[KEYCLOAK-9554] - Add X.509 authenticator option for canonical DN
- added documentation for the new option
- updated the configuration picture
- corrected the provider value to select in section "Adding X.509 Client Certificate Authentication to a Browser Flow"
parent 4005d205e2
commit 335f690012
2 changed files with 7 additions and 1 deletions
Binary file (image) not shown. Before: 62 KiB; After: 46 KiB.
@ -142,7 +142,7 @@ If set to `REQUESTED`, the server will optionally ask for a client certificate.
|
||||||
* Select a realm, click on Authentication link, select the "Browser" flow
|
* Select a realm, click on Authentication link, select the "Browser" flow
|
||||||
* Make a copy of the built-in "Browser" flow. You may want to give the new flow a distinctive name, i.e. "X.509 Browser"
|
* Make a copy of the built-in "Browser" flow. You may want to give the new flow a distinctive name, i.e. "X.509 Browser"
|
||||||
* Using the drop down, select the copied flow, and click on "Add execution"
|
* Using the drop down, select the copied flow, and click on "Add execution"
|
||||||
* Select "X509/Validate User Form" using the drop down and click on "Save"
|
* Select "X509/Validate Username Form" using the drop down and click on "Save"
|
||||||
|
|
||||||
image:images/x509-execution.png[]
|
image:images/x509-execution.png[]
|
||||||
|
|
||||||
|
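Review bot: The only change in this hunk is the drop-down label "X509/Validate User Form" becoming "X509/Validate Username Form"; please confirm it against the authenticator's display name in the admin console character for character, since the reader locates the execution in that drop-down by its exact text. The screenshot reference `image:images/x509-execution.png[]` is left untouched here, so check whether that picture still shows the old label; if it does, it needs the same correction as the text.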
@ -161,6 +161,12 @@ image:images/x509-configuration.png[]
|
||||||
`User Identity Source`::
|
`User Identity Source`::
|
||||||
Defines how to extract the user identity from a client certificate.
|
Defines how to extract the user identity from a client certificate.
|
||||||
|
|
||||||
|
`Canonical DN representation enabled` (optional)::
|
||||||
|
Defines whether to use the canonical format to determine a distinguished name.
|
||||||
|
The format is described in detail in the official link:https://docs.oracle.com/javase/8/docs/api/javax/security/auth/x500/X500Principal.html#getName-java.lang.String-[Java API documentation] .
|
||||||
|
This option only affects the two User Identity Sources _Match SubjectDN using regular expression_ and _Match IssuerDN using regular expression_.
|
||||||
|
If you setup a new keycloak instance it is recommended to enable this option. Leave this option disabled to remain beckward compatible with existing Keycloak instances.
|
||||||
|
|
||||||
`A regular expression` (optional)::
|
`A regular expression` (optional)::
|
||||||
Defines a regular expression to use as a filter to extract the certificate identity. The regular expression must contain a single group.
|
Defines a regular expression to use as a filter to extract the certificate identity. The regular expression must contain a single group.
|
||||||
|
|
||||||
|
|
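Review bot: The new `Canonical DN representation enabled` entry should state the practical consequence of enabling it on an existing instance: because the option changes the DN string that the _Match SubjectDN using regular expression_ and _Match IssuerDN using regular expression_ sources hand to the configured regular expression, an expression written against the non-canonical format may stop matching or capture a different value in its single group. That is the backward-compatibility risk the last paragraph alludes to, so say explicitly that the regular expression must be re-checked after toggling the option. Minor text fixes in the same hunk: `beckward` should be `backward`; `If you setup a new keycloak instance` should read `If you set up a new Keycloak instance`; and the stray space in `[Java API documentation] .` will render as ` .` in AsciiDoc, so drop it.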