red Hat Single Sign-On 7.1.1 contains changes to
|
A micro release only contains the artifacts that have changed. For example if Red Hat Single Sign-On 7.2.1 contains changes to
|
||||||
the server and the JavaScript adapter, but not the EAP adapter, only the server and JavaScript adapter are released and require
|
the server and the JavaScript adapter, but not the EAP adapter, only the server and JavaScript adapter are released and require
|
||||||
updating.
|
updating.
|
|
@ -1,4 +1,4 @@
|
||||||
The changes that have been made for RH-SSO 7.1 include:
|
===== Theme changes RH-SSO 7.1
|
||||||
|
|
||||||
**Templates**
|
**Templates**
|
||||||
|
|
||||||
|
|
51
upgrading/topics/rhsso/migrate_themes-changes-72.adoc
Normal file
51
upgrading/topics/rhsso/migrate_themes-changes-72.adoc
Normal file
|
@ -0,0 +1,51 @@
|
||||||
|
===== Theme changes RH-SSO 7.2
|
||||||
|
|
||||||
|
**Templates**
|
||||||
|
|
||||||
|
* Account: account.ftl
|
||||||
|
* Account: applications.ftl
|
||||||
|
* Account: federatedIdentity.ftl
|
||||||
|
* Account: password.ftl
|
||||||
|
* Account: sessions.ftl
|
||||||
|
* Account: template.ftl
|
||||||
|
* Account: totp.ftl
|
||||||
|
* Admin: index.ftl
|
||||||
|
* Email: email-test.ftl (new)
|
||||||
|
* Email: email-verification.ftl
|
||||||
|
* Email: event-login_error.ftl
|
||||||
|
* Email: event-removed_totp.ftl
|
||||||
|
* Email: event-update_password.ftl
|
||||||
|
* Email: event-update_totp.ftl
|
||||||
|
* Email: executeActions.ftl
|
||||||
|
* Email: identity-provider-link.ftl
|
||||||
|
* Email: password-reset.ftl
|
||||||
|
* Login: bypass_kerberos.ftl (removed)
|
||||||
|
* Login: error.ftl
|
||||||
|
* Login: info.ftl
|
||||||
|
* Login: login-config-totp.ftl
|
||||||
|
* Login: login-idp-link-email.ftl
|
||||||
|
* Login: login-oauth-grant.ftl
|
||||||
|
* Login: login-page-expired.ftl (new)
|
||||||
|
* Login: login-reset-password.ftl
|
||||||
|
* Login: login-totp.ftl
|
||||||
|
* Login: login-update-password.ftl
|
||||||
|
* Login: login-update-profile.ftl
|
||||||
|
* Login: login-verify-email.ftl
|
||||||
|
* Login: login-x509-info.ftl (new)
|
||||||
|
* Login: login.ftl (new)
|
||||||
|
* Login: register.ftl (new)
|
||||||
|
* Login: template.ftl (new)
|
||||||
|
* Login: terms.ftl (new)
|
||||||
|
|
||||||
|
**Messages**
|
||||||
|
|
||||||
|
* Account: messages_en.properties
|
||||||
|
* Admin: admin-messages_en.properties
|
||||||
|
* Admin: messages_en.properties
|
||||||
|
* Email: messages_en.properties
|
||||||
|
* Login: messages_en.properties
|
||||||
|
|
||||||
|
**Styles**
|
||||||
|
|
||||||
|
* Account: account.css
|
||||||
|
* Login: login.css
|
Loading…
Reference in a new issue