KEYCLOAK-19177 Add docs for Allow ECP Flow switch in admin console, including note in release notes (#1455)

Michal Hajas 2022-04-20 10:08:10 +02:00 committed by GitHub
parent 1c76abaab9
commit 3fcd59e82d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 0 deletions


@ -67,6 +67,13 @@ There are more WebAuthn improvements and fixes in addition to that.
For more details, see link:{adminguide_link}#_user_session_limits[{adminguide_name}].
Thanks to https://github.com/mfdewit[Mauro de Wit] for the contribution.
== SAML ECP Profile is disabled by default
To mitigate the risk of abusing SAML ECP Profile, {project_name} now blocks
this flow for all SAML clients that do not allow it explicitly. The profile
can be enabled using _Allow ECP Flow_ flag within client configuration,
see link:{adminguide_link}#_client-saml-configuration[{adminguide_name}].
== Quarkus distribution
=== Import realms at startup
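
Review bot: The new "SAML ECP Profile is disabled by default" section does not say what happens on upgrade to existing SAML clients that already use ECP. Since the text states that the flow is now blocked "for all SAML clients that do not allow it explicitly", add a sentence telling administrators whether such clients must have _Allow ECP Flow_ turned on after upgrading or whether the setting is migrated for them. "The risk of abusing SAML ECP Profile" also leaves the risk unnamed; a short clause or a link describing it would let readers judge whether to re-enable the flow. Minor wording: "using the _Allow ECP Flow_ flag within the client configuration" reads better with the articles.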


@ -72,6 +72,8 @@ This option is used when {project_name} server and adapter provide the IDP and S
*Force Name ID Format*:: If a request has a name ID policy, ignore it and use the value configured in the Admin Console under *Name ID Format*.
*Allow ECP Flow*:: If true, this application is allowed to use SAML ECP profile for authentication.
*Name ID Format*:: The Name ID Format for the subject. This format is used if no name ID policy is specified in a request, or if the Force Name ID Format attribute is set to ON.
*Root URL*:: When {project_name} uses a configured relative URL, this value is prepended to the URL.
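
Review bot: The *Allow ECP Flow* entry describes the switch with "If true", while the neighbouring *Name ID Format* entry refers to a switch being "set to ON"; use the same ON/OFF wording so the list is consistent with itself. The entry also omits the default and the effect of leaving the switch off, although the release note in this same commit says the profile is disabled by default. Suggested wording: "If ON, this client is allowed to use the SAML ECP profile for authentication. OFF by default, in which case the ECP flow is blocked for this client." Note too that the release note says "SAML clients" where this entry says "application"; pick one term.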