[KEYCLOAK-9554] - Add X.509 authenticator option for canonical DN

- added documentation for the new option
- updated the configuration picture
- corrected the provider value to select in section "Adding X.509 Client
  Certificate Authentication to a Browser Flow"
Sebastian Loesch 2019-02-14 14:44:51 +01:00 committed by Stian Thorgersen
parent 4005d205e2
commit 335f690012
2 changed files with 7 additions and 1 deletions

Binary file not shown. Before: 62 KiB. After: 46 KiB.

@ -142,7 +142,7 @@ If set to `REQUESTED`, the server will optionally ask for a client certificate.
* Select a realm, click on Authentication link, select the "Browser" flow * Select a realm, click on Authentication link, select the "Browser" flow
* Make a copy of the built-in "Browser" flow. You may want to give the new flow a distinctive name, i.e. "X.509 Browser" * Make a copy of the built-in "Browser" flow. You may want to give the new flow a distinctive name, i.e. "X.509 Browser"
* Using the drop down, select the copied flow, and click on "Add execution" * Using the drop down, select the copied flow, and click on "Add execution"
* Select "X509/Validate User Form" using the drop down and click on "Save" * Select "X509/Validate Username Form" using the drop down and click on "Save"
image:images/x509-execution.png[] image:images/x509-execution.png[]
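Review bot: The corrected execution name "X509/Validate Username Form" in the fourth bullet should be checked against the display type the authenticator factory registers in the code, since this hunk is the only place the docs pin that drop-down value and it has already drifted once. As a style nit on the unchanged second bullet, `i.e. "X.509 Browser"` should read `e.g.`: the name is one example, not the required value.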
@ -161,6 +161,12 @@ image:images/x509-configuration.png[]
`User Identity Source`:: `User Identity Source`::
Defines how to extract the user identity from a client certificate. Defines how to extract the user identity from a client certificate.
`Canonical DN representation enabled` (optional)::
Defines whether to use the canonical format to determine a distinguished name.
The format is described in detail in the official link:https://docs.oracle.com/javase/8/docs/api/javax/security/auth/x500/X500Principal.html#getName-java.lang.String-[Java API documentation] .
This option only affects the two User Identity Sources _Match SubjectDN using regular expression_ and _Match IssuerDN using regular expression_.
If you setup a new keycloak instance it is recommended to enable this option. Leave this option disabled to remain beckward compatible with existing Keycloak instances.
`A regular expression` (optional):: `A regular expression` (optional)::
Defines a regular expression to use as a filter to extract the certificate identity. The regular expression must contain a single group. Defines a regular expression to use as a filter to extract the certificate identity. The regular expression must contain a single group.
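Review bot: The backward-compatibility sentence in the new `Canonical DN representation enabled` entry should say why disabling is the safe default for existing instances: the canonical form from `X500Principal.getName(CANONICAL)` lowercases the whole name and normalizes whitespace and escaping, so a regular expression written against the RFC 2253 form (for example one anchored on an uppercase `CN=` keyword) can stop matching once the option is enabled, which for `Match SubjectDN using regular expression` and `Match IssuerDN using regular expression` means users silently fail to authenticate until the regex is updated. Suggested wording: "Leave this option disabled on existing instances unless you also update your regular expressions, because the canonical representation changes case and whitespace of the DN they match against." Also in the added lines: "beckward" should be "backward", "setup" should be "set up", "keycloak instance" should be "Keycloak instance", and there is a stray space before the full stop after the `link:...[Java API documentation]` macro.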