KEYCLOAK-831 Modification to documentation for SAML artifact-binding
parent 1d4d351611
commit 79ec3f37a5
4 changed files with 41 additions and 13 deletions
@ -13,6 +13,9 @@ include::topics/templates/document-attributes-community.adoc[]
:release_header_latest_link: {releasenotes_link_latest}
include::topics/templates/release-header.adoc[]

== {project_name_full} 13.0.0
include::topics/13_0_0.adoc[leveloffset=2]

== {project_name_full} 12.0.0
include::topics/12_0_0.adoc[leveloffset=2]

@ -11,3 +11,12 @@ especially with larger number of clients, because it is no longer necessary to g

Support for OAuth 2.0 Device Authorization Grant is now available. Thanks to https://github.com/wadahiro[Hiroyuki Wada], https://github.com/splatch[Łukasz Dywicki]
and https://github.com/Michito-Okai[Michito Okai].

== SAML Artifact binding in server to client communication

Keycloak now supports communication with clients using SAML _Artifact_ binding. A new `Force Artifact Binding` option
was introduced in the client configuration, that forces communication with the client using artifact messages. For more
details proceed to link:{adminguide_link_latest}#_client_saml_configuration[{adminguide_name}]. Please note, that with
this version, Keycloak SAML client adapter does NOT support _Artifact_ binding.

Thanks to https://github.com/AlistairDoswald[AlistairDoswald] and https://github.com/harture[harture].
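Review bot: the new release note hardcodes "Keycloak" twice ("Keycloak now supports", "Keycloak SAML client adapter") where the rest of the documentation uses the `{project_name}` attribute; switch to the attribute so product builds render the right name. Two grammar nits in the same paragraph: "Please note, that with this version" should read "Please note that with this version", and "option was introduced in the client configuration, that forces" should drop the comma or read "which forces". The adapter caveat deserves to stay prominent: an application that relies on the SAML client adapter must keep `Force Artifact Binding` off, since with it on the application receives artifacts for a binding the adapter does not support.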
@ -1,4 +1,4 @@

[[_client_saml_configuration]]
=== SAML Clients

{project_name} supports <<_saml,SAML 2.0>> for registered applications.
@ -54,6 +54,11 @@ Include AuthnStatement::
This is enabled by default, which means that `AuthStatement` element will be included in login responses. Note that setting this to off
would prevent the client from determining the maximum session length which could result into never expiring client session.

Force Artifact Binding::
When turned on, this will force {project_name} to send artifact messages instead of SAML messages via _POST_ and _Redirect_,
even when the client has not asked for the binding during login. This must be set if _Artifact_ binding is to be used with
Idp-initiated login. To use artifact messages also during logout, it is necessary to also configure `Logout Service Redirect Binding URL`.

Sign Documents::
When turned on, {project_name} will sign the document using the realm's private key.
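Review bot: the last sentence of `Force Artifact Binding` names the wrong property. It tells the reader to configure `Logout Service Redirect Binding URL` for artifact logout, but the URL section added in this same commit introduces `Logout Service Artifact Binding URL` and states that "_Artifact_ binding is not used for logout unless this property is set"; the reference here should be `Logout Service Artifact Binding URL`, otherwise readers will set the redirect URL and wonder why logout still goes over Redirect. Minor: "Idp-initiated" should be "IdP-initiated", and "SAML messages via _POST_ and _Redirect_" would be clearer as "SAML messages sent via the _POST_ or _Redirect_ bindings".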
@ -89,7 +94,7 @@ Canonicalization Method::

Encrypt Assertions::
Encrypt assertions in SAML documents with the realm's private key.
The AES algorithm is used with a key size of 128 bits.
The AES algorithm is used with a key size of 128 bits.

Client Signature Required::
Expect that documents coming from a client are signed.
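Review bot: the old and new versions of "The AES algorithm is used with a key size of 128 bits." are identical in this view, so the change is presumably whitespace only; if a wording change was intended it did not land. While this paragraph is being touched, the context line "Encrypt assertions in SAML documents with the realm's private key" is technically inaccurate: XML encryption of an assertion uses the recipient's public key, and the realm's private key is what signs documents. Suggest "Encrypt assertions in SAML documents for the client's encryption key" or similar.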
@ -105,12 +110,12 @@ Front Channel Logout::
If this switch is false, then {project_name} will invoke a background SAML request to logout the application.

Force Name ID Format::
If the request has a name ID policy, ignore it and used the value configured in the admin console under Name ID Format
If the request has a name ID policy, ignore it and used the value configured in the admin console under Name ID Format

Name ID Format::
Name ID Format for the subject.
If no name ID policy is specified in the request or if the Force Name ID Format attribute is true, this value is used.
Properties used for each of the respective formats are defined below.
Properties used for each of the respective formats are defined below.

Root URL::
If {project_name} uses any configured relative URLs, this value is prepended to them.
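Review bot: the `Force Name ID Format` description is modified here, yet the typo survives in both the old and the new version: "ignore it and used the value configured" should be "ignore it and use the value configured"; since the line is already being touched, fix it in this commit. The two copies of "Properties used for each of the respective formats are defined below." also read the same, so that change appears to be whitespace only.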
@ -127,18 +132,25 @@ Base URL::
Master SAML Processing URL::
This URL will be used for all SAML requests and the response will be directed to the SP.
It will be used as the Assertion Consumer Service URL and the Single Logout Service URL.
If a login request contains the Assertion Consumer Service URL, that will take precedence, but this URL must be validated by a registered Valid Redirect URI pattern
If a login request contains the Assertion Consumer Service URL, that will take precedence, but this URL must be validated by a registered Valid Redirect URI pattern

Assertion Consumer Service POST Binding URL::
POST Binding URL for the Assertion Consumer Service.
POST Binding URL for the Assertion Consumer Service.

Assertion Consumer Service Redirect Binding URL::
Redirect Binding URL for the Assertion Consumer Service.
Redirect Binding URL for the Assertion Consumer Service.

Logout Service POST Binding URL::
POST Binding URL for the Logout Service.
POST Binding URL for the Logout Service.

Logout Service Redirect Binding URL::
Redirect Binding URL for the Logout Service.
Redirect Binding URL for the Logout Service.

Logout Service Artifact Binding URL::
_Artifact_ Binding URL for the Logout Service. When set together with the `Force Artifact Binding` option, _Artifact_ binding is forced for both login and logout flows. _Artifact_ binding is not used for logout unless this property is set.

Artifact Binding URL::
URL to send the HTTP artifact messages to.

Artifact Resolution Service::
URL of the client SOAP endpoint where to send the `ArtifactResolve` messages to.
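Review bot: the `Artifact Resolution Service` description reads awkwardly ("URL of the client SOAP endpoint where to send the `ArtifactResolve` messages to"); suggest "URL of the client's SOAP endpoint to which {project_name} sends `ArtifactResolve` messages." `Artifact Binding URL` ("URL to send the HTTP artifact messages to") should say what arrives there: it is the client endpoint that receives the artifact via Redirect or POST, which the client then resolves over SOAP. The `Logout Service Artifact Binding URL` text is the authoritative statement that artifact logout requires this property, so the `Force Artifact Binding` description earlier in the file should point here rather than to `Logout Service Redirect Binding URL`. The five pre-existing URL descriptions shown twice (Master SAML Processing URL through Logout Service Redirect Binding URL) are identical in both versions, so those changes look like whitespace only.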
@ -61,6 +61,14 @@ is always better than in the more limited URL.
ECP stands for "Enhanced Client or Proxy", a SAML v.2.0 profile which allows for the exchange of SAML attributes outside the context of a web browser.
This is used most often for REST or SOAP-based clients.

===== Artifact Binding

The SAML _Artifact_ binding works alongside the standard _Redirect_ or _POST_ bindings. The purpose of this binding is
to prevent SAML messages from passing by the browser. When a SAML message would be sent to the application or the {project_name}, it is instead saved and in its place a Redirect or a POST is sent containing an unique identifier (this is the artifact).
The contacted party uses SOAP to send a message containing the artifact directly to the originator, which in turn replies via SOAP with the saved SAML message.

This binding can have some security benefits, for example when the user is not trusted with the contents of a SAML assertion. Instead, they are exchanged between the application and {project_name} via SOAP.

==== {project_name} Server SAML URI Endpoints

{project_name} really only has one endpoint for all SAML requests.
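Review bot: wording fixes in the new `Artifact Binding` section: "passing by the browser" should be "passing through the browser", "sent to the application or the {project_name}" should drop the "the" before the attribute, and "an unique identifier" should be "a unique identifier". The security paragraph should also say what the benefit depends on: because the artifact is only a reference, the real assertion now travels over the SOAP back channel between the application and {project_name}, so that channel has to be protected (TLS to the client's Artifact Resolution Service and signature checks on the exchanged messages, as the `Sign Documents` and `Client Signature Required` options provide) for the benefit to hold; as written, the paragraph implies it is automatic.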
@ -68,7 +76,3 @@ This is used most often for REST or SOAP-based clients.
`http(s)://authserver.host/auth/realms/{realm-name}/protocol/saml`

All bindings use this endpoint.