SAML javascript protocol mapper: disable uploading scripts through admin console by default (#1677)

closes #1676
This commit is contained in:
Marek Posolda 2022-09-09 13:47:47 +02:00 committed by GitHub
parent f70bd74b6b
commit 47ad5e2427
2 changed files with 21 additions and 14 deletions


@ -209,6 +209,7 @@ bin/kc.[sh|bat] build --spi-user-cache-infinispan-enabled=false
* Authenticator
* JavaScript Policy
* OpenID Connect Protocol Mapper
* SAML Protocol Mapper
==== Authenticator
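Review bot: the new `* SAML Protocol Mapper` list entry has no matching subsection in this hunk, while the list it extends is immediately followed by `==== Authenticator`, which suggests each listed provider type gets its own `====` section; if that pattern holds for the others, add a `==== SAML Protocol Mapper` section (or point the entry at the existing OpenID Connect mapper section) so the new entry is not a dead end for readers.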
@ -296,6 +297,13 @@ The `META-INF/keycloak-scripts.json` is a file descriptor that provides metadata
"fileName": "my-script-mapper.js",
"description": "My Mapper from a JS file"
}
],
"saml-mappers": [
{
"name": "My Mapper",
"fileName": "my-script-mapper.js",
"description": "My Mapper from a JS file"
}
]
}
```
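Review bot: the added `saml-mappers` entry reuses exactly the same `"name": "My Mapper"` and `"fileName": "my-script-mapper.js"` as the `mappers` entry above it, which leaves it ambiguous whether one script file is meant to serve both the OIDC and SAML provider types or whether this is a copy-paste; consider distinct values such as `"name": "My SAML Mapper"` and `"fileName": "my-saml-script-mapper.js"` so the example shows two independent providers.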
@ -313,6 +321,10 @@ For JavaScript Policies when using {project_name} Authorization Services. You ca
* `mappers`
+
For OpenID Connect Script Protocol Mappers. You can have one or multiple mappers in the same JAR file
+
* `saml-mappers`
+
For SAML Script Protocol Mappers. You can have one or multiple mappers in the same JAR file
For each script file in your `JAR` file, you need a corresponding entry in `META-INF/keycloak-scripts.json` that maps your scripts files to a specific provider type. For that you should provide the following properties for each entry:
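Review bot: the new `saml-mappers` description mirrors the `mappers` entry word for word ("You can have one or multiple mappers in the same JAR file"), and neither sentence ends with a period; since the SAML mapper is the subject of this change, a short note on how its script differs from the OpenID Connect one (or an explicit statement that the same script contract applies) would be more useful than a verbatim copy.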
@ -380,19 +392,6 @@ cp target/keycloak-server-copy/providers/*.jar KEYCLOAK_HOME/providers/
```
After re-augment the distribution with `kc.sh build`, the script engine should be deployed and your script providers should work.
==== Using the {project_name} Admin Console to upload scripts
NOTE: Ability to upload scripts through the Admin Console is deprecated and will be removed in a future version of {project_name}.
Administrators cannot upload scripts to the server. This behavior prevents potential harm to the system in case
malicious scripts are accidentally executed. Administrators should always deploy scripts directly to the server using a
JAR file to prevent attacks when you run scripts at runtime.
Ability to upload scripts can be explicitly enabled. This should be used with great care and plans should be created to
deploy all scripts directly to the server as soon as possible.
For more details about how to enable the `upload_scripts` feature, see the https://www.keycloak.org/server/features[Enabling and disabling features] guide.
=== Available SPIs
If you want to see list of all available SPIs at runtime, you can check `Server Info` page in Admin Console as described in <<_providers_admin_console,Admin Console>> section.
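Review bot: this hunk deletes the whole "Using the Admin Console to upload scripts" subsection, including the NOTE that the capability is deprecated and the only pointer to how `upload_scripts` can be explicitly enabled via the features guide; if the feature flag still exists after this change, that reference should survive somewhere (for example in the SAML mapper section or the upgrade notes), and if it no longer applies the removal should say so, otherwise administrators who relied on the flag have no documented path.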


@ -11,4 +11,12 @@ bin/kc.[sh|bat] --spi-login-protocol-openid-connect-suppress-logout-confirmation
With this configuration, you can still use the logout endpoint without a user prompt.
WARNING: The backwards compatibility switch will be removed in some future version - probably Keycloak 23. You are encouraged to update your clients as soon as possible as described above rather than rely on this switch.
WARNING: The backwards compatibility switch will be removed in some future version - probably Keycloak 23. You are encouraged to update your clients as soon as possible as described above rather than rely on this switch.
= Deploying scripts through SAML javascript protocol mapper
Until now, administrators, which used SAML javascript protocol mapper on their SAML clients or client scopes, were allowed to upload scripts to the server through the {project_name} Administration Console as well as
through the RESTful Admin API.
For now on, this capability is *disabled* and users should deploy scripts directly to the server. This behaviour is aligned with other script based providers. For more details,
please take a look at link:{developerguide_jsproviders_link}[{developerguide_jsproviders_name}].
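Review bot: a few wording problems in the added upgrade note: "administrators, which used" should be "administrators who used", "For now on" should be "From now on", and "javascript" should be capitalized as "JavaScript" to match the rest of the guide; separately, the WARNING paragraph about the backwards compatibility switch appears twice in a row in this hunk, so if that is a real duplicate in the source rather than a rendering artifact, one copy should be dropped. It would also help to state here whether the `upload_scripts` feature flag still re-enables uploads for SAML mappers, since the developer guide section this note links to is being trimmed in the same commit.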