Addressing Server Admin review comments
Closes #24643 Signed-off-by: AndyMunro <amunro@redhat.com>
parent 1b12fe132b
commit 20f5edc708
13 changed files with 44 additions and 37 deletions
Binary file not shown. Before: Size 51 KiB. After: Size 97 KiB.
@ -7,7 +7,7 @@
[role="_additional-resources"]
.Additional resources

* The Account Console can be configured in terms of appearance and language preferences. An example is adding attributes to the *Personal info* page by clicking *Personal info* link and completing and saving details. For more information, see reference:{developerguide_link}[{developerguide_name}].
* The Account Console can be configured in terms of appearance and language preferences. An example is adding attributes to the *Personal info* page by clicking *Personal info* link and completing and saving details. For more information, see {developerguide_link}[{developerguide_name}].

=== Accessing the Account Console

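Review bot: dropping the stray `reference:` prefix in front of `{developerguide_link}[{developerguide_name}]` is the right fix, since that prefix would otherwise render as literal text; while touching this bullet, `by clicking *Personal info* link` should read `by clicking the *Personal info* link`.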
@ -948,7 +948,7 @@ Use the client ID to construct an endpoint URI, such as `clients/ID/client-secre
For example:
[options="nowrap"]
----
$ kcadm.sh get clients/$CID/client-secret
$ kcadm.sh get clients/$CID/client-secret -r demorealm
----

[discrete]

@ -959,7 +959,7 @@ Use the client ID to construct an endpoint URI, such as `clients/ID/client-secre
For example:
[options="nowrap"]
----
$ kcadm.sh create clients/$CID/client-secret
$ kcadm.sh create clients/$CID/client-secret -r demorealm
----

[discrete]

@ -970,7 +970,7 @@ Use the client ID to construct an endpoint URI, such as `clients/ID`.
For example:
[options="nowrap"]
----
$ kcadm.sh update clients/$CID -s "secret=newSecret"
$ kcadm.sh update clients/$CID -s "secret=newSecret" -r demorealm
----

[discrete]

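Review bot: adding `-r demorealm` is fine, but this example still passes the new client secret on the command line (`-s "secret=newSecret"`), which leaves it in shell history and visible in the process list while the command runs; a one-line caution next to the example, and keeping `newSecret` an obvious placeholder, would stop readers from pasting a real secret this way.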
@ -1272,7 +1272,7 @@ For example:
+
[options="nowrap"]
----
$kcadm get users/6da5ab89-3397-4205-afaa-e201ff638f9e/sessions
$ kcadm.sh get users/6da5ab89-3397-4205-afaa-e201ff638f9e/sessions -r demorealm
----

[discrete]

@ -1286,7 +1286,7 @@ For example:
+
[options="nowrap"]
----
$ kcadm.sh delete sessions/d0eaa7cc-8c5d-489d-811a-69d3c4ec84d1
$ kcadm.sh delete sessions/d0eaa7cc-8c5d-489d-811a-69d3c4ec84d1 -r demorealm
----

[discrete]

@ -1919,7 +1919,7 @@ $ kcadm.sh get authentication/flows/Copy%20of%20browser/executions -r demorealm
For example:
[options="nowrap"]
----
$ kcadm create "authentication/executions/a3147129-c402-4760-86d9-3f2345e401c7/config" -r examplerealm -b '{"config":{"x509-cert-auth.mapping-source-selection":"Match SubjectDN using regular expression","x509-cert-auth.regular-expression":"(.*?)(?:$)","x509-cert-auth.mapper-selection":"Custom Attribute Mapper","x509-cert-auth.mapper-selection.user-attribute-name":"usercertificate","x509-cert-auth.crl-checking-enabled":"","x509-cert-auth.crldp-checking-enabled":false,"x509-cert-auth.crl-relative-path":"crl.pem","x509-cert-auth.ocsp-checking-enabled":"","x509-cert-auth.ocsp-responder-uri":"","x509-cert-auth.keyusage":"","x509-cert-auth.extendedkeyusage":"","x509-cert-auth.confirmation-page-disallowed":""},"alias":"my_otp_config"}'
$ kcadm.sh create "authentication/executions/a3147129-c402-4760-86d9-3f2345e401c7/config" -r demorealm -b '{"config":{"x509-cert-auth.mapping-source-selection":"Match SubjectDN using regular expression","x509-cert-auth.regular-expression":"(.*?)(?:$)","x509-cert-auth.mapper-selection":"Custom Attribute Mapper","x509-cert-auth.mapper-selection.user-attribute-name":"usercertificate","x509-cert-auth.crl-checking-enabled":"","x509-cert-auth.crldp-checking-enabled":false,"x509-cert-auth.crl-relative-path":"crl.pem","x509-cert-auth.ocsp-checking-enabled":"","x509-cert-auth.ocsp-responder-uri":"","x509-cert-auth.keyusage":"","x509-cert-auth.extendedkeyusage":"","x509-cert-auth.confirmation-page-disallowed":""},"alias":"my_otp_config"}'
----



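Review bot: the corrected `kcadm.sh create` line still mixes value types in the config map: `"x509-cert-auth.crldp-checking-enabled":false` is an unquoted JSON boolean while every neighbouring flag is a string (`"x509-cert-auth.crl-checking-enabled":""`), and the `update` example at line 1948 writes the same key as `"false"`; quote it as `"false"` here so the two examples agree and a copied payload sends the string the rest of the map uses. Separately, `"alias":"my_otp_config"` names an X.509 authenticator config after OTP; something like `my_x509_config` would avoid confusing readers (the same alias recurs in the get/update/delete examples below).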
@ -1933,7 +1933,7 @@ $ kcadm create "authentication/executions/a3147129-c402-4760-86d9-3f2345e401c7/c
For example:
[options="nowrap"]
----
$ kcadm get "authentication/config/dd91611a-d25c-421a-87e2-227c18421833" -r examplerealm
$ kcadm get "authentication/config/dd91611a-d25c-421a-87e2-227c18421833" -r demorealm
----


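Review bot: only the realm name changes here, but the command is still `kcadm get` while the `create` example at line 1919 was corrected to `kcadm.sh create` in this same commit; switch this line and the `update`/`delete` examples at lines 1948 and 1963 to `kcadm.sh` so the section uses one invocation throughout.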
@ -1948,7 +1948,7 @@ $ kcadm get "authentication/config/dd91611a-d25c-421a-87e2-227c18421833" -r exam
For example:
[options="nowrap"]
----
$ kcadm update "authentication/config/dd91611a-d25c-421a-87e2-227c18421833" -r examplerealm -b '{"id":"dd91611a-d25c-421a-87e2-227c18421833","alias":"my_otp_config","config":{"x509-cert-auth.extendedkeyusage":"","x509-cert-auth.mapper-selection.user-attribute-name":"usercertificate","x509-cert-auth.ocsp-responder-uri":"","x509-cert-auth.regular-expression":"(.*?)(?:$)","x509-cert-auth.crl-checking-enabled":"true","x509-cert-auth.confirmation-page-disallowed":"","x509-cert-auth.keyusage":"","x509-cert-auth.mapper-selection":"Custom Attribute Mapper","x509-cert-auth.crl-relative-path":"crl.pem","x509-cert-auth.crldp-checking-enabled":"false","x509-cert-auth.mapping-source-selection":"Match SubjectDN using regular expression","x509-cert-auth.ocsp-checking-enabled":""}}'
$ kcadm update "authentication/config/dd91611a-d25c-421a-87e2-227c18421833" -r demorealm -b '{"id":"dd91611a-d25c-421a-87e2-227c18421833","alias":"my_otp_config","config":{"x509-cert-auth.extendedkeyusage":"","x509-cert-auth.mapper-selection.user-attribute-name":"usercertificate","x509-cert-auth.ocsp-responder-uri":"","x509-cert-auth.regular-expression":"(.*?)(?:$)","x509-cert-auth.crl-checking-enabled":"true","x509-cert-auth.confirmation-page-disallowed":"","x509-cert-auth.keyusage":"","x509-cert-auth.mapper-selection":"Custom Attribute Mapper","x509-cert-auth.crl-relative-path":"crl.pem","x509-cert-auth.crldp-checking-enabled":"false","x509-cert-auth.mapping-source-selection":"Match SubjectDN using regular expression","x509-cert-auth.ocsp-checking-enabled":""}}'
----


@ -1963,5 +1963,5 @@ $ kcadm update "authentication/config/dd91611a-d25c-421a-87e2-227c18421833" -r e
For example:
[options="nowrap"]
----
$ kcadm delete "authentication/config/dd91611a-d25c-421a-87e2-227c18421833" -r examplerealm
$ kcadm delete "authentication/config/dd91611a-d25c-421a-87e2-227c18421833" -r demorealm
----

@ -85,17 +85,17 @@ You can copy and then modify an existing flow. Click the "Action list" (the thre

When creating a new flow, you must create a top-level flow first with the following options:

Alias::
Name::
The name of the flow.
Description::
The description you can set to the flow.
Top-Level Flow Type::
The type of flow. The type *client* is used only for the authentication of clients (applications). For all other cases, choose *generic*.
The type of flow. The type *client* is used only for the authentication of clients (applications). For all other cases, choose *basic*.

.Create a top-level flow
image:images/Create-top-level-flow.png[Top Level Flow]

When {project_name} has created the flow, {project_name} displays the *Add step*, and *Add flow* buttons.
When {project_name} has created the flow, {project_name} displays the *Add step*, and *Add sub-flow* buttons.

.An empty new flow
image:images/New-flow.png[New Flow]

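Review bot: the `Description::` entry kept between the renamed `Name::` and `Top-Level Flow Type::` still reads `The description you can set to the flow.`; `An optional description of the flow.` says the same thing without the awkward construction. Since the field label (`Name`), the type value (`basic`) and the button (`Add sub-flow`) all change in this hunk, check that `images/Create-top-level-flow.png` and `images/New-flow.png` show the new labels so the captions and screenshots agree.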
@ -106,7 +106,7 @@ Three factors determine the behavior of flows and sub-flows.
* The executions within the flows
* The requirements set within the sub-flows and the executions.

Executions have a wide variety of actions, from sending a reset email to validating an OTP. Add executions with the *Add step* button. Hover over the question mark next to *Provider*, to see a description of the execution.
Executions have a wide variety of actions, from sending a reset email to validating an OTP. Add executions with the *Add step* button.

.Adding an authentication execution
image:images/Create-authentication-execution.png[Adding an Authentication Execution]

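Review bot: the sentence `Hover over the question mark next to *Provider*, to see a description of the execution.` is removed without a replacement; if the new console shows the execution description somewhere else, say where, otherwise readers lose the only pointer in this section to what each execution does.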
@ -114,7 +114,7 @@ image:images/Create-authentication-execution.png[Adding an Authentication Execut
Two types of executions exist, _automatic executions_ and _interactive executions_. _Automatic executions_ are similar to the *Cookie* execution and will automatically
perform their action in the flow. _Interactive executions_ halt the flow to get input. Executions executing successfully set their status to _success_. For a flow to complete, it needs at least one execution with a status of _success_.

You can add sub-flows to top-level flows with the *Add flow* button. The *Add flow* button displays the *Create Execution Flow* page. This page is similar to the *Create Top Level Form* page. The difference is that the *Flow Type* can be *generic* (default) or *form*. The *form* type constructs a sub-flow that generates a form for the user, similar to the built-in *Registration* flow.
You can add sub-flows to top-level flows with the *Add sub-flow* button. The *Add sub-flow* button displays the *Create Execution Flow* page. This page is similar to the *Create Top Level Form* page. The difference is that the *Flow Type* can be *basic* (default) or *form*. The *form* type constructs a sub-flow that generates a form for the user, similar to the built-in *Registration* flow.
Sub-flows success depends on how their executions evaluate, including their contained sub-flows. See the <<_execution-requirements, execution requirements section>> for an in-depth explanation of how sub-flows work.

[NOTE]

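Review bot: `*Add sub-flow*` and `*basic*` now match the earlier hunk, but the same sentence still refers to the `*Create Top Level Form*` page, which the surrounding text calls a top-level flow; `*Create Top Level Flow*` looks like the intended name. In the context line below, `Sub-flows success depends on` should be `A sub-flow's success depends on`.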
@ -122,8 +122,7 @@ Sub-flows success depends on how their executions evaluate, including their cont
After adding an execution, check the requirement has the correct value.
====

All elements in a flow have a *Delete* option in the *Actions* menu. This action removes the element from the flow.
Executions have a *⚙️* menu item (the gear icon) to configure the execution. It is also possible to add executions and sub-flows to sub-flows with the *Add step* and *Add flow* links.
All elements in a flow have a *Delete* option next to the element. Some executions have a *⚙️* menu item (the gear icon) to configure the execution. It is also possible to add executions and sub-flows to sub-flows with the *Add step* and *Add sub-flow* links.

Since the order of execution is important, you can move executions and sub-flows up and down by dragging their names.


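Review bot: the merged sentence (`All elements in a flow have a *Delete* option next to the element. Some executions have a *⚙️* menu item ...`) reads better than the two lines it replaces; the context line at the top of the hunk, `check the requirement has the correct value`, should read `check that the requirement has the correct value`.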
@ -181,7 +180,7 @@ At this stage, the form requires a username but no password. We must enable pass
. Select *Required* for the *Authentication* authentication type to set its requirement to required.
. Click *+* menu of the *Authentication* sub-flow.
. Click *Add step*.
. Select *Webauthn Passwordless Authenticator* from the list.
. Select *WebAuthn Passwordless Authenticator* from the list.
. Click *Add*.
. Select *Alternative* for the *Webauthn Passwordless Authenticator* authentication type to set its requirement to alternative.
. Click *+* menu of the *Authentication* sub-flow.

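Review bot: the capitalization fix to `*WebAuthn Passwordless Authenticator*` is applied only to the `Select ... from the list` step; two lines further down, `Select *Alternative* for the *Webauthn Passwordless Authenticator* authentication type` still carries the old spelling and should be changed in the same hunk.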
@ -262,7 +261,6 @@ Now you configure the flow for the first authentication level.
. Select *Conditional - Level Of Authentication* from the list.
. Click *Add*.
. Click *Required* for the *Conditional - Level Of Authentication* authentication type to set its requirement to required.
. Click *+* menu of the *Conditional - Level Of Authentication*.
. Click *⚙️* (gear icon).
. Enter `Level 1` as an alias.
. Enter `1` for the Level of Authentication (LoA).

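Review bot: removing `Click *Required* for the *Conditional - Level Of Authentication* authentication type to set its requirement to required.` drops the step that activates the condition; a condition whose requirement is not *Required* is not evaluated, so the `Level 1` / `1` configuration that follows would have no effect. Either confirm that the new console creates conditions as *Required* by default and say so, or keep the step.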
@ -1,9 +1,15 @@

=== One Time Password (OTP) policies

{project_name} has several policies for setting up a FreeOTP or Google Authenticator One-Time Password generator. Click the *Authentication* menu and click the *OTP Policy* tab.
{project_name} has several policies for setting up a FreeOTP or Google Authenticator One-Time Password generator.

.Otp policy
.Procedure

. Click *Authentication* in the menu.
. Click the *Policy* tab.
. Click the *OTP Policy* tab.

.Otp Policy
image:images/otp-policy.png[OTP Policy]

{project_name} generates a QR code on the OTP set-up page, based on information configured in the *OTP Policy* tab. FreeOTP and Google Authenticator scan the QR code when configuring OTP.

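Review bot: the new procedure (`*Authentication*` → `*Policy*` tab → `*OTP Policy*` tab) supplies the navigation the old sentence only hinted at, but the caption kept above the image is `.Otp Policy` while the image alt text and the tab name are `OTP Policy`; use `.OTP Policy` for the caption.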
@ -59,7 +59,6 @@ Users can log in with WebAuthn if they have a WebAuthn credential registered onl
. Click *+* menu of the *WebAuthn Browser Forms* row.
. Click *Add sub-flow*.
. Enter "Conditional 2FA" for the _name_ field.
. On the *WebAuthn Browser Forms* row, click the plus sign + and select *Add step*.
. Select *Conditional* for the *Conditional 2FA* to set its requirement to conditional.
. On the *Conditional 2FA* row, click the plus sign + and select *Add condition*.
. Click *Add condition*.

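Review bot: the new step `On the *WebAuthn Browser Forms* row, click the plus sign + and select *Add step*.` creates the thing that is then named `Conditional 2FA` and given the *Conditional* requirement, which is a sub-flow, not a step; it should read `select *Add sub-flow*` (the removed `Click *Add sub-flow*.` had this right). The companion change, `On the *Conditional 2FA* row, click the plus sign + and select *Add condition*.`, is correct.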
@ -75,7 +74,6 @@ The user can choose between using WebAuthn and OTP for the second factor:

.Procedure
. On the *Conditional 2FA* row, click the plus sign + and select *Add step*.
. Click *Add step*.
. Select *OTP Form* from the list.
. Click *Add*.
. Select *Alternative* for the *OTP Form* to set its requirement to alternative.

@ -8,7 +8,7 @@ If your system is compromised, you can revoke all active sessions and access tok

.Procedure
. Click *Sessions* in the menu.
. From the *Actions* list, select *Sign out all active sessions*.
. From the *Actions* list, select *Revocation*.
+
.Revocation
image:images/revocation.png[Revocation]

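Review bot: swapping `*Sign out all active sessions*` for `*Revocation*` changes which action the step performs, while the introduction above promises that you can `revoke all active sessions and access tokens`; add a sentence stating what *Revocation* does (it sets a not-before time so that tokens issued before it are rejected) and, if *Sign out all active sessions* is still the action that ends the sessions themselves, keep both steps so the procedure delivers both outcomes during an incident.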
@ -18,7 +18,5 @@ Alternatively, you can send an email to the user that requests the user reset th
. Select a user.
. Click the *Credentials* tab.
. Click *Credential Reset*.
. Select *Configure OTP*.
. Navigate to the *Reset Actions* list.
. Click *Configure OTP*.
. Set *Reset Actions* to *Configure OTP*.
. Click *Send Email*. The sent email contains a link that directs the user to the *OTP setup page*.

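Review bot: `Navigate to the *Reset Actions* list.` followed by `Set *Reset Actions* to *Configure OTP*.` splits one selection into two steps, and the neighbouring `Click *Configure OTP*.` reads as a third way of saying the same thing; collapse them into one step, `In the *Reset Actions* list, select *Configure OTP*.`, immediately before `Click *Send Email*`.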
@ -11,7 +11,6 @@ You can delete a user, who no longer needs access to applications. If a user is
.Procedure
. Click *Users* in the menu. The *Users* page is displayed.
. Click *View all users* to find a user to delete.
. Click *Users* in the menu. The *Users* page is displayed.
+
NOTE: Alternatively, you can use the search bar to find a user.
+

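Review bot: with `Click *View all users* to find a user to delete.` removed, the remaining `NOTE: Alternatively, you can use the search bar to find a user.` no longer has anything to be an alternative to; make the search the step itself (`. Use the search bar to find the user to delete.`) and drop the NOTE.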
@ -12,6 +12,5 @@ Enable users to self-register.
. Click *Realm Settings* in the main menu.
. Click the *Login* tab.
. Toggle *User Registration* to *ON*.
. Click *Save*.

After you enable this setting, a *Register* link displays on the login page of the Admin Console.

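Review bot: the toggle lives under *Realm Settings* → *Login*, so it is a realm-wide setting, yet the closing sentence says the *Register* link `displays on the login page of the Admin Console`; if the link appears on the realm's login page for every client, say that instead, because enabling self-registration then affects all applications in the realm and not only the Admin Console.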
@ -18,4 +18,4 @@ image:images/registration-form.png[]
. Click the *Register* link on the login page. The registration page is displayed.
. Enter the user profile information.
. Enter the new password.
. Click *Save*.
. Click *Register*.

@ -16,7 +16,8 @@ image:images/registration-form-with-required-tac.png[]
* Terms and conditions required action is enabled.

.Procedure
. Click the *Flows* tab.
. Click *Authentication* in the menu.
Click the *Flows* tab.
. Click the *registration* flow.
. Select *Required* on the *Terms and Conditions* row.
+

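Review bot: the new line `Click the *Flows* tab.` lacks the `. ` list marker the surrounding steps use, so AsciiDoc will render it as a paragraph and restart the numbering of the procedure; it should be `. Click the *Flows* tab.` directly after `. Click *Authentication* in the menu.`.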
@ -18,9 +18,17 @@ If a user already has a password, it can be reset in the *Reset Password* sectio
. Click *Set Password*.
+
NOTE: If *Temporary* is *ON*, the user must change the password at the first login. To allow users to keep the password supplied, set *Temporary* to *OFF.* The user must click *Set Password* to change the password.
+
. Alternatively, you can send an email to the user that requests the user reset the password.
.. Click *Credential Reset*.
.. Select *Update Password* from the list.
.. Click *Send Email*. The sent email contains a link that directs the user to the *Update Password* window.
.. Optionally, you can set the validity of the email link. This is set to the default preset in the *Tokens* tab in *Realm Settings*.

= Requesting a user reset a password

You can also request that the user reset the password.

.Procedure

. Click *Users* in the menu. The *Users* page is displayed.
. Select a user.
. Click the *Credentials* tab.
. Click *Credential Reset*.
. Select *Update Password* from the list.
. Click *Send Email*. The sent email contains a link that directs the user to the *Update Password* window.
. Optionally, you can set the validity of the email link. This is set to the default preset in the *Tokens* tab in *Realm Settings*.

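Review bot: the new section title `= Requesting a user reset a password` uses a level-0 `=` heading, whereas the other files in this commit introduce sections with `===` (for example `=== One Time Password (OTP) policies`); check the level so the section nests under the password topic instead of starting a new document, and reword the title to `Requesting that a user reset a password`. In the NOTE kept above, `The user must click *Set Password* to change the password.` reads as if the end user performs the click; if it is the administrator who clicks *Set Password*, say so.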