Merge remote-tracking branch 'upstream/master'

Bill Burke 2018-01-02 09:21:06 -05:00
commit 014708a65b
16 changed files with 106 additions and 49 deletions

View file

@ -1,12 +1,8 @@
[[_overview]] [[_overview]]
= Overview = Overview
ifeval::[{project_product}==true] :tech_feature_name: Authorization Services
NOTE: Authorization Services is a Technology Preview feature and is not fully supported. This feature is disabled by default. include::templates/techpreview.adoc[]
To enable Authorization Services add the `standalone/configuration/profile.properties` file with the contents `profile=preview`
or start the server with `-Dkeycloak.profile=preview` to enable all technology preview features.
endif::[]
{project_name} supports fine-grained authorization policies and is able to combine different access control {project_name} supports fine-grained authorization policies and is able to combine different access control
mechanisms such as: mechanisms such as:
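
Review bot: the removed NOTE documented two ways to switch on preview features (a `standalone/configuration/profile.properties` file containing `profile=preview`, or `-Dkeycloak.profile=preview`), while the included template text only mentions the system property; confirm that the installation guide section the template links to still describes the properties-file option, since that is the persistent form and the only one readers of this overview will no longer see.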

View file

@ -103,6 +103,7 @@ else
echo "" echo ""
for i in `find -maxdepth 2 -name master.adoc | xargs dirname | sort`; do for i in `find -maxdepth 2 -name master.adoc | xargs dirname | sort`; do
TITLE=`getTitle $i` TITLE=`getTitle $i`
GUIDE_DIR=`readlink -f $i`
echo "$TITLE" echo "$TITLE"
echo " - AsciiDoctor: file://$GUIDE_DIR/target/html/index.html" echo " - AsciiDoctor: file://$GUIDE_DIR/target/html/index.html"
echo " - ccutil: file://$GUIDE_DIR/build/tmp/en-US/html-single/index.html" echo " - ccutil: file://$GUIDE_DIR/build/tmp/en-US/html-single/index.html"
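
Review bot: `GUIDE_DIR=`readlink -f $i`` depends on GNU coreutils (`readlink -f` is not available with the BSD `readlink` shipped on macOS) and leaves `$i` unquoted; `GUIDE_DIR=$(cd "$i" && pwd -P)` is POSIX, tolerates spaces in paths, and the same quoting should be applied to the existing `getTitle $i` call.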

View file

@ -24,8 +24,8 @@ include::topics/oidc/java/jetty9-adapter.adoc[]
include::topics/oidc/java/jetty8-adapter.adoc[] include::topics/oidc/java/jetty8-adapter.adoc[]
include::topics/oidc/java/spring-security-adapter.adoc[] include::topics/oidc/java/spring-security-adapter.adoc[]
endif::[] endif::[]
ifeval::[{project_community}==true]
include::topics/oidc/java/servlet-filter-adapter.adoc[] include::topics/oidc/java/servlet-filter-adapter.adoc[]
ifeval::[{project_community}==true]
include::topics/oidc/java/jaas.adoc[] include::topics/oidc/java/jaas.adoc[]
endif::[] endif::[]
ifeval::[{project_community}==true] ifeval::[{project_community}==true]
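
Review bot: moving `include::topics/oidc/java/servlet-filter-adapter.adoc[]` out of the `ifeval::[{project_community}==true]` block makes the servlet filter adapter chapter part of the product (RH-SSO) guide; this matches the platforms list change elsewhere in this commit, but check that the adapter topic itself carries no community-only wording or links, and confirm that `jaas.adoc` staying community-only is intentional, since the Fuse topic in this same commit documents the JAAS `DirectAccessGrantsLoginModule` for product readers.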

View file

@ -36,7 +36,7 @@ sshRealm=keycloak
---- ----
This file specifies the client application configuration, which is used by JAAS DirectAccessGrantsLoginModule from the `keycloak` JAAS realm for SSH authentication. This file specifies the client application configuration, which is used by JAAS DirectAccessGrantsLoginModule from the `keycloak` JAAS realm for SSH authentication.
. Start Fuse and install the `keycloak` JAAS realm. The easiest way is to install the `keycloak-jaas` feature, which has the JAAS realm predefined. You can override the feature's predefined realm by using your own `keycloak` JAAS realm with higher ranking. For details see the https:access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html-single/security_guide/#ESBSecureContainer[JBoss Fuse documentation]. . Start Fuse and install the `keycloak` JAAS realm. The easiest way is to install the `keycloak-jaas` feature, which has the JAAS realm predefined. You can override the feature's predefined realm by using your own `keycloak` JAAS realm with higher ranking. For details see the https://access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html-single/security_guide/#ESBSecureContainer[JBoss Fuse documentation].
+ +
Use these commands in the Fuse terminal: Use these commands in the Fuse terminal:
+ +
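
Review bot: the `https:access.redhat.com/...` to `https://access.redhat.com/...` correction is right; AsciiDoc does not flag a malformed scheme (it simply renders the text), so a link checker in the docs build is the only way to catch this class of regression.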

View file

@ -70,14 +70,14 @@ object, rather than the `keycloak.json` file:
[source,javascript] [source,javascript]
---- ----
let kcConfig = { let kcConfig = {
clientId: 'myclient', clientId: 'myclient',
bearerOnly: true, bearerOnly: true,
serverUrl: 'http://localhost:8080/auth', serverUrl: 'http://localhost:8080/auth',
realm: 'myrealm', realm: 'myrealm',
realmPublicKey: 'MIIBIjANB...' realmPublicKey: 'MIIBIjANB...'
}; };
let keycloak = new Keycloak({ store: memoryStore }, kcConfig); let keycloak = new Keycloak({ store: memoryStore }, kcConfig);
---- ----
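
Review bot: both sides of the `kcConfig` listing are identical apart from indentation, and inside a `----` listing block indentation renders verbatim, so this is a cosmetic change; one sentence worth adding to the surrounding text is that `realmPublicKey` pins a single key, so a realm key rotation breaks a bearer-only adapter configured this way until the value is updated, whereas omitting it lets the adapter fetch the current keys from the server.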

View file

@ -13,51 +13,35 @@ ifeval::[{project_community}==true]
* <<_jetty8_adapter,Jetty 8>> * <<_jetty8_adapter,Jetty 8>>
endif::[] endif::[]
ifeval::[{project_community}==true]
* <<_servlet_filter_adapter,Servlet Filter>> * <<_servlet_filter_adapter,Servlet Filter>>
* <<_spring_security_adapter,Spring Security>> (community) * <<_spring_boot_adapter,Spring Boot>>
* <<_spring_boot_adapter,Spring Boot>> (community)
endif::[]
ifeval::[{project_community}==true] ifeval::[{project_community}==true]
* <<_spring_security_adapter,Spring Security>>
endif::[]
===== JavaScript (client-side) ===== JavaScript (client-side)
* <<_javascript_adapter,JavaScript>> * <<_javascript_adapter,JavaScript>>
endif::[]
===== Node.js (server-side) ===== Node.js (server-side)
* <<_nodejs_adapter,Node.js>> * <<_nodejs_adapter,Node.js>>
===== JavaScript
* <<_javascript_adapter,JavaScript>>
ifeval::[{project_community}==true]
===== Node.js
* https://github.com/keycloak/keycloak-nodejs-connect[{project_name} Connect] (community)
endif::[]
ifeval::[{project_community}==true] ifeval::[{project_community}==true]
==== C# ==== C#
* https://github.com/dylanplecki/KeycloakOwinAuthentication[OWIN] (community) * https://github.com/dylanplecki/KeycloakOwinAuthentication[OWIN] (community)
endif::[]
ifeval::[{project_community}==true]
==== Python ==== Python
* https://pypi.python.org/pypi/oic/[oidc] (generic) * https://pypi.python.org/pypi/oic/[oidc] (generic)
endif::[]
ifeval::[{project_community}==true]
==== Android ==== Android
* https://github.com/openid/AppAuth-Android[AppAuth] (generic) * https://github.com/openid/AppAuth-Android[AppAuth] (generic)
* https://github.com/aerogear/aerogear-android-authz[AeroGear] (generic) * https://github.com/aerogear/aerogear-android-authz[AeroGear] (generic)
endif::[]
ifeval::[{project_community}==true]
==== iOS ==== iOS
* https://github.com/openid/AppAuth-iOS[AppAuth] (generic) * https://github.com/openid/AppAuth-iOS[AppAuth] (generic)
* https://github.com/aerogear/aerogear-ios-oauth2[AeroGear] (generic) * https://github.com/aerogear/aerogear-ios-oauth2[AeroGear] (generic)
endif::[]
ifeval::[{project_community}==true]
===== Apache HTTP Server ===== Apache HTTP Server
* https://github.com/zmartzone/mod_auth_openidc[mod_auth_openidc] * https://github.com/zmartzone/mod_auth_openidc[mod_auth_openidc]
endif::[] endif::[]
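
Review bot: two points on the restructured list. Spring Boot (right side, `* <<_spring_boot_adapter,Spring Boot>>`) loses its `(community)` marker and is now shown to product readers, while Spring Security stays inside `ifeval::[{project_community}==true]`; confirm that split matches the 7.2 supported-configurations list. Collapsing the C#, Python, Android, iOS and Apache HTTP Server entries into one community block also leaves `===== Apache HTTP Server` one level below `==== iOS`, so it renders as a subsection of iOS; `==== Apache HTTP Server` would keep all platforms at the same level.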

View file

@ -3,6 +3,9 @@
== Token Exchange == Token Exchange
:tech_feature_name: Token Exchange
include::../templates/techpreview.adoc[]
In {project_name}, token exchange is the process of using a set of credentials or token to obtain an entirely different token. In {project_name}, token exchange is the process of using a set of credentials or token to obtain an entirely different token.
A client may want to invoke on a less trusted application so it may want to downgrade the current token it has. A client may want to invoke on a less trusted application so it may want to downgrade the current token it has.
A client may want to exchange a {project_token} for a token stored for a linked social provider account. A client may want to exchange a {project_token} for a token stored for a linked social provider account.
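
Review bot: this include sets `:tech_feature_name:` but not `:tech_feature_disabled:`, so which variant of the template note renders depends on how an undefined `{tech_feature_disabled}` is resolved inside `ifeval`; setting the attribute explicitly (`:tech_feature_disabled: true`) next to the name makes the intent visible and keeps the topic correct if an earlier section in the same book has set it to `false`.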

View file

@ -2,6 +2,9 @@
=== Fine Grain Admin Permissions === Fine Grain Admin Permissions
:tech_feature_name: Fine Grain Admin Permissions
include::../templates/techpreview.adoc[]
Sometimes roles like `manage-realm` or `manage-users` are too coarse grain and you want to create Sometimes roles like `manage-realm` or `manage-users` are too coarse grain and you want to create
restricted admin accounts that have more fine grain permissions. {project_name} allows you to define restricted admin accounts that have more fine grain permissions. {project_name} allows you to define
and assign restricted access policies for managing a realm. Things like: and assign restricted access policies for managing a realm. Things like:
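
Review bot: `:tech_feature_disabled:` is left implicit here as well; document attributes set in the body persist for the rest of the document, so declare it explicitly beside `:tech_feature_name:` so the disabled-by-default wording of the included note does not depend on the order in which topics are included into the guide.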

View file

@ -24,7 +24,7 @@ Running a FreeIPA server with Docker requires this command:
docker run --name freeipa-server-container -it \ docker run --name freeipa-server-container -it \
-h server.freeipa.local -e PASSWORD=YOUR_PASSWORD \ -h server.freeipa.local -e PASSWORD=YOUR_PASSWORD \
-v /sys/fs/cgroup:/sys/fs/cgroup:ro \ -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
-v /var/lib/ipa-data:/data:Z adelton/freeipa-server -v /var/lib/ipa-data:/data:Z freeipa/freeipa-server
The parameter `-h` with `server.freeipa.local` represents the FreeIPA/IdM server hostname. Be sure to change `YOUR_PASSWORD` to a password of your choosing. The parameter `-h` with `server.freeipa.local` represents the FreeIPA/IdM server hostname. Be sure to change `YOUR_PASSWORD` to a password of your choosing.
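
Review bot: the image reference `freeipa/freeipa-server` carries no tag or digest, so the command pulls whatever `latest` is on Docker Hub at the time; for a command readers copy verbatim, pin a tag (and ideally a digest) so the FreeIPA version is reproducible. The prose should also say that `-e PASSWORD=YOUR_PASSWORD` leaves the admin password readable to anyone who can run `docker inspect` on the host, which is acceptable for a demo setup but worth stating.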

View file

@ -2,6 +2,10 @@
[[crossdc-mode]] [[crossdc-mode]]
=== Cross-Datacenter Replication Mode === Cross-Datacenter Replication Mode
:tech_feature_name: Cross-Datacenter Replication Mode
:tech_feature_disabled: false
include::../templates/techpreview.adoc[]
Cross-Datacenter Replication mode is for when you want to run {project_name} in a cluster across multiple data centers, most typically using data center sites that are in different geographic regions. When using this mode, each data center will have its own cluster of {project_name} servers. Cross-Datacenter Replication mode is for when you want to run {project_name} in a cluster across multiple data centers, most typically using data center sites that are in different geographic regions. When using this mode, each data center will have its own cluster of {project_name} servers.
This documentation will refer the following example architecture diagram to illustrate and describe a simple Cross-Datacenter Replication use case. This documentation will refer the following example architecture diagram to illustrate and describe a simple Cross-Datacenter Replication use case.
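
Review bot: `:tech_feature_disabled: false` is set as a document attribute in the body of the section, and such attributes stay in effect for the rest of the document; if any later section of this guide includes `techpreview.adoc` for a feature that is disabled by default, it will render the wrong variant of the note. Unset it after the include (`:tech_feature_disabled!:`) or set it explicitly at every include site.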

View file

@ -1,9 +1,9 @@
:project_name: Red Hat Single Sign-On :project_name: Red Hat Single Sign-On
:project_community: false :project_community: false
:project_product: true :project_product: true
:project_version: 7.2.0.DR4 :project_version: 7.2.0.GA
:project_versionMvn: 3.3.0.Final-redhat1 :project_versionMvn: 3.4.2.Final-redhat1
:project_versionNpm: 3.3.0.Final-redhat1 :project_versionNpm: 3.4.2.Final-redhat1
:project_versionDoc: 7.2 :project_versionDoc: 7.2
:project_images: rhsso-images :project_images: rhsso-images
:project_doc_base_url: https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/{project_versionDoc}/html-single :project_doc_base_url: https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/{project_versionDoc}/html-single
@ -87,4 +87,4 @@
:fuseHawtioWARVersion: hawtio-wildfly-1.4.0.redhat-630254.war :fuseHawtioWARVersion: hawtio-wildfly-1.4.0.redhat-630254.war
:subsystem_undertow_xml_urn: urn:jboss:domain:undertow:4.0 :subsystem_undertow_xml_urn: urn:jboss:domain:undertow:4.0
:saml_adapter_xsd_urn: http://www.keycloak.org/schema/keycloak_saml_adapter_1_9.xsd :saml_adapter_xsd_urn: http://www.keycloak.org/schema/keycloak_saml_adapter_1_9.xsd

View file

@ -0,0 +1,14 @@
ifeval::[{project_product}==true]
[NOTE]
====
ifeval::[{tech_feature_disabled}!=false]
{tech_feature_name} is *Technology Preview* and is not fully supported. This feature is disabled by default.
To enable start the server with `-Dkeycloak.profile=preview`. For more details see
link:{installguide_profile_link}[{installguide_profile_name}].
endif::[]
ifeval::[{tech_feature_disabled}==false]
{tech_feature_name} is *Technology Preview* and is not fully supported.
endif::[]
====
endif::[]
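
Review bot: the template references `{installguide_profile_link}` and `{installguide_profile_name}`, neither of which appears in the attributes hunk of this commit; verify both are defined for every guide that includes the template, otherwise the link renders with the literal attribute name. The choice between the two inner `ifeval` branches also relies on `{tech_feature_disabled}` comparing unequal to `false` when it was never set; a default `:tech_feature_disabled: true` in the shared attributes file would make the disabled-by-default branch explicit instead of depending on how an undefined attribute is resolved.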

View file

@ -19,6 +19,7 @@ In summary:
ifeval::[{project_product}==true] ifeval::[{project_product}==true]
Each step is described in more detail below the list of changes. Each step is described in more detail below the list of changes.
include::rhsso/migrate_themes-changes-72.adoc[leveloffset=0]
include::rhsso/migrate_themes-changes-71.adoc[leveloffset=0] include::rhsso/migrate_themes-changes-71.adoc[leveloffset=0]
endif::[] endif::[]
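
Review bot: the 7.2 include is placed above the 7.1 one, so the theme change lists read newest first; with `leveloffset=0` on both, this only works if the two files use the same heading level, which the `===== Theme changes RH-SSO 7.1` and `===== Theme changes RH-SSO 7.2` headings in this commit do.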

View file

@ -2,7 +2,7 @@
== Introduction == Introduction
Red Hat Single Sign-On (RH-SSO) 7.1 is based on the Keycloak project and provides security for your web applications by Red Hat Single Sign-On (RH-SSO) 7.2 is based on the Keycloak project and provides security for your web applications by
providing Web single sign-on capabilities based on popular standards such as SAML 2.0, OpenID Connect, and OAuth 2.0. providing Web single sign-on capabilities based on popular standards such as SAML 2.0, OpenID Connect, and OAuth 2.0.
The Red Hat Single Sign-On Server can act as a SAML or OpenID Connect-based identity provider, mediating with your The Red Hat Single Sign-On Server can act as a SAML or OpenID Connect-based identity provider, mediating with your
enterprise user directory or third-party SSO provider for identity information and your applications using standards-based enterprise user directory or third-party SSO provider for identity information and your applications using standards-based
@ -14,30 +14,30 @@ RH-SSO instances from a single control point. The upgrade process differs depend
implemented. Specific instructions for each mode are provided where applicable. implemented. Specific instructions for each mode are provided where applicable.
The purpose of this guide is to document the steps that are required to successfully upgrade from The purpose of this guide is to document the steps that are required to successfully upgrade from
Red Hat Single Sign-On 7.0 to Red Hat Single Sign-On 7.1. Red Hat Single Sign-On 7.1 to Red Hat Single Sign-On 7.2.
=== About Upgrades === About Upgrades
==== Major Upgrades ==== Major Upgrades
A major upgrade or migration is required when RH-SSO is upgraded from one major release to another, for example, from A major upgrade or migration is required when RH-SSO is upgraded from one major release to another, for example, from
Red Hat Single Sign-On 7.0 to Red Hat Single Sign-On 8.0. There may be breaking API changes between major releases Red Hat Single Sign-On 7.2 to Red Hat Single Sign-On 8.0. There may be breaking API changes between major releases
that could require rewriting parts of applications or server extensions. that could require rewriting parts of applications or server extensions.
==== Minor Updates ==== Minor Updates
Red Hat Single Sign-On periodically provides point releases, which are minor updates that include bug fixes, security Red Hat Single Sign-On periodically provides point releases, which are minor updates that include bug fixes, security
fixes, and new features. If you plan to upgrade from one Red Hat Single Sign-On point release to another, for example, fixes, and new features. If you plan to upgrade from one Red Hat Single Sign-On point release to another, for example,
from Red Hat Single Sign-On 7.0 to Red Hat Single Sign-On 7.1, code changes should not be required for applications or from Red Hat Single Sign-On 7.1 to Red Hat Single Sign-On 7.2, code changes should not be required for applications or
custom server extensions as long as no private, unsupported, or tech preview APIs are used. custom server extensions as long as no private, unsupported, or tech preview APIs are used.
==== Micro Updates ==== Micro Updates
Red Hat Single Sign-On 7 also periodically provides micro releases that contain bug and security fixes. Red Hat Single Sign-On 7 also periodically provides micro releases that contain bug and security fixes.
Micro releases increment the minor release version by the last digit, for example from 7.1.0 to 7.1.1. These release Micro releases increment the minor release version by the last digit, for example from 7.2.0 to 7.2.1. These release
do not require migration and should not impact the server configuration files. The patch management system for ZIP do not require migration and should not impact the server configuration files. The patch management system for ZIP
installations can also rollback the patch and server configuration. installations can also rollback the patch and server configuration.
A micro release only contains the artifacts that have changed. For example if Red Hat Single Sign-On 7.1.1 contains changes to A micro release only contains the artifacts that have changed. For example if Red Hat Single Sign-On 7.2.1 contains changes to
the server and the JavaScript adapter, but not the EAP adapter, only the server and JavaScript adapter are released and require the server and the JavaScript adapter, but not the EAP adapter, only the server and JavaScript adapter are released and require
updating. updating.
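
Review bot: while the version numbers are being touched, two wording issues in the context lines are worth fixing in the same pass: `These release do not require migration` should read `These releases`, and `Micro releases increment the minor release version by the last digit` describes the third (micro) digit, as the 7.2.0 to 7.2.1 example shows, not the minor version.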

View file

@ -1,4 +1,4 @@
The changes that have been made for RH-SSO 7.1 include: ===== Theme changes RH-SSO 7.1
**Templates** **Templates**
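
Review bot: replacing the lead sentence with the heading `===== Theme changes RH-SSO 7.1` fits the new include structure, but the `**Templates**` bold label now follows the heading with nothing in between; a short lead-in such as the removed 'The changes that have been made for RH-SSO 7.1 include:' would keep the list readable once both version sections are stacked in one page.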
@ -22,4 +22,4 @@ The changes that have been made for RH-SSO 7.1 include:
**Styles** **Styles**
* Account: account.css * Account: account.css
* Login: login.css * Login: login.css

View file

@ -0,0 +1,51 @@
===== Theme changes RH-SSO 7.2
**Templates**
* Account: account.ftl
* Account: applications.ftl
* Account: federatedIdentity.ftl
* Account: password.ftl
* Account: sessions.ftl
* Account: template.ftl
* Account: totp.ftl
* Admin: index.ftl
* Email: email-test.ftl (new)
* Email: email-verification.ftl
* Email: event-login_error.ftl
* Email: event-removed_totp.ftl
* Email: event-update_password.ftl
* Email: event-update_totp.ftl
* Email: executeActions.ftl
* Email: identity-provider-link.ftl
* Email: password-reset.ftl
* Login: bypass_kerberos.ftl (removed)
* Login: error.ftl
* Login: info.ftl
* Login: login-config-totp.ftl
* Login: login-idp-link-email.ftl
* Login: login-oauth-grant.ftl
* Login: login-page-expired.ftl (new)
* Login: login-reset-password.ftl
* Login: login-totp.ftl
* Login: login-update-password.ftl
* Login: login-update-profile.ftl
* Login: login-verify-email.ftl
* Login: login-x509-info.ftl (new)
* Login: login.ftl (new)
* Login: register.ftl (new)
* Login: template.ftl (new)
* Login: terms.ftl (new)
**Messages**
* Account: messages_en.properties
* Admin: admin-messages_en.properties
* Admin: messages_en.properties
* Email: messages_en.properties
* Login: messages_en.properties
**Styles**
* Account: account.css
* Login: login.css
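
Review bot: the `(new)` markers on `login.ftl`, `register.ftl`, `template.ftl` and `terms.ftl` look wrong: these are the base templates every login theme already extends, so a reader who customized them in 7.1 would wrongly conclude they are unaffected by 7.2; if the marker means 'substantially rewritten', say so, otherwise drop it. The other markers (`bypass_kerberos.ftl (removed)`, `email-test.ftl (new)`, `login-page-expired.ftl (new)`, `login-x509-info.ftl (new)`) follow the same convention, so only these four need checking against the 7.1 list.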