From 53735621696e2e2913a076e5d6a975fac1a09f6a Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 12:52:29 +0200 Subject: [PATCH 01/32] Update topics/saml/java/general-config/idp_singlesignonservice_subelement.adoc --- .../idp_singlesignonservice_subelement.adoc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/topics/saml/java/general-config/idp_singlesignonservice_subelement.adoc b/topics/saml/java/general-config/idp_singlesignonservice_subelement.adoc index c172bd3996..3566510450 100644 --- a/topics/saml/java/general-config/idp_singlesignonservice_subelement.adoc +++ b/topics/saml/java/general-config/idp_singlesignonservice_subelement.adoc 
@@ -17,23 +17,23 @@ to the IDP formatted via the settings within this element when it wants to login Here are the config attributes you can define on this element: signRequest:: - Should the client sign authn requests? This setting is _OPTIONAL._. + Should the client sign authn requests? This setting is _OPTIONAL_. Defaults to whatever the IDP `signaturesRequired` element value is. validateResponseSignature:: Should the client expect the IDP to sign the assertion response document sent back from an auhtn request? - This setting _OPTIONAL._ Defaults to whatever the IDP `signaturesRequired` element value is. + This setting _OPTIONAL_. Defaults to whatever the IDP `signaturesRequired` element value is. requestBinding:: - This is the SAML binding type used for communicating with the IDP. This setting is _OPTIONAL._. + This is the SAML binding type used for communicating with the IDP. This setting is _OPTIONAL_. The default value is `POST`, but you can set it to `REDIRECT` as well. responseBinding:: SAML allows the client to request what binding type it wants authn responses to use. - The values of this can be `POST` or `REDIRECT`. This setting is _OPTIONAL._. + The values of this can be `POST` or `REDIRECT`. This setting is _OPTIONAL_. The default is that the client will not request a specific binding type for responses. bindingUrl:: - This is the URL for the IDP login service that the client will send requests to. This setting is _REQUIRED._. + This is the URL for the IDP login service that the client will send requests to. This setting is _REQUIRED_. From daf1f02a6e17d87d2f6158c9c1e7cafdd008db7c Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 12:53:23 +0200 Subject: [PATCH 02/32] Update topics/saml/java/general-config/idp_element.adoc --- topics/saml/java/general-config/idp_element.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/topics/saml/java/general-config/idp_element.adoc b/topics/saml/java/general-config/idp_element.adoc index 2bbf03664c..25c54b56d1 100644 --- a/topics/saml/java/general-config/idp_element.adoc +++ b/topics/saml/java/general-config/idp_element.adoc @@ -16,7 +16,7 @@ Everything in the IDP element describes the settings for the identity provider ( Here are the attribute config options you can specify within the `IDP` element declaration. entityID:: - This is the issuer ID of the IDP. This setting is _REQUIRED._. + This is the issuer ID of the IDP. This setting is _REQUIRED_. signaturesRequired:: If set to `true`, the client adapter will sign every document it sends to the IDP. @@ -29,6 +29,6 @@ signatureAlgorithm:: This setting is _OPTIONAL_ and defaults to `RSA_SHA256`. signatureCanonicalizationMethod:: - This is the signature canonicalization method that the IDP expects signed documents to use. This setting is _OPTIONAL._. + This is the signature canonicalization method that the IDP expects signed documents to use. This setting is _OPTIONAL_. The default value is `http://www.w3.org/2001/10/xml-exc-c14n#` and should be good for most IDPs. From 06b74badde5817043ff65e3ef1737d8a603c8e9e Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 12:55:05 +0200 Subject: [PATCH 03/32] Update topics/saml/java/general-config/sp-keys/keystore_element.adoc --- topics/saml/java/general-config/sp-keys/keystore_element.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/topics/saml/java/general-config/sp-keys/keystore_element.adoc b/topics/saml/java/general-config/sp-keys/keystore_element.adoc index 0569c02da5..b099c03d5f 100644 --- a/topics/saml/java/general-config/sp-keys/keystore_element.adoc +++ b/topics/saml/java/general-config/sp-keys/keystore_element.adoc 
@@ -28,7 +28,7 @@ resource:: This is a path used in method call to ServletContext.getResourceAsStream(). _OPTIONAL._ The file or resource attribute must be set. password:: - The password of the KeyStore _REQUIRED._ + The password of the KeyStore. This option is _REQUIRED_. If you are defining keys that the SP will use to sign document, you must also specify references to your private keys and certificates within the Java KeyStore. From cc8ea65622790577f70650a44deb2897066ac307 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 12:55:29 +0200 Subject: [PATCH 04/32] Update topics/saml/java/general-config/sp-keys/keystore_element.adoc --- topics/saml/java/general-config/sp-keys/keystore_element.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/topics/saml/java/general-config/sp-keys/keystore_element.adoc b/topics/saml/java/general-config/sp-keys/keystore_element.adoc index b099c03d5f..f00f4ffd04 100644 --- a/topics/saml/java/general-config/sp-keys/keystore_element.adoc +++ b/topics/saml/java/general-config/sp-keys/keystore_element.adoc @@ -21,11 +21,11 @@ a `KeyStore` element. Here are the XML config attributes that are defined with the `KeyStore` element. file:: - File path to the key store. _OPTIONAL._ The file or resource attribute must be set. + File path to the key store. This option is _OPTIONAL_. The file or resource attribute must be set. resource:: WAR resource path to the KeyStore. - This is a path used in method call to ServletContext.getResourceAsStream(). _OPTIONAL._ The file or resource attribute must be set. + This is a path used in method call to ServletContext.getResourceAsStream(). This option is _OPTIONAL_. The file or resource attribute must be set. password:: The password of the KeyStore. This option is _REQUIRED_. From 9af76ebe016391990076d3220dc0b3dd1829e5a0 Mon Sep 17 00:00:00 2001 
From: Stian Thorgersen Date: Fri, 10 Jun 2016 12:56:13 +0200 Subject: [PATCH 05/32] Update topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc --- .../idp_singlelogoutservice_subelement.adoc | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc b/topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc index 90d983cca1..2123e7f17f 100644 --- a/topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc +++ b/topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc 
@@ -17,25 +17,25 @@ to the IDP formatted via the settings within this element when it wants to logou ---- signRequest:: - Should the client sign logout requests it makes to the IDP? This setting _OPTIONAL._. + Should the client sign logout requests it makes to the IDP? This setting _OPTIONAL_. Defaults to whatever the IDP `signaturesRequired` element value is. signResponse:: - Should the client sign logout responses it sends to the IDP requests? This setting _OPTIONAL._. + Should the client sign logout responses it sends to the IDP requests? This setting _OPTIONAL_. Defaults to whatever the IDP `signaturesRequired` element value is. validateRequestSignature:: - Should the client expect signed logout request documents from the IDP? This setting is _OPTIONAL._ Defaults to whatever the IDP `signaturesRequired` element value is. + Should the client expect signed logout request documents from the IDP? This setting is _OPTIONAL_. Defaults to whatever the IDP `signaturesRequired` element value is. validateResponseSignature:: - Should the client expect signed logout response documents from the IDP? This setting is _OPTIONAL._ Defaults to whatever the IDP `signaturesRequired` element value is. + Should the client expect signed logout response documents from the IDP? This setting is _OPTIONAL_. Defaults to whatever the IDP `signaturesRequired` element value is. requestBinding:: - This is the SAML binding type used for communicating SAML requests to the IDP. This setting is _OPTIONAL._. + This is the SAML binding type used for communicating SAML requests to the IDP. This setting is _OPTIONAL_. The default value is `POST`, but you can set it to REDIRECT as well. responseBinding:: - This is the SAML binding type used for communicating SAML responses to the IDP The values of this can be `POST` or `REDIRECT`. This setting is _OPTIONAL._. + This is the SAML binding type used for communicating SAML responses to the IDP The values of this can be `POST` or `REDIRECT`. 
This setting is _OPTIONAL_. The default value is `POST`, but you can set it to `REDIRECT` as well. postBindingUrl:: From 15ac03dae005824529fea7eb125b862b1f513414 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 12:56:37 +0200 Subject: [PATCH 06/32] Update topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc --- .../general-config/idp_singlelogoutservice_subelement.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc b/topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc index 2123e7f17f..639cc9ea15 100644 --- a/topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc +++ b/topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc @@ -17,11 +17,11 @@ to the IDP formatted via the settings within this element when it wants to logou ---- signRequest:: - Should the client sign logout requests it makes to the IDP? This setting _OPTIONAL_. + Should the client sign logout requests it makes to the IDP? This setting is _OPTIONAL_. Defaults to whatever the IDP `signaturesRequired` element value is. signResponse:: - Should the client sign logout responses it sends to the IDP requests? This setting _OPTIONAL_. + Should the client sign logout responses it sends to the IDP requests? This setting is _OPTIONAL_. Defaults to whatever the IDP `signaturesRequired` element value is. validateRequestSignature:: From ee9670b8a04aa4bf7f4db58e4934727cdae43412 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 12:57:11 +0200 Subject: [PATCH 07/32] Update topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc --- .../java/general-config/idp_singlelogoutservice_subelement.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc b/topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc index 639cc9ea15..23c414c07c 100644 --- a/topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc +++ b/topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc @@ -31,7 +31,7 @@ validateResponseSignature:: Should the client expect signed logout response documents from the IDP? This setting is _OPTIONAL_. Defaults to whatever the IDP `signaturesRequired` element value is. requestBinding:: - This is the SAML binding type used for communicating SAML requests to the IDP. This setting is _OPTIONAL_. + This is the SAML binding type used for communicating SAML requests to the IDP. This setting is _OPTIONAL_. The default value is `POST`, but you can set it to REDIRECT as well. responseBinding:: From 2a236a74f577e17b571dbe6af7fd560deeb362a5 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 12:58:38 +0200 Subject: [PATCH 08/32] Update topics/saml/java/general-config/sp-keys.adoc --- topics/saml/java/general-config/sp-keys.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/topics/saml/java/general-config/sp-keys.adoc b/topics/saml/java/general-config/sp-keys.adoc index d76a1f700c..45e9c4cd16 100644 --- a/topics/saml/java/general-config/sp-keys.adoc +++ b/topics/saml/java/general-config/sp-keys.adoc @@ -7,7 +7,7 @@ For client signed documents you must define both the private and public key or c For encryption, you only have to define the private key that will be used to decrypt. There are two ways to describe your keys. -They can be stored within a Java KeyStore or you can or you can cut and paste the keys directly within `keycloak-saml.xml` in the PEM format. +They can be stored within a Java KeyStore or you can copy/paste the keys directly within `keycloak-saml.xml` in the PEM format. [source,xml] ---- 
From ef684d70cb89739767f608a8e650e16e74190e3a Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 12:59:17 +0200 Subject: [PATCH 09/32] Update topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc --- .../general-config/idp_singlelogoutservice_subelement.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc b/topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc index 23c414c07c..63d1e5c00a 100644 --- a/topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc +++ b/topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc @@ -31,11 +31,11 @@ validateResponseSignature:: Should the client expect signed logout response documents from the IDP? This setting is _OPTIONAL_. Defaults to whatever the IDP `signaturesRequired` element value is. requestBinding:: - This is the SAML binding type used for communicating SAML requests to the IDP. This setting is _OPTIONAL_. + This is the SAML binding type used for communicating SAML requests to the IDP. This setting is _OPTIONAL_. The default value is `POST`, but you can set it to REDIRECT as well. responseBinding:: - This is the SAML binding type used for communicating SAML responses to the IDP The values of this can be `POST` or `REDIRECT`. This setting is _OPTIONAL_. + This is the SAML binding type used for communicating SAML responses to the IDP. The values of this can be `POST` or `REDIRECT`. This setting is _OPTIONAL_. The default value is `POST`, but you can set it to `REDIRECT` as well. postBindingUrl:: From 9c0ff6fa0fbae7b255dda881ba05ced9dfb0f3ac Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 12:59:55 +0200 Subject: [PATCH 10/32] Update topics/saml/java/general-config/sp_element.adoc --- topics/saml/java/general-config/sp_element.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/topics/saml/java/general-config/sp_element.adoc b/topics/saml/java/general-config/sp_element.adoc index 8edc55405c..3637b75f1e 100644 --- a/topics/saml/java/general-config/sp_element.adoc +++ b/topics/saml/java/general-config/sp_element.adoc @@ -45,7 +45,7 @@ isPassive:: It is set to `false` by default. turnOffChangeSessionIdOnLogin:: - The session id is changed by default on a successful login on some platforms to plug a security attack vector (Tomcat 8, Jetty9, Undertow/Wildfly). + The session id is changed by default on a successful login on some platforms to plug a security attack vector. Change this to `true` if you want to turn this off. It is recommended you do not turn it off. The default value is `false`. From cc2f100cab58174f22f66c16a75c6313c955af4d Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:01:17 +0200 Subject: [PATCH 11/32] Update topics/saml/java/general-config/sp_element.adoc --- topics/saml/java/general-config/sp_element.adoc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/topics/saml/java/general-config/sp_element.adoc b/topics/saml/java/general-config/sp_element.adoc index 3637b75f1e..05ec4bf169 100644 --- a/topics/saml/java/general-config/sp_element.adoc +++ b/topics/saml/java/general-config/sp_element.adoc @@ -24,7 +24,7 @@ sslPolicy:: For `ALL`, all requests must come in via HTTPS. For `EXTERNAL`, only non-private IP addresses must come over the wire via HTTPS. For `NONE`, no requests are required to come over via HTTPS. - This is _OPTIONAL._ and defaults to `EXTERNAL`. + This is _OPTIONAL._. Default value is `EXTERNAL`. nameIDPolicyFormat:: SAML clients can request a specific NameID Subject format. 
@@ -35,17 +35,17 @@ nameIDPolicyFormat:: forceAuthentication:: SAML clients can request that a user is re-authenticated even if they are already logged in at the IDP. - Set this to `true` if you want this. This setting is _OPTIONAL._. - Set to `false` by default. + Set this to `true` if you want this. This setting is _OPTIONAL._ and defaults to `false`. + Default value is `false`. isPassive:: SAML clients can request that a user is never asked to authenticate even if they are not logged in at the IDP. Set this to `true` if you want this. Do not use together with `forceAuthentication` as they are opposite. This setting is _OPTIONAL._. - It is set to `false` by default. + Default value is `false`. turnOffChangeSessionIdOnLogin:: The session id is changed by default on a successful login on some platforms to plug a security attack vector. Change this to `true` if you want to turn this off. It is recommended you do not turn it off. - The default value is `false`. + Default value is `false`. From 5c66715669cddfa2dfc6477bb1f40e91ad324c30 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:02:09 +0200 Subject: [PATCH 12/32] Update topics/saml/java/general-config/sp_element.adoc --- topics/saml/java/general-config/sp_element.adoc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/topics/saml/java/general-config/sp_element.adoc b/topics/saml/java/general-config/sp_element.adoc index 05ec4bf169..21d3f1a818 100644 --- a/topics/saml/java/general-config/sp_element.adoc +++ b/topics/saml/java/general-config/sp_element.adoc 
@@ -16,7 +16,7 @@ Here is the explanation of the SP element attributes ---- entityID:: This is the identifier for this client. - The IDP needs this value to determine who the client is that is communicating with it. This setting _REQUIRED._ + The IDP needs this value to determine who the client is that is communicating with it. This setting is _REQUIRED_. sslPolicy:: This is the SSL policy the adapter will enforce. @@ -24,24 +24,24 @@ sslPolicy:: For `ALL`, all requests must come in via HTTPS. For `EXTERNAL`, only non-private IP addresses must come over the wire via HTTPS. For `NONE`, no requests are required to come over via HTTPS. - This is _OPTIONAL._. Default value is `EXTERNAL`. + This settings is _OPTIONAL_. Default value is `EXTERNAL`. nameIDPolicyFormat:: SAML clients can request a specific NameID Subject format. Fill in this value if you want a specific format. It must be a standard SAML format identifier, i.e. `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` - This setting is _OPTIONAL._. + This setting is _OPTIONAL_. By default, no special format is requested. forceAuthentication:: SAML clients can request that a user is re-authenticated even if they are already logged in at the IDP. - Set this to `true` if you want this. This setting is _OPTIONAL._ and defaults to `false`. + Set this to `true` if you want this. This setting is _OPTIONAL_ and defaults to `false`. Default value is `false`. isPassive:: SAML clients can request that a user is never asked to authenticate even if they are not logged in at the IDP. Set this to `true` if you want this. - Do not use together with `forceAuthentication` as they are opposite. This setting is _OPTIONAL._. + Do not use together with `forceAuthentication` as they are opposite. This setting is _OPTIONAL_. Default value is `false`. turnOffChangeSessionIdOnLogin:: From fe0fc04038c61e74a87d9f74bee8b68cb173452a Mon Sep 17 00:00:00 2001 
From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:03:02 +0200 Subject: [PATCH 13/32] Update topics/saml/java/general-config/sp_element.adoc --- topics/saml/java/general-config/sp_element.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/topics/saml/java/general-config/sp_element.adoc b/topics/saml/java/general-config/sp_element.adoc index 21d3f1a818..1fecaccac9 100644 --- a/topics/saml/java/general-config/sp_element.adoc +++ b/topics/saml/java/general-config/sp_element.adoc @@ -29,7 +29,7 @@ sslPolicy:: nameIDPolicyFormat:: SAML clients can request a specific NameID Subject format. Fill in this value if you want a specific format. - It must be a standard SAML format identifier, i.e. `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` + It must be a standard SAML format identifier, i.e. `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`. This setting is _OPTIONAL_. By default, no special format is requested. From b1583754bd778be57be7fae6dba377e6da2915fe Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:03:30 +0200 Subject: [PATCH 14/32] Update topics/saml/java/general-config/sp_element.adoc --- topics/saml/java/general-config/sp_element.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/topics/saml/java/general-config/sp_element.adoc b/topics/saml/java/general-config/sp_element.adoc index 1fecaccac9..8ca29e0933 100644 --- a/topics/saml/java/general-config/sp_element.adoc +++ b/topics/saml/java/general-config/sp_element.adoc @@ -35,7 +35,7 @@ nameIDPolicyFormat:: forceAuthentication:: SAML clients can request that a user is re-authenticated even if they are already logged in at the IDP. - Set this to `true` if you want this. This setting is _OPTIONAL_ and defaults to `false`. + Set this to `true` to enable. This setting is _OPTIONAL_ and defaults to `false`. Default value is `false`. isPassive:: From fb84142ea369310d6ac91ebc67520c6fc033325a Mon Sep 17 00:00:00 2001 
From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:03:57 +0200 Subject: [PATCH 15/32] Update topics/saml/java/general-config/sp_element.adoc --- topics/saml/java/general-config/sp_element.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/topics/saml/java/general-config/sp_element.adoc b/topics/saml/java/general-config/sp_element.adoc index 8ca29e0933..52dc474350 100644 --- a/topics/saml/java/general-config/sp_element.adoc +++ b/topics/saml/java/general-config/sp_element.adoc @@ -35,7 +35,7 @@ nameIDPolicyFormat:: forceAuthentication:: SAML clients can request that a user is re-authenticated even if they are already logged in at the IDP. - Set this to `true` to enable. This setting is _OPTIONAL_ and defaults to `false`. + Set this to `true` to enable. This setting is _OPTIONAL_. Default value is `false`. isPassive:: From ef0210e757875bb4e8d456f3143d07126c3624d8 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:04:44 +0200 Subject: [PATCH 16/32] Update topics/saml/java/general-config/sp_element.adoc --- topics/saml/java/general-config/sp_element.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/topics/saml/java/general-config/sp_element.adoc b/topics/saml/java/general-config/sp_element.adoc index 52dc474350..03b8b69144 100644 --- a/topics/saml/java/general-config/sp_element.adoc +++ b/topics/saml/java/general-config/sp_element.adoc @@ -46,6 +46,6 @@ isPassive:: turnOffChangeSessionIdOnLogin:: The session id is changed by default on a successful login on some platforms to plug a security attack vector. - Change this to `true` if you want to turn this off. It is recommended you do not turn it off. + Change this to `true` to disable this. It is recommended you do not turn it off. Default value is `false`. From 363ff676e3948379fb39df5d4334b4eefe14d709 Mon Sep 17 00:00:00 2001 
From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:05:56 +0200 Subject: [PATCH 17/32] Update topics/saml/java/jboss-adapter.adoc --- topics/saml/java/jboss-adapter.adoc | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/topics/saml/java/jboss-adapter.adoc b/topics/saml/java/jboss-adapter.adoc index 56460177d2..5dfda7a9f8 100644 --- a/topics/saml/java/jboss-adapter.adoc +++ b/topics/saml/java/jboss-adapter.adoc @@ -1,6 +1,11 @@ [[_saml-jboss-adapter]] -==== JBoss/Wildfly Adapter +{% if book.community %} +==== JBoss EAP/Wildfly Adapter +{% endif %} +{% if book.product %} +==== JBoss EAP Adapter +{% endif %} To be able to secure WAR apps deployed on JBoss EAP 6.x or Wildfly, you must install and configure the {{book.project.name}} SAML Adapter Subsystem. You then provide a keycloak config, `/WEB-INF/keycloak-saml.xml` file in your WAR and change the auth-method to KEYCLOAK-SAML within web.xml. From 18ef9c69b533aa62ff12bf4008cb5c298e3f62f0 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:08:00 +0200 Subject: [PATCH 18/32] Update topics/saml/java/jboss-adapter.adoc --- topics/saml/java/jboss-adapter.adoc | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/topics/saml/java/jboss-adapter.adoc b/topics/saml/java/jboss-adapter.adoc index 5dfda7a9f8..9091c41bf6 100644 --- a/topics/saml/java/jboss-adapter.adoc +++ b/topics/saml/java/jboss-adapter.adoc 
@@ -7,7 +7,13 @@ ==== JBoss EAP Adapter {% endif %} -To be able to secure WAR apps deployed on JBoss EAP 6.x or Wildfly, you must install and configure the {{book.project.name}} SAML Adapter Subsystem. +{% if book.community %} +To be able to secure WAR apps deployed on JBoss EAP or Wildfly, you must install and configure the {{book.project.name}} SAML Adapter Subsystem. +{% endif %} +{% if book.product %} +To be able to secure WAR apps deployed on JBoss EAP, you must install and configure the {{book.project.name}} SAML Adapter Subsystem. +{% endif %} + You then provide a keycloak config, `/WEB-INF/keycloak-saml.xml` file in your WAR and change the auth-method to KEYCLOAK-SAML within web.xml. Both methods are described in this section. From 805a74aaabed3c63471a2cc02fba6988edfa053c Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:08:48 +0200 Subject: [PATCH 19/32] Update topics/saml/java/jboss-adapter/required_per_war_configuration.adoc --- .../saml/java/jboss-adapter/required_per_war_configuration.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/topics/saml/java/jboss-adapter/required_per_war_configuration.adoc b/topics/saml/java/jboss-adapter/required_per_war_configuration.adoc index 47276e2598..928d10ccc5 100644 --- a/topics/saml/java/jboss-adapter/required_per_war_configuration.adoc +++ b/topics/saml/java/jboss-adapter/required_per_war_configuration.adoc @@ -4,7 +4,7 @@ This section describes how to secure a WAR directly by adding config and editing files within your WAR package. The first thing you must do is create a `keycloak-saml.xml` adapter config file within the `WEB-INF` directory of your WAR. -The format of this config file is describe in the <> section. +The format of this config file is described in the <> section. Next you must set the `auth-method` to `KEYCLOAK-SAML` in `web.xml`. You also have to use standard servlet security to specify role-base constraints on your URLs. 
From b31a14bc3d3cc09557702bb107f423065da41766 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:11:17 +0200 Subject: [PATCH 20/32] Update topics/oidc/oidc-generic.adoc --- topics/oidc/oidc-generic.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/topics/oidc/oidc-generic.adoc b/topics/oidc/oidc-generic.adoc index d4c589bb22..45f5e37bf9 100644 --- a/topics/oidc/oidc-generic.adoc +++ b/topics/oidc/oidc-generic.adoc @@ -133,7 +133,7 @@ There are a number of limitations of using this flow, including: * No support for identity brokering or social login * Flows are not supported (user self-registration, required actions, etc.) -For a client to be permitted to use the Resource Owner Password Credentials grant the client has to have `Direct Access Grants Enabled` enabled. +For a client to be permitted to use the Resource Owner Password Credentials grant the client has to have the `Direct Access Grants Enabled` option enabled. This flow is not included in OpenID Connect, but is a part of the OAuth 2.0 specification. From 5ffda764609dec6a94ee4a01cc83f4bc821c47b8 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:12:09 +0200 Subject: [PATCH 21/32] Update topics/oidc/oidc-generic.adoc --- topics/oidc/oidc-generic.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/topics/oidc/oidc-generic.adoc b/topics/oidc/oidc-generic.adoc index 45f5e37bf9..0413d70d07 100644 --- a/topics/oidc/oidc-generic.adoc +++ b/topics/oidc/oidc-generic.adoc 
@@ -95,7 +95,7 @@ https://openid.net/specs/openid-connect-registration-1_0.html[OpenID Connect Dyn ===== Authorization Code The Authorization Code flow redirects the user agent to {{book.project.name}}. Once the user has successfully authenticated with {{book.project.name}} an -Authorization Code is created and the user agent is redirected back to the application. The application then uses the authorization code to along with its +Authorization Code is created and the user agent is redirected back to the application. The application then uses the authorization code along with its credentials to obtain an Access Roken, Refresh Token and ID Token from {{book.project.name}}. The flow is targeted towards web applications, but is also recommended for native applications, including mobile applications, where it is possible to embed From 9dab95a807802b913418da287de8491d138abcdb Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:12:37 +0200 Subject: [PATCH 22/32] Update topics/oidc/oidc-generic.adoc --- topics/oidc/oidc-generic.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/topics/oidc/oidc-generic.adoc b/topics/oidc/oidc-generic.adoc index 0413d70d07..212baec505 100644 --- a/topics/oidc/oidc-generic.adoc +++ b/topics/oidc/oidc-generic.adoc 
@@ -96,7 +96,7 @@ https://openid.net/specs/openid-connect-registration-1_0.html[OpenID Connect Dyn The Authorization Code flow redirects the user agent to {{book.project.name}}. Once the user has successfully authenticated with {{book.project.name}} an Authorization Code is created and the user agent is redirected back to the application. The application then uses the authorization code along with its -credentials to obtain an Access Roken, Refresh Token and ID Token from {{book.project.name}}. +credentials to obtain an Access Token, Refresh Token and ID Token from {{book.project.name}}. The flow is targeted towards web applications, but is also recommended for native applications, including mobile applications, where it is possible to embed a user agent. From 41c2b0608ab17d829ab5163f5198f6f64cd8d9ec Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:13:56 +0200 Subject: [PATCH 23/32] Update topics/oidc/oidc-generic.adoc --- topics/oidc/oidc-generic.adoc | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/topics/oidc/oidc-generic.adoc b/topics/oidc/oidc-generic.adoc index 212baec505..f79ed88de1 100644 --- a/topics/oidc/oidc-generic.adoc +++ b/topics/oidc/oidc-generic.adoc @@ -11,10 +11,10 @@ The most important endpoint to know is the `well-known` configuration endpoint. Connect implementation in {{book.project.name}}. The endpoint is: .... -/realms/REALM-NAME/.well-known/openid-configuration +/realms/{realm-name}/.well-known/openid-configuration .... -To get the full URL add the base URL for {{book.project.name}} and replace `REALM-NAME` with the name of your realm. For example: +To get the full URL add the base URL for {{book.project.name}} and replace `{realm-name}` with the name of your realm. For example: $$http://localhost:8080/auth/realms/master/.well-known/openid-configuration$$ 
@@ -22,7 +22,7 @@ Some RP libraries will retrieve all required endpoints from this endpoint, but f ===== Authorization Endpoint .... -/realms/master/protocol/openid-connect/auth +/realms/{realm-name}/protocol/openid-connect/auth .... Performs authentication of the end-user. This is done by redirecting user agent to this endpoint. @@ -31,7 +31,7 @@ For more details see http://openid.net/specs/openid-connect-core-1_0.html#Author ===== Token Endpoint .... -/realms/master/protocol/openid-connect/token +/realms/{realm-name}/protocol/openid-connect/token .... Used to obtain tokens. Tokens can either be obtained by exchanging an authorization code or by supplying credentials directly depending on what flow is used. @@ -41,7 +41,7 @@ For more details see http://openid.net/specs/openid-connect-core-1_0.html#TokenE ===== Userinfo Endpoint .... -/realms/master/protocol/openid-connect/userinfo +/realms/{realm-name}/protocol/openid-connect/userinfo .... Returns standard claims about the authenticated user. Protected by a bearer token. @@ -50,7 +50,7 @@ For more details see http://openid.net/specs/openid-connect-core-1_0.html#UserIn ===== Logout Endpoint .... -/realms/master/protocol/openid-connect/logout +/realms/{realm-name}/protocol/openid-connect/logout .... Logs out the authenticated user. @@ -62,7 +62,7 @@ required to authenticate the client. ===== Certificate Endpoint .... -/realms/master/protocol/openid-connect/certs +/realms/{realm-name}/protocol/openid-connect/certs .... Public key used by realm encoded as a JSON Web Key (JWK). This key can be used to verify tokens issued by {{book.project.name}} without making invocations to 
@@ -72,7 +72,7 @@ For more details see https://tools.ietf.org/html/rfc7517[JSON Web Key specificat ===== Introspection Endpoint .... -/realms/master/protocol/openid-connect/token/introspect +/realms/{realm-name}/protocol/openid-connect/token/introspect .... Used to retrieve the active state of a token. Protected by a bearer token and can only be invoked by confidential clients. @@ -81,7 +81,7 @@ For more details see https://tools.ietf.org/html/rfc7662[OAuth 2.0 Token Introsp ===== Dynamic Client Registration Endpoint .... -/realms/master/clients-registrations/openid-connect +/realms/{realm-name}/clients-registrations/openid-connect .... Used to dynamically register clients. From b6cbb82bda24c624b642aa6c9a2f013eb62cdd8f Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:16:22 +0200 Subject: [PATCH 24/32] Update topics/oidc/javascript-adapter.adoc --- topics/oidc/javascript-adapter.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) mode change 100755 => 100644 topics/oidc/javascript-adapter.adoc diff --git a/topics/oidc/javascript-adapter.adoc b/topics/oidc/javascript-adapter.adoc old mode 100755 new mode 100644 index cd8665d6aa..77d30725cf --- a/topics/oidc/javascript-adapter.adoc +++ b/topics/oidc/javascript-adapter.adoc @@ -368,4 +368,4 @@ The available events are: * onAuthRefreshSuccess - Called when the token is refreshed. * onAuthRefreshError - Called if there was an error while trying to refresh the token. * onAuthLogout - Called if the user is logged out (will only be called if the session status iframe is enabled, or in Cordova mode). -* onTokenExpired - Called when access token expired. When this happens you can for example refresh token, or if refresh not available (ie. with implicit flow) you can redirect to login screen. +* onTokenExpired - Called when the access token is expired. When this happens you can for refresh the token, or if refresh is not available (ie. with implicit flow) you can redirect to login screen. 
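Review bot: the replacement `onTokenExpired` line reads `you can for refresh the token`, which drops the word `example` from the original `you can for example refresh token`; suggest `When this happens you can, for example, refresh the token, or if refresh is not available (i.e. with the implicit flow) redirect to the login screen.` (`ie.` should also be `i.e.`).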
From 3e756875b2253e99856505b08f858e368be82d7e Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:17:42 +0200 Subject: [PATCH 25/32] Update topics/oidc/javascript-adapter.adoc --- topics/oidc/javascript-adapter.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/topics/oidc/javascript-adapter.adoc b/topics/oidc/javascript-adapter.adoc index 77d30725cf..7c064c69b5 100644 --- a/topics/oidc/javascript-adapter.adoc +++ b/topics/oidc/javascript-adapter.adoc @@ -288,13 +288,13 @@ Options is an Object, where: Redirects to registration form. Shortcut for login with option action = 'register' -Options are same as login method but 'action' is set to 'register' +Options are same as for the login method but 'action' is set to 'register' ====== createRegisterUrl(options) Returns the url to registration page. Shortcut for createLoginUrl with option action = 'register' -Options are same as createLoginUrl method but 'action' is set to 'register' +Options are same as for the createLoginUrl method but 'action' is set to 'register' ====== accountManagement() From a36788f62fe2b67ad483e82a51aa70704c3f3241 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:19:59 +0200 Subject: [PATCH 26/32] Update topics/oidc/javascript-adapter.adoc --- topics/oidc/javascript-adapter.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/topics/oidc/javascript-adapter.adoc b/topics/oidc/javascript-adapter.adoc index 7c064c69b5..77b60bd57a 100644 --- a/topics/oidc/javascript-adapter.adoc +++ b/topics/oidc/javascript-adapter.adoc 
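Review bot: both replacement lines still lack an article: `Options are same as for the login method` and `Options are same as for the createLoginUrl method` should read `Options are the same as for the login method ...` and `Options are the same as for the createLoginUrl method ...`.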
@@ -254,7 +254,7 @@ Redirects to login form on (options is an optional object with redirectUri and/o Options is an Object, where: * redirectUri - Specifies the uri to redirect to after login. -* prompt - Can be set to 'none' to check if the user is logged in already (if not logged in, a login form is not displayed). +* prompt - By default the login screen is displayed if the user is not logged-in to {{book.project.name}}. To only authenticate to the application if the user is already logged-in and not display the login page if the user is not logged-in, set this option to `none`. * loginHint - Used to pre-fill the username/email field on the login form. * action - If value is 'register' then user is redirected to registration page, otherwise to login page. * locale - Specifies the desired locale for the UI. From 56f922687559a4aae75d536d72b92d3fb4a1fd20 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:20:50 +0200 Subject: [PATCH 27/32] Update SUMMARY.adoc --- SUMMARY.adoc | 143 ++++++++++++++++++++++++--------------------------- 1 file changed, 66 insertions(+), 77 deletions(-) mode change 100755 => 100644 SUMMARY.adoc diff --git a/SUMMARY.adoc b/SUMMARY.adoc old mode 100755 new mode 100644 index f5ed52c0e0..feb133dbf3 --- a/SUMMARY.adoc +++ b/SUMMARY.adoc 
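Review bot: in the new `prompt` description, `logged-in` is used as a predicate (`is not logged-in to`, `is already logged-in`), where it should be the unhyphenated `logged in`; the value is also written as `none` in backticks while the neighbouring `action` option quotes its value as 'register', so pick one style. Suggested: `* prompt - By default the login screen is displayed if the user is not logged in to {{book.project.name}}. To authenticate to the application only if the user is already logged in, and not display the login page otherwise, set this option to 'none'.`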
@@ -1,79 +1,68 @@ -= {{book.title}} += Summary - . link:topics/overview/overview.adoc[Overview] - .. link:topics/overview/what-are-client-adapters.adoc[What are Client Adapters?] - .. link:topics/overview/supported-platforms.adoc[Supported Platforms] - .. link:topics/overview/supported-protocols.adoc[Supported Protocols] +. link:README.adoc[Introduction] +. link:topics/overview/overview.adoc[Overview] +.. link:topics/overview/what-are-client-adapters.adoc[What are Client Adapters?] +.. link:topics/overview/supported-platforms.adoc[Supported Platforms] +.. link:topics/overview/supported-protocols.adoc[Supported Protocols] +. link:topics/oidc/oidc-overview.adoc[OpenID Connect] +.. link:topics/oidc/java/java-adapters.adoc[Java Adapters] +... link:topics/oidc/java/java-adapter-config.adoc[Java Adapters Config] +... link:topics/oidc/java/jboss-adapter.adoc[JBoss EAP/Wildfly Adapter] +... link:topics/oidc/java/fuse-adapter.adoc[JBoss Fuse Adapter] +.... link:topics/oidc/java/fuse/classic-war.adoc[Classic WAR application] +.... link:topics/oidc/java/fuse/servlet-whiteboard.adoc[Servlet Deployed as OSGI Service] +.... link:topics/oidc/java/fuse/camel.adoc[Apache Camel] +.... link:topics/oidc/java/fuse/cxf-separate.adoc[Apache CXF on Separate Jetty] +.... link:topics/oidc/java/fuse/cxf-builtin.adoc[Apache CXF on default Jetty] +.... link:topics/oidc/java/fuse/fuse-admin.adoc[Fuse Admin Services] +... link:topics/oidc/java/tomcat-adapter.adoc[Tomcat 6, 7 and 8 Adapters] +... link:topics/oidc/java/jetty9-adapter.adoc[Jetty 9.x Adapters] +... link:topics/oidc/java/jetty8-adapter.adoc[Jetty 8.1.x Adapter] +... link:topics/oidc/java/spring-boot-adapter.adoc[Spring Boot Adapter] +... link:topics/oidc/java/spring-security-adapter.adoc[Spring Security Adapter] +... link:topics/oidc/java/servlet-filter-adapter.adoc[Java Servlet Filter Adapter] +... link:topics/oidc/java/jaas.adoc[JAAS plugin] +... link:topics/oidc/java/adapter-context.adoc[Security Context] +... 
link:topics/oidc/java/adapter_error_handling.adoc[Error Handling] +... link:topics/oidc/java/logout.adoc[Logout] +... link:topics/oidc/java/multi-tenancy.adoc[Multi Tenancy] +... link:topics/oidc/java/application-clustering.adoc[Application Clustering] +.. link:topics/oidc/javascript-adapter.adoc[JavaScript Adapter] +.. link:topics/oidc/oidc-generic.adoc[Other OpenID Connect libraries] +... link:topics/oidc/mod-auth-openidc.adoc[mod_auth_oidc Apache HTTPD Module] +. link:topics/saml/saml-overview.adoc[SAML] +.. link:topics/saml/java/java-adapters.adoc[Java Adapters] +... link:topics/saml/java/general-config.adoc[General Adapter Config] +.... link:topics/saml/java/general-config/sp_element.adoc[SP Element] +.... link:topics/saml/java/general-config/sp-keys.adoc[SP Keys and Key elements] +..... link:topics/saml/java/general-config/sp-keys/keystore_element.adoc[KeyStore Element] +..... link:topics/saml/java/general-config/sp-keys/key_pems.adoc[Key PEMS] +.... link:topics/saml/java/general-config/sp_principalname_mapping_element.adoc[SP PrincipalNameMapping element] +.... link:topics/saml/java/general-config/roleidentifiers_element.adoc[RoleIdentifiers element] +.... link:topics/saml/java/general-config/idp_element.adoc[IDP Element] +.... link:topics/saml/java/general-config/idp_singlesignonservice_subelement.adoc[IDP SingleSignOnService sub element] +.... link:topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc[IDP SingleLogoutService sub element] +.... link:topics/saml/java/general-config/idp_keys_subelement.adoc[IDP Keys subelement] +... link:topics/saml/java/jboss-adapter.adoc[JBoss EAP/Wildfly Adapter] +.... link:topics/saml/java/jboss-adapter/jboss_adapter_installation.adoc[Adapter Installation] +.... link:topics/saml/java/jboss-adapter/required_per_war_configuration.adoc[Per WAR Configuration] +.... link:topics/saml/java/jboss-adapter/securing_wars.adoc[Securing WARs via SAML Subsystem] +... 
link:topics/saml/java/tomcat-adapter.adoc[Tomcat SAML adapters] +.... link:topics/saml/java/tomcat-adapter/tomcat_adapter_installation.adoc[Adapter Installation] +.... link:topics/saml/java/tomcat-adapter/tomcat_adapter_per_war_config.adoc[Per WAR Configuration] +... link:topics/saml/java/jetty-adapter.adoc[Jetty SAML Adapters] +.... link:topics/saml/java/jetty-adapter/jetty9_installation.adoc[Jetty 9 Adapter Installation] +.... link:topics/saml/java/jetty-adapter/jetty9_per_war_config.adoc[Jetty 9 Per WAR Configuration] +.... link:topics/saml/java/jetty-adapter/jetty8-installation.adoc[Jetty 8 Adapter Installation] +.... link:topics/saml/java/jetty-adapter/jetty8-per_war_config.adoc[Jetty 8 Per WAR Configuration] +... link:topics/saml/java/servlet-filter-adapter.adoc[Java Servlet Filter Adapter] +... link:topics/saml/java/idp-registration.adoc[Registering with an IDP] +... link:topics/saml/java/logout.adoc[Logout] +... link:topics/saml/java/assertion-api.adoc[Obtaining Assertion Attributes] +... link:topics/saml/java/error_handling.adoc[Error Handling] +... link:topics/saml/java/debugging.adoc[Troubleshooting] +... link:topics/saml/java/MigrationFromOlderVersions.adoc[Migration from older versions] +.. link:topics/saml/mod-auth-mellon.adoc[mod_auth_mellon Apache HTTPD Module] +. link:topics/client-registration.adoc[Client Registration] - . link:topics/oidc/oidc-overview.adoc[OpenID Connect] - - .. link:topics/oidc/java/java-adapters.adoc[Java Adapters] - ... link:topics/oidc/java/java-adapter-config.adoc[Java Adapters Config] - ... link:topics/oidc/java/jboss-adapter.adoc[JBoss EAP/Wildfly Adapter] - ... link:topics/oidc/java/fuse-adapter.adoc[JBoss Fuse Adapter] - .... link:topics/oidc/java/fuse/classic-war.adoc[Classic WAR application] - .... link:topics/oidc/java/fuse/servlet-whiteboard.adoc[Servlet Deployed as OSGI Service] - .... link:topics/oidc/java/fuse/camel.adoc[Apache Camel] - .... 
link:topics/oidc/java/fuse/cxf-separate.adoc[Apache CXF on Separate Jetty] - .... link:topics/oidc/java/fuse/cxf-builtin.adoc[Apache CXF on default Jetty] - .... link:topics/oidc/java/fuse/fuse-admin.adoc[Fuse Admin Services] - {% if book.community %} - ... link:topics/oidc/java/tomcat-adapter.adoc[Tomcat 6, 7 and 8 Adapters] - ... link:topics/oidc/java/jetty9-adapter.adoc[Jetty 9.x Adapters] - ... link:topics/oidc/java/jetty8-adapter.adoc[Jetty 8.1.x Adapter] - ... link:topics/oidc/java/spring-boot-adapter.adoc[Spring Boot Adapter] - ... link:topics/oidc/java/spring-security-adapter.adoc[Spring Security Adapter] - {% endif %} - ... link:topics/oidc/java/servlet-filter-adapter.adoc[Java Servlet Filter Adapter] - ... link:topics/oidc/java/jaas.adoc[JAAS plugin] - ... link:topics/oidc/java/adapter-context.adoc[Security Context] - ... link:topics/oidc/java/adapter_error_handling.adoc[Error Handling] - ... link:topics/oidc/java/logout.adoc[Logout] - ... link:topics/oidc/java/multi-tenancy.adoc[Multi Tenancy] - ... link:topics/oidc/java/application-clustering.adoc[Application Clustering] - - .. link:topics/oidc/javascript-adapter.adoc[JavaScript Adapter] - - .. link:topics/oidc/oidc-generic.adoc[Other OpenID Connect libraries] - {% if book.community %} - ... link:topics/oidc/mod-auth-openidc.adoc[mod_auth_oidc Apache HTTPD Module] - {% endif %} - - . link:topics/saml/saml-overview.adoc[SAML] - .. link:topics/saml/java/java-adapters.adoc[Java Adapters] - ... link:topics/saml/java/general-config.adoc[General Adapter Config] - .... link:topics/saml/java/general-config/sp_element.adoc[SP Element] - .... link:topics/saml/java/general-config/sp-keys.adoc[SP Keys and Key elements] - ..... link:topics/saml/java/general-config/sp-keys/keystore_element.adoc[KeyStore Element] - ..... link:topics/saml/java/general-config/sp-keys/key_pems.adoc[Key PEMS] - .... link:topics/saml/java/general-config/sp_principalname_mapping_element.adoc[SP PrincipalNameMapping element] - .... 
link:topics/saml/java/general-config/roleidentifiers_element.adoc[RoleIdentifiers element] - .... link:topics/saml/java/general-config/idp_element.adoc[IDP Element] - .... link:topics/saml/java/general-config/idp_singlesignonservice_subelement.adoc[IDP SingleSignOnService sub element] - .... link:topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc[IDP SingleLogoutService sub element] - .... link:topics/saml/java/general-config/idp_keys_subelement.adoc[IDP Keys subelement] - ... link:topics/saml/java/jboss-adapter.adoc[JBoss EAP/Wildfly Adapter] - .... link:topics/saml/java/jboss-adapter/jboss_adapter_installation.adoc[Adapter Installation] - .... link:topics/saml/java/jboss-adapter/required_per_war_configuration.adoc[Per WAR Configuration] - .... link:topics/saml/java/jboss-adapter/securing_wars.adoc[Securing WARs via SAML Subsystem] - {% if book.community %} - ... link:topics/saml/java/tomcat-adapter.adoc[Tomcat SAML adapters] - .... link:topics/saml/java/tomcat-adapter/tomcat_adapter_installation.adoc[Adapter Installation] - .... link:topics/saml/java/tomcat-adapter/tomcat_adapter_per_war_config.adoc[Per WAR Configuration] - ... link:topics/saml/java/jetty-adapter.adoc[Jetty SAML Adapters] - .... link:topics/saml/java/jetty-adapter/jetty9_installation.adoc[Jetty 9 Adapter Installation] - .... link:topics/saml/java/jetty-adapter/jetty9_per_war_config.adoc[Jetty 9 Per WAR Configuration] - .... link:topics/saml/java/jetty-adapter/jetty8-installation.adoc[Jetty 8 Adapter Installation] - .... link:topics/saml/java/jetty-adapter/jetty8-per_war_config.adoc[Jetty 8 Per WAR Configuration] - {% endif %} - ... link:topics/saml/java/servlet-filter-adapter.adoc[Java Servlet Filter Adapter] - ... link:topics/saml/java/idp-registration.adoc[Registering with an IDP] - ... link:topics/saml/java/logout.adoc[Logout] - ... link:topics/saml/java/assertion-api.adoc[Obtaining Assertion Attributes] - ... link:topics/saml/java/error_handling.adoc[Error Handling] - ... 
link:topics/saml/java/debugging.adoc[Troubleshooting] - {% if book.community %} - ... link:topics/saml/java/MigrationFromOlderVersions.adoc[Migration from older versions] - {% endif %} - .. link:topics/saml/mod-auth-mellon.adoc[mod_auth_mellon Apache HTTPD Module] - . link:topics/client-registration.adoc[Client Registration] \ No newline at end of file From be8a9a63d87b82ac76602fe7342e7263b1514461 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:21:43 +0200 Subject: [PATCH 28/32] Update topics/saml/java/idp-registration.adoc --- topics/saml/java/idp-registration.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/topics/saml/java/idp-registration.adoc b/topics/saml/java/idp-registration.adoc index 2d59109c9b..285971e51f 100644 --- a/topics/saml/java/idp-registration.adoc +++ b/topics/saml/java/idp-registration.adoc @@ -3,3 +3,4 @@ For each servlet based adapter, the endpoint you register for the assert consumer service url and and single logout service must be the base url of your servlet application with `/saml` appended to it i.e. `$$https://example.com/contextPath/saml$$` + From 2e607e4ffad10f32644c9ca7f21e77310c7ef0c3 Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:22:50 +0200 Subject: [PATCH 29/32] Fix mistake to SUMMARY --- SUMMARY.adoc | 143 +++++++++++++++++++++++++++------------------------ 1 file changed, 77 insertions(+), 66 deletions(-) diff --git a/SUMMARY.adoc b/SUMMARY.adoc index feb133dbf3..f5ed52c0e0 100644 --- a/SUMMARY.adoc +++ b/SUMMARY.adoc 
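Review bot: the SUMMARY.adoc hunk drops every `{% if book.community %}` / `{% endif %}` guard, so community-only entries (Tomcat, Jetty, Spring Boot, Spring Security, mod_auth_openidc, Migration from older versions) would appear in the product build, and it replaces `= {{book.title}}` with `= Summary`; neither change is covered by the subject `Update SUMMARY.adoc`. If the intent was only to add `link:README.adoc[Introduction]` and normalise the indentation, keep the guards and the title attribute (PATCH 29 reverts the whole file, which suggests this was unintended).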
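Review bot: the idp-registration.adoc hunk only adds an empty line at the end of the file, so the file now ends with a blank line rather than a bare terminating newline; if that is intended, fine, but while touching the file the duplicated `and and` in the context line `service url and and single logout service` should be reduced to a single `and`.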
@@ -1,68 +1,79 @@ -= Summary += {{book.title}} -. link:README.adoc[Introduction] -. link:topics/overview/overview.adoc[Overview] -.. link:topics/overview/what-are-client-adapters.adoc[What are Client Adapters?] -.. link:topics/overview/supported-platforms.adoc[Supported Platforms] -.. link:topics/overview/supported-protocols.adoc[Supported Protocols] -. link:topics/oidc/oidc-overview.adoc[OpenID Connect] -.. link:topics/oidc/java/java-adapters.adoc[Java Adapters] -... link:topics/oidc/java/java-adapter-config.adoc[Java Adapters Config] -... link:topics/oidc/java/jboss-adapter.adoc[JBoss EAP/Wildfly Adapter] -... link:topics/oidc/java/fuse-adapter.adoc[JBoss Fuse Adapter] -.... link:topics/oidc/java/fuse/classic-war.adoc[Classic WAR application] -.... link:topics/oidc/java/fuse/servlet-whiteboard.adoc[Servlet Deployed as OSGI Service] -.... link:topics/oidc/java/fuse/camel.adoc[Apache Camel] -.... link:topics/oidc/java/fuse/cxf-separate.adoc[Apache CXF on Separate Jetty] -.... link:topics/oidc/java/fuse/cxf-builtin.adoc[Apache CXF on default Jetty] -.... link:topics/oidc/java/fuse/fuse-admin.adoc[Fuse Admin Services] -... link:topics/oidc/java/tomcat-adapter.adoc[Tomcat 6, 7 and 8 Adapters] -... link:topics/oidc/java/jetty9-adapter.adoc[Jetty 9.x Adapters] -... link:topics/oidc/java/jetty8-adapter.adoc[Jetty 8.1.x Adapter] -... link:topics/oidc/java/spring-boot-adapter.adoc[Spring Boot Adapter] -... link:topics/oidc/java/spring-security-adapter.adoc[Spring Security Adapter] -... link:topics/oidc/java/servlet-filter-adapter.adoc[Java Servlet Filter Adapter] -... link:topics/oidc/java/jaas.adoc[JAAS plugin] -... link:topics/oidc/java/adapter-context.adoc[Security Context] -... link:topics/oidc/java/adapter_error_handling.adoc[Error Handling] -... link:topics/oidc/java/logout.adoc[Logout] -... link:topics/oidc/java/multi-tenancy.adoc[Multi Tenancy] -... link:topics/oidc/java/application-clustering.adoc[Application Clustering] -.. 
link:topics/oidc/javascript-adapter.adoc[JavaScript Adapter] -.. link:topics/oidc/oidc-generic.adoc[Other OpenID Connect libraries] -... link:topics/oidc/mod-auth-openidc.adoc[mod_auth_oidc Apache HTTPD Module] -. link:topics/saml/saml-overview.adoc[SAML] -.. link:topics/saml/java/java-adapters.adoc[Java Adapters] -... link:topics/saml/java/general-config.adoc[General Adapter Config] -.... link:topics/saml/java/general-config/sp_element.adoc[SP Element] -.... link:topics/saml/java/general-config/sp-keys.adoc[SP Keys and Key elements] -..... link:topics/saml/java/general-config/sp-keys/keystore_element.adoc[KeyStore Element] -..... link:topics/saml/java/general-config/sp-keys/key_pems.adoc[Key PEMS] -.... link:topics/saml/java/general-config/sp_principalname_mapping_element.adoc[SP PrincipalNameMapping element] -.... link:topics/saml/java/general-config/roleidentifiers_element.adoc[RoleIdentifiers element] -.... link:topics/saml/java/general-config/idp_element.adoc[IDP Element] -.... link:topics/saml/java/general-config/idp_singlesignonservice_subelement.adoc[IDP SingleSignOnService sub element] -.... link:topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc[IDP SingleLogoutService sub element] -.... link:topics/saml/java/general-config/idp_keys_subelement.adoc[IDP Keys subelement] -... link:topics/saml/java/jboss-adapter.adoc[JBoss EAP/Wildfly Adapter] -.... link:topics/saml/java/jboss-adapter/jboss_adapter_installation.adoc[Adapter Installation] -.... link:topics/saml/java/jboss-adapter/required_per_war_configuration.adoc[Per WAR Configuration] -.... link:topics/saml/java/jboss-adapter/securing_wars.adoc[Securing WARs via SAML Subsystem] -... link:topics/saml/java/tomcat-adapter.adoc[Tomcat SAML adapters] -.... link:topics/saml/java/tomcat-adapter/tomcat_adapter_installation.adoc[Adapter Installation] -.... link:topics/saml/java/tomcat-adapter/tomcat_adapter_per_war_config.adoc[Per WAR Configuration] -... 
link:topics/saml/java/jetty-adapter.adoc[Jetty SAML Adapters] -.... link:topics/saml/java/jetty-adapter/jetty9_installation.adoc[Jetty 9 Adapter Installation] -.... link:topics/saml/java/jetty-adapter/jetty9_per_war_config.adoc[Jetty 9 Per WAR Configuration] -.... link:topics/saml/java/jetty-adapter/jetty8-installation.adoc[Jetty 8 Adapter Installation] -.... link:topics/saml/java/jetty-adapter/jetty8-per_war_config.adoc[Jetty 8 Per WAR Configuration] -... link:topics/saml/java/servlet-filter-adapter.adoc[Java Servlet Filter Adapter] -... link:topics/saml/java/idp-registration.adoc[Registering with an IDP] -... link:topics/saml/java/logout.adoc[Logout] -... link:topics/saml/java/assertion-api.adoc[Obtaining Assertion Attributes] -... link:topics/saml/java/error_handling.adoc[Error Handling] -... link:topics/saml/java/debugging.adoc[Troubleshooting] -... link:topics/saml/java/MigrationFromOlderVersions.adoc[Migration from older versions] -.. link:topics/saml/mod-auth-mellon.adoc[mod_auth_mellon Apache HTTPD Module] -. link:topics/client-registration.adoc[Client Registration] + . link:topics/overview/overview.adoc[Overview] + .. link:topics/overview/what-are-client-adapters.adoc[What are Client Adapters?] + .. link:topics/overview/supported-platforms.adoc[Supported Platforms] + .. link:topics/overview/supported-protocols.adoc[Supported Protocols] + . link:topics/oidc/oidc-overview.adoc[OpenID Connect] + + .. link:topics/oidc/java/java-adapters.adoc[Java Adapters] + ... link:topics/oidc/java/java-adapter-config.adoc[Java Adapters Config] + ... link:topics/oidc/java/jboss-adapter.adoc[JBoss EAP/Wildfly Adapter] + ... link:topics/oidc/java/fuse-adapter.adoc[JBoss Fuse Adapter] + .... link:topics/oidc/java/fuse/classic-war.adoc[Classic WAR application] + .... link:topics/oidc/java/fuse/servlet-whiteboard.adoc[Servlet Deployed as OSGI Service] + .... link:topics/oidc/java/fuse/camel.adoc[Apache Camel] + .... 
link:topics/oidc/java/fuse/cxf-separate.adoc[Apache CXF on Separate Jetty] + .... link:topics/oidc/java/fuse/cxf-builtin.adoc[Apache CXF on default Jetty] + .... link:topics/oidc/java/fuse/fuse-admin.adoc[Fuse Admin Services] + {% if book.community %} + ... link:topics/oidc/java/tomcat-adapter.adoc[Tomcat 6, 7 and 8 Adapters] + ... link:topics/oidc/java/jetty9-adapter.adoc[Jetty 9.x Adapters] + ... link:topics/oidc/java/jetty8-adapter.adoc[Jetty 8.1.x Adapter] + ... link:topics/oidc/java/spring-boot-adapter.adoc[Spring Boot Adapter] + ... link:topics/oidc/java/spring-security-adapter.adoc[Spring Security Adapter] + {% endif %} + ... link:topics/oidc/java/servlet-filter-adapter.adoc[Java Servlet Filter Adapter] + ... link:topics/oidc/java/jaas.adoc[JAAS plugin] + ... link:topics/oidc/java/adapter-context.adoc[Security Context] + ... link:topics/oidc/java/adapter_error_handling.adoc[Error Handling] + ... link:topics/oidc/java/logout.adoc[Logout] + ... link:topics/oidc/java/multi-tenancy.adoc[Multi Tenancy] + ... link:topics/oidc/java/application-clustering.adoc[Application Clustering] + + .. link:topics/oidc/javascript-adapter.adoc[JavaScript Adapter] + + .. link:topics/oidc/oidc-generic.adoc[Other OpenID Connect libraries] + {% if book.community %} + ... link:topics/oidc/mod-auth-openidc.adoc[mod_auth_oidc Apache HTTPD Module] + {% endif %} + + . link:topics/saml/saml-overview.adoc[SAML] + .. link:topics/saml/java/java-adapters.adoc[Java Adapters] + ... link:topics/saml/java/general-config.adoc[General Adapter Config] + .... link:topics/saml/java/general-config/sp_element.adoc[SP Element] + .... link:topics/saml/java/general-config/sp-keys.adoc[SP Keys and Key elements] + ..... link:topics/saml/java/general-config/sp-keys/keystore_element.adoc[KeyStore Element] + ..... link:topics/saml/java/general-config/sp-keys/key_pems.adoc[Key PEMS] + .... link:topics/saml/java/general-config/sp_principalname_mapping_element.adoc[SP PrincipalNameMapping element] + .... 
link:topics/saml/java/general-config/roleidentifiers_element.adoc[RoleIdentifiers element] + .... link:topics/saml/java/general-config/idp_element.adoc[IDP Element] + .... link:topics/saml/java/general-config/idp_singlesignonservice_subelement.adoc[IDP SingleSignOnService sub element] + .... link:topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc[IDP SingleLogoutService sub element] + .... link:topics/saml/java/general-config/idp_keys_subelement.adoc[IDP Keys subelement] + ... link:topics/saml/java/jboss-adapter.adoc[JBoss EAP/Wildfly Adapter] + .... link:topics/saml/java/jboss-adapter/jboss_adapter_installation.adoc[Adapter Installation] + .... link:topics/saml/java/jboss-adapter/required_per_war_configuration.adoc[Per WAR Configuration] + .... link:topics/saml/java/jboss-adapter/securing_wars.adoc[Securing WARs via SAML Subsystem] + {% if book.community %} + ... link:topics/saml/java/tomcat-adapter.adoc[Tomcat SAML adapters] + .... link:topics/saml/java/tomcat-adapter/tomcat_adapter_installation.adoc[Adapter Installation] + .... link:topics/saml/java/tomcat-adapter/tomcat_adapter_per_war_config.adoc[Per WAR Configuration] + ... link:topics/saml/java/jetty-adapter.adoc[Jetty SAML Adapters] + .... link:topics/saml/java/jetty-adapter/jetty9_installation.adoc[Jetty 9 Adapter Installation] + .... link:topics/saml/java/jetty-adapter/jetty9_per_war_config.adoc[Jetty 9 Per WAR Configuration] + .... link:topics/saml/java/jetty-adapter/jetty8-installation.adoc[Jetty 8 Adapter Installation] + .... link:topics/saml/java/jetty-adapter/jetty8-per_war_config.adoc[Jetty 8 Per WAR Configuration] + {% endif %} + ... link:topics/saml/java/servlet-filter-adapter.adoc[Java Servlet Filter Adapter] + ... link:topics/saml/java/idp-registration.adoc[Registering with an IDP] + ... link:topics/saml/java/logout.adoc[Logout] + ... link:topics/saml/java/assertion-api.adoc[Obtaining Assertion Attributes] + ... link:topics/saml/java/error_handling.adoc[Error Handling] + ... 
link:topics/saml/java/debugging.adoc[Troubleshooting] + {% if book.community %} + ... link:topics/saml/java/MigrationFromOlderVersions.adoc[Migration from older versions] + {% endif %} + .. link:topics/saml/mod-auth-mellon.adoc[mod_auth_mellon Apache HTTPD Module] + . link:topics/client-registration.adoc[Client Registration] \ No newline at end of file From 2154f029d4d1af9a6870c699ada4072a6695521b Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:25:14 +0200 Subject: [PATCH 30/32] Update topics/oidc/javascript-adapter.adoc --- topics/oidc/javascript-adapter.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/topics/oidc/javascript-adapter.adoc b/topics/oidc/javascript-adapter.adoc index 77b60bd57a..10f6eabd41 100644 --- a/topics/oidc/javascript-adapter.adoc +++ b/topics/oidc/javascript-adapter.adoc @@ -13,7 +13,7 @@ specific as possible. To use the JavaScript adapter you must first create a client for your application in the {{book.project.name}} Administration Console. Make sure `public` is selected for `Access Type`. -You also need to configure valid redirect URIs and valid web origins. Be as specific as possible as failing to do so may results in a security vulnerability. +You also need to configure valid redirect URIs and valid web origins. Be as specific as possible as failing to do so may result in a security vulnerability. Once the client is created click on the `Installation` tab select `Keycloak OIDC JSON` for `Format Option` then click on `Download`. The downloaded `keycloak.json` file should be hosted on your web server at the same location as your HTML pages. From 80dbee6111d384b0f86bdbb682474edfdeb0818a Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:26:49 +0200 Subject: [PATCH 31/32] Update topics/oidc/javascript-adapter.adoc --- topics/oidc/javascript-adapter.adoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
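Review bot: this hunk restores SUMMARY.adoc byte-for-byte, including the missing trailing newline (`\ No newline at end of file`), the space-indented list markers and the blank lines between items; it would be cleaner to revert only the removed guards and the `= {{book.title}}` heading from PATCH 27 and keep the normalised indentation and a terminating newline, and the commit message should name what the mistake was rather than `Fix mistake to SUMMARY`.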
diff --git a/topics/oidc/javascript-adapter.adoc b/topics/oidc/javascript-adapter.adoc index 10f6eabd41..8e7bd0dd5e 100644 --- a/topics/oidc/javascript-adapter.adoc +++ b/topics/oidc/javascript-adapter.adoc @@ -122,7 +122,8 @@ your application. ==== Implicit and Hybrid Flow By default, the JavaScript adapter uses the http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[Authorization Code] flow. -With this flow the {{book.project.name}} server returns a authorization code, not a authentication token, to the application. The JavaScript adapter exchanges + +With this flow the {{book.project.name}} server returns an authorization code, not an authentication token, to the application. The JavaScript adapter exchanges the `code` for an access token and a refresh token after the browser is redirected back to the application. {{book.project.name}} also supports the http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth[Implicit] flow where an access token From e095fdb528a22a9b9506d9db880af8348aa8596a Mon Sep 17 00:00:00 2001 From: Stian Thorgersen Date: Fri, 10 Jun 2016 13:29:37 +0200 Subject: [PATCH 32/32] Update topics/oidc/javascript-adapter.adoc --- topics/oidc/javascript-adapter.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/topics/oidc/javascript-adapter.adoc b/topics/oidc/javascript-adapter.adoc index 8e7bd0dd5e..029a510afe 100644 --- a/topics/oidc/javascript-adapter.adoc +++ b/topics/oidc/javascript-adapter.adoc @@ -44,7 +44,7 @@ If the `keycloak.json` file is in a different location you can specify it: var keycloak = Keycloak('http://localhost:8080/myapp/keycloak.json')); ---- -You can also skip the file altogether and manually configure the adapter: +Alternatively, you can pass in a JavaScript object with the required configuration instead: [source,javascript] ----
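Review bot: the PATCH 31 hunk inserts an empty line between `By default, the JavaScript adapter uses the ... Authorization Code flow.` and `With this flow the {{book.project.name}} server returns ...`, which splits one paragraph into two in the rendered output; drop the added empty line unless a paragraph break is intended. The `a authorization code` to `an authorization code` fix is correct.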
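Review bot: in the PATCH 32 hunk, `Alternatively, you can pass in a JavaScript object with the required configuration instead:` says the same thing twice (`Alternatively` and `instead`); drop `instead`. The unchanged context line `var keycloak = Keycloak('http://localhost:8080/myapp/keycloak.json'));` also has an unbalanced closing parenthesis and should be `var keycloak = Keycloak('http://localhost:8080/myapp/keycloak.json');`.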