This commit is contained in:
Bill Burke 2016-05-31 22:01:13 -04:00
parent e29603bb7d
commit 4499df5ba4
9 changed files with 14 additions and 12 deletions

View file

@ -82,7 +82,7 @@ you have that file already available.
===== Enable SPNEGO Processing
{{book.project.name}} does not have SPNEGO protocol support turned on by default. So, you have to go to the <<../../authentication/flows.adoc#_authentication-flows, browser flow>>
{{book.project.name}} does not have SPNEGO protocol support turned on by default. So, you have to go to the <<fake/../../authentication/flows.adoc#_authentication-flows, browser flow>>
and enable `Kerberos`.
.browser flow
@ -95,7 +95,7 @@ to _required_ then all users must have Kerberos enabled for their browser.
===== Configure Kerberos User Storage Federation Provider
Now that the SPNEGO protocol is turned on at the authentication server, you'll need to configure how {{book.project.name}} interprets the Kerberos ticket.
This is done through <../../user-federation.adoc#_user-storage-federation,User Storage Federation>>. We have 2 different federation providers with Kerberos authentication support.
This is done through <fake/../../user-federation.adoc#_user-storage-federation,User Storage Federation>>. We have 2 different federation providers with Kerberos authentication support.
If you want to authenticate with Kerberos backed by an LDAP server, you have to first configure the <<fake/../../user-federation/ldap.adoc#_ldap, LDAP Federation Provider>>.
If you look at the configuration page for your LDAP provider you'll see a `Kerberos Integration` section.

View file

@ -85,7 +85,7 @@ Remember that you still have to click the `Save` button!
Only wildcards, * ,are allowed at the end of of a URI, i.e. http://host.com/*
You should take extra precautions when registering valid redirect URI patterns as if you make
them too general you are vulnerable to attacks. See <<fake/../../threat/redirect.adoc#_unspecific-redirect-uris, Security Vulnerabilities>> chapter
them too general you are vulnerable to attacks. See <<fake/../../threat/redirect.adoc#_unspecific-redirect-uris, Threat Model Mitigation>> chapter
for more information.
*Base URL*

View file

@ -24,7 +24,7 @@ The token can be a standard bearer token, a initial access token or a registrati
===== Bearer Token
The bearertoken can be issued on behalf of a user or a Service Account.
The following permissions are required to invoke the endpoints (see <<_admin_permissions,Admin Permissions>> for more details):
The following permissions are required to invoke the endpoints (see <<fake/../../admin-console-permissions.adoc#_admin_permissions,Admin Permissions>> for more details):
* create-client
+`manage-client`
@ -32,7 +32,8 @@ The following permissions are required to invoke the endpoints (see <<_admin_per
+`manage-client`
* manage-client
If you are using a regular bearer token to create clients we recommend using a token from on behalf of a Service Account with only the `create-client` role. See the <<fake/../../clients/oidc/service-accounts.adoc#_service_accounts,Service Accounts>> section for more details.
If you are using a regular bearer token to create clients we recommend using a token from on behalf of a Service Account with only the `create-client` role.
See the <<fake/../../clients/oidc/service-accounts.adoc#_service_accounts,Service Accounts>> section for more details.
===== Initial Access Token

View file

@ -34,7 +34,7 @@ Consent::
Consent Text::
If your client requires consent and the `Consent` switch is on, this is the text that will be displayed by the user.
The value for this text is localizable by specifying a substitution variable with `$\{var-name}}` strings. The
localized value is then configured within property files in your theme. See the link:{{book.developerguide.link}}[book.developerguide.name]
localized value is then configured within property files in your theme. See the link:{{book.developerguide.link}}[{{book.developerguide.name}}]
for more information on localization.
Most OIDC mappers also allow you to control where the claim gets put. You can opt to include or exclude the claim from both the
@ -43,7 +43,7 @@ _id_ and _access_ tokens by fiddling with the `Add to ID token` and `Add to acce
Finaly, you can also add other mapper types. if you go back to the `Mappers` tab, click the `Create` button.
.Add Mapper
image:../../{{book.images}}/add-mapper[]
image:../../{{book.images}}/add-mapper.png[]
Pick a `Mapper Type` from the list box. If you hover over the tooltip, you'll see a description of what that mapper type does.
Different config parameters will appear for different mapper types.

View file

@ -2,7 +2,7 @@
==== Default Groups
Default groups allow you to automatically assign group membership whenever any new user is created or imported through
<<fake/../../../user-federation.adoc#_user-federation, User Federation>> or <<fake/../../../identity-broker.adoc_identity-broker, Identity Brokering>>.
<<fake/../../user-federation.adoc#_user-storage-federation, User Storage Federation>> or <<fake/../../identity-broker.adoc#_identity-brokering, Identity Brokering>>.
To specify _default groups go to the `Groups` left menu item, and click the `Default Groups` tab.
.Default Roles

View file

@ -12,8 +12,8 @@ and hit the `Save` button.
.Add Role
image:../../{{book.images}}/role.png[]
The value for the `description` field is localizable by specifying a substitution variable with `$\{var-name}}` strings.
The localized value is then configured within property files in your theme. See the link:{{book.developerguide.link}}[book.developerguide.name]
The value for the `description` field is localizable by specifying a substitution variable with `$\{var-name}` strings.
The localized value is then configured within property files in your theme. See the link:{{book.developerguide.link}}[{{book.developerguide.name}}]
for more information on localization. If a client requires user _consent_, this description string will be displayed on the
consent page for the user.

View file

@ -23,5 +23,5 @@ in as the user being impersonated. If the admin and user are not in the same re
be logged in as the user in that user's realm. In both cases, the browser will be redirected to the impersonated user's User Accoutn Management
page.
Any user with the realm's `impersonation` role can impersonate a user. Please see the <<fake/../../admin-permissions.adoc#_admin-permissions,Admin Permissions>> chapter
Any user with the realm's `impersonation` role can impersonate a user. Please see the <<fake/../../admin-console-permissions.adoc#_admin_permissions,Admin Console Access Control>> chapter
for more details on assigning administration permissions.

View file

@ -27,7 +27,7 @@ action name. Also remember to click the `Save` button after you've decided what
==== Default Required Actions
You can also specify required actions that will be added to an account whenever a new user is created, i.e. through the `Add User` button the user
list screen, or via the <<fake/../../registration.adoc#_registration, user registration>> link on the login page. To specify
list screen, or via the <<fake/../../users/user-registration.adoc#_user-registration, user registration>> link on the login page. To specify
the default required actions go to the `Authentication` left menu item and click on the `Required Actions` tab.
.Default Required Actions

View file

@ -1,3 +1,4 @@
[[_user-registration]]
=== User Registration