libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

Merge pull request #12 from ssilvert/master

Browse source 
Minor changes from beginning through Chapter 7, Authentication
This commit is contained in:
Bill Burke 2016-06-02 16:07:37 -04:00
commit 79fe2a0ed1
16 changed files with 66 additions and 66 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
topics/authentication.adoc
View file

@ -1,7 +1,7 @@
== Authentication
There's a few features you should be aware of when configuring authentication for your realm. Many organizations
have strict password an OTP policies that you can enforce via settings in the Admin Console. You may or may not
There are a few features you should be aware of when configuring authentication for your realm. Many organizations
have strict password and OTP policies that you can enforce via settings in the Admin Console. You may or may not
want to require different credential types for authentication. You may want to give users the option to login via
Kerberos or disable or enable various built in credential types. This chapter covers all of these topics.

8
topics/authentication/flows.adoc
View file

@ -6,9 +6,9 @@ An _authentication flow_ is a container for all authentications, screens, and ac
{{book.project.name}} work flows.
If you go to the admin console `Authentication` left menu item and go to the `Flows` tab, you can view all the defined flows
in the system and what actions and checks each flow requires. This section does a walk through of the browser login flow. In the
left drop down list selected `browser` to come to the screen shown below:
left drop down list select `browser` to come to the screen shown below:
.browser flow
.Browser Flow
image:../../{{book.images}}/browser-flow.png[]
If you hover over the tooltip (the tiny question mark) to the right of the flow selection list, this will describe what the
@ -38,10 +38,10 @@ This is better described in an example. Let's walk through the `browser` authen
Since the cookie provider returned success and each execution at this level of the flow is _alternative_, no other execution is executed and this results in a successful login.
. Next the flow looks at the Kerberos execution. This authenticator is disabled by default and will be skipped.
. The next execution is a subflow called Forms. Since this subflow is marked as _alternative_ it will not be executed if the `Cookie` authentication type passed.
This subflow contains additional authentication type that need to be executed.
This subflow contains additional authentication type that needs to be executed.
The executions for this subflow are loaded and the same processing logic occurs
. The first execution in the Forms subflow is the Username Password Form. This authentication type renders the username and password page.
it is marked as _required_ so the use must enter in a valid username and password.
It is marked as _required_ so the user must enter in a valid username and password.
. The next execution is the OTP Form.
This is marked as _optional_. If the user has OTP set up, then this authentication type must run and be successful. If the user doesn't
have OTP set up, this authentication type is ignored.

36
topics/authentication/kerberos.adoc
View file

@ -43,14 +43,14 @@ At least you will need to:
For example if your {{book.project.name}} server will be running on `www.mydomain.org` you may need to add principal `HTTP/www.mydomain.org@MYDOMAIN.ORG`
assuming that MYDOMAIN.ORG will be your Kerberos realm.
+
For example on MIT Kerberos you can run "kadmin" session.
If you are on same machine where is MIT Kerberos, you can simply use command:
For example on MIT Kerberos you can run a "kadmin" session.
If you are on the same machine where is MIT Kerberos, you can simply use the command:
[source]
----
sudo kadmin.local
----
Then add HTTP principal and export his key to keytab file with the commands like:
Then add HTTP principal and export his key to a keytab file with the commands like:
[source]
----
@ -59,14 +59,14 @@ addprinc -randkey HTTP/www.mydomain.org@MYDOMAIN.ORG
ktadd -k /tmp/http.keytab HTTP/www.mydomain.org@MYDOMAIN.ORG
----
Keytab file `/tmp/http.keytab` will need to be accessible on the host where {{book.project.name}} server will be running.
The Keytab file `/tmp/http.keytab` will need to be accessible on the host where {{book.project.name}} server will be running.
==== Setup and configuration of {{book.project.name}} server
You need to install a kerberos client on your machine. This is also platform dependent.
If you are on Fedora, Ubuntu or RHEL, you can install the package `freeipa-client`, which contains a Kerberos client and bunch of other utilities.
Configure kerberos client (on linux it's in file `/etc/krb5.conf` ). You need to put your Kerberos realm and at least configure the HTTP domains your server will be running on.
For the example realm MYDOMAIN.ORG you may configure `domain_realm` section like this:
If you are on Fedora, Ubuntu or RHEL, you can install the package `freeipa-client`, which contains a Kerberos client and several other utilities.
Configure the kerberos client (on linux it's in file `/etc/krb5.conf` ). You need to put your Kerberos realm and at least configure the HTTP domains your server will be running on.
For the example realm MYDOMAIN.ORG you may configure the `domain_realm` section like this:
[source]
----
@ -77,15 +77,15 @@ For the example realm MYDOMAIN.ORG you may configure `domain_realm` section like
Next you need to export the keytab file with the HTTP principal and make sure the file is accessible to the process under which {{book.project.name}} server is running.
For production, it's ideal if it's readable just by this process and not by someone else.
For MIT Kerberos example above, we already exported keytab to `/tmp/http.keytab` . If your KDC and {{book.project.name}} are running on same host,
For the MIT Kerberos example above, we already exported keytab to `/tmp/http.keytab` . If your KDC and {{book.project.name}} are running on same host,
you have that file already available.
===== Enable SPNEGO Processing
{{book.project.name}} does not have SPNEGO protocol support turned on by default. So, you have to go to the <<fake/../../authentication/flows.adoc#_authentication-flows, browser flow>>
{{book.project.name}} does not have the SPNEGO protocol support turned on by default. So, you have to go to the <<fake/../../authentication/flows.adoc#_authentication-flows, browser flow>>
and enable `Kerberos`.
.browser flow
.Browser Flow
image:../../{{book.images}}/browser-flow.png[]
Switch the `Kerberos` requirement from _disabled_ to either _alternative_ or _required_. _Alternative_ basically means that Kerberos is optional. If
@ -112,17 +112,17 @@ left menu item and select `Kerberos` from the right `Add provider` select box.
.Kerberos User Storage Provider
image:../../{{book.images}}/kerberos-provider.png[]
This provider simply parses the Kerberos ticket for principal information and does a small import into the local {{book.project.name}} database.
User profile information like first name, last name, and email are not provisioned. Just simple user principal information.
This provider parses the Kerberos ticket for simple principal information and does a small import into the local {{book.project.name}} database.
User profile information like first name, last name, and email are not provisioned.
==== Setup and configuration of client machines
Clients need to install kerberos client and setup krb5.conf as described above.
Additionally they need to enable SPNEGO login support in their browser.
See link:http://www.microhowto.info/howto/configure_firefox_to_authenticate_using_spnego_and_kerberos.html[configuring Firefox for Kerberos] if you are using that browser.
URI `.mydomain.org` must be allowed in `network.negotiate-auth.trusted-uris` config option.
URI `.mydomain.org` must be allowed in the `network.negotiate-auth.trusted-uris` config option.
In windows domain, clients usually don't need to configure anything special as IE is already able to participate in SPNEGO authentication for the windows domain.
In a Windows domain, clients usually don't need to configure anything special as IE is already able to participate in SPNEGO authentication for the Windows domain.
{% if book.community %}
==== Example setups
@ -138,12 +138,12 @@ See details https://github.com/mposolda/keycloak-freeipa-docker/blob/master/READ
===== ApacheDS testing Kerberos server
For quick testing and unit tests, we use very simple http://directory.apache.org/apacheds/[ApacheDS] Kerberos server.
You need to build {{book.project.name}} from sources and then run Kerberos server with maven-exec-plugin from our testsuite.
For quick testing and unit tests, we use a very simple http://directory.apache.org/apacheds/[ApacheDS] Kerberos server.
You need to build {{book.project.name}} from sources and then run the Kerberos server with maven-exec-plugin from our testsuite.
See details https://github.com/keycloak/keycloak/blob/master/misc/Testsuite.md#kerberos-server[here] .
{% endif %}
==== Credential delegation
==== Credential Delegation
Kerberos 5 supports the concept of credential delegation. In this scenario, your applications may want access to the Kerberos ticket so that
they can re-use it to interact with other services secured by Kerberos. Since the SPNEGO protocol is processed in the {{book.project.name}} server,
@ -158,7 +158,7 @@ We have an example, that shows this in detail.
It's in `examples/kerberos` in the {{book.project.name}} example distribution or demo distribution download.
You can also check the example sources directly https://github.com/keycloak/keycloak/blob/master/examples/kerberos[here] .
Once you deserialize the credential from the access token to the GSSCredential object, then GSSContext will need to be created with this credential
Once you deserialize the credential from the access token to the GSSCredential object, the GSSContext will need to be created with this credential
passed to the method `GSSManager.createContext` for example like this:
[source]

12
topics/authentication/otp-policies.adoc
View file

@ -2,7 +2,7 @@
=== OTP Policies
{{book.project.name}} has a number of policies you can set up for your FreeOTP or Google Authenticator One-Time Password
generator. Click on the `Authentication` left menu item and got to the `OTP Policy` tab.
generator. Click on the `Authentication` left menu item and go to the `OTP Policy` tab.
.OTP Policy
image:../../{{book.images}}/otp-policy.png[]
@ -13,15 +13,15 @@ generated from information configured on the `OTP Policy` tab.
==== TOTP vs. HOTP
There are two different algorithms to choose from for your OTP generators. Time Based (TOTP) and Counter Based (HOTP) based.
For TOTP, your token generator will hash the current time and a share secret. The server validates the OTP by comparing
There are two different algorithms to choose from for your OTP generators. Time Based (TOTP) and Counter Based (HOTP).
For TOTP, your token generator will hash the current time and a shared secret. The server validates the OTP by comparing
the all hashes within a certain window of time to the submitted value. So, TOTPs are valid only for a short window of time (usually 30 seconds).
For HOTP a shared counter is used instead of the current time. The server increments the counter each successful OTP login. So, valid OTPs only
For HOTP a shared counter is used instead of the current time. The server increments the counter with each successful OTP login. So, valid OTPs only
change after a successful login.
TOTP is considered a little more secure because the matchable OTP is only valid for a short window of time while the OTP for HOTP can
be valid for an indeterminate amount of time. HOTP is much more user friendly as the user won't have to hurry to enter in their
OTP before the time interval is up. With the way {{book.project.name}} has implement TOTP this distinction becomes a little more
OTP before the time interval is up. With the way {{book.project.name}} has implemented TOTP this distinction becomes a little more
blurry. HOTP requires a database update every time the server wants to increment the counter. This can be a performance drain
on the authentication server when there is heavy load. So, to provide a more efficient alternative, TOTP does not remember passwords
used. This bypasses the need to do any DB updates, but the downside is that TOTPs can be re-used in the valid time interval. For future
@ -50,7 +50,7 @@ Number of Digits::
Look Ahead Window::
How many counters ahead should the server try and match the hash? The default value is 1. This exists to cover the case
where the user's counter gets ahead of the server's. This can often happen as users often increment the counter
manually too many times by accident. This value really should be increased to like a value of 10 or so.
manually too many times by accident. This value really should be increased to a value of 10 or so.
Initial Counter::
What is the value of the initial counter?

2
topics/login-settings.adoc
View file

@ -1,4 +1,4 @@
== Login Page Settings
There are a bunch of nice built in login page features you can enable if you need the functionality.
There are several nice built in login page features you can enable if you need the functionality.

2
topics/login-settings/forgot-password.adoc
View file

@ -18,7 +18,7 @@ to a page where they can enter in their username or email and receive an email w
.Forgot Password Page
image:../../{{book.images}}/forgot-password-page.png[]
The text sent in the email is completely configurable you just need to extend or edit the theme associated with it.
The text sent in the email is completely configurable. You just need to extend or edit the theme associated with it.
See the link:{{book.developerguide.link}}[{{book.developerguide.name}}] for more information.
When the user clicks on the email link, they will be asked to update their password, and, if they have an OTP generator

22
topics/overview/concepts.adoc
View file

@ -6,12 +6,12 @@ and REST services.
users::
Users are entities that are able to log into your system. They can have attributes associated with themselves like email,
username, address, phone number, and birth day. They can be assign group membership and have specific roles assigned to them.
username, address, phone number, and birth day. They can be assigned group membership and have specific roles assigned to them.
authentication::
The process of identifying and validating a user.
authorization::
The process of granting access to a user.
credentials:
credentials::
Credentials are pieces of data that {{book.project.name}} uses to verify the identity of a user. Some examples are passwords,
one-time-passwords, digital certificates, or even fingerprints.
roles::
@ -24,7 +24,7 @@ user role mapping::
various resources they manage
composite roles::
A composite role is a role that can be associated with other roles. For example a `superuser` composite role could be associated with the
`sales-admin` and 'order-entry-admin` roles. If a user is mapped to the `superuser` role they also inherit the `sales-admin` and `order-entry-admin` roles.
`sales-admin` and `order-entry-admin` roles. If a user is mapped to the `superuser` role they also inherit the `sales-admin` and `order-entry-admin` roles.
groups::
Groups manage groups of users. Attributes can be defined for a group. You can map roles to a group as well. Users that become members of a group
inherit the attributes and role mappings that group defines.
@ -36,14 +36,14 @@ clients::
want to use {{book.project.name}} to secure themselves and provide a single sign-on solution. Clients can also be entities that just want to request
identity information or an access token so that they can securely invoke other services on the network that are secured by {{book.project.name}}
client adapters::
Client adapters are plugins that you have to install into your application environment to be able to communicate and be secured by {{book.project.name}}. {{book.project.name}}
has a number of ones for different platforms that you can download. There's also third-party ones you can get for environments that we don't cover.
Client adapters are plugins that you install into your application environment to be able to communicate and be secured by {{book.project.name}}. {{book.project.name}}
has a number of adapters for different platforms that you can download. There are also third-party adapters you can get for environments that we don't cover.
consent::
Consent is when you as an admin want a user to give permission to a client before that client can participate in the authentication process.
After a user provides their credentials, {{book.project.name}} will pop up a screen identifying the client requesting a login and what identity
informationis requesting of the user. User can decide whether or not to grant the request.
information is requested of the user. User can decide whether or not to grant the request.
client templates::
When a client is registered you need to enter in a bunch of configuration information about that client. It is often useful to store a template
When a client is registered you need to enter configuration information about that client. It is often useful to store a template
of this to make create new clients easier. {{book.project.name}} provides the concept of a client template for this.
client role::
Clients can define roles that are specific to them. This is basically a role namespace dedicated to the client.
@ -56,7 +56,7 @@ assertion::
Information about a user. This usually pertains to an XML blob that is included in a SAML authentication response that
provided identity metadata about an authenticated user.
service account::
Each client has a built in service account which allows them to obtain an access token.
Each client has a built in service account which allows it to obtain an access token.
direct grant::
A way for a client to obtain an access token on behalf of a user via a REST invocation.
protocol mappers::
@ -72,18 +72,18 @@ identity provider::
An identity provider (IDP) is a service that can authenticate a user. {{book.project.name}} is an IDP.
identity provider federation::
{{book.project.name}} can be configured to delegate authentication to one or more IDPs. Social login via
Facebook or Google+ is an example of identity provider federation. You can also hook {{boook.project.name}} to delegate
Facebook or Google+ is an example of identity provider federation. You can also hook {{book.project.name}} to delegate
authentication to any other Open ID Connect or SAML 2.0 IDP.
identity provider mappers::
When doing IDP federation you can map incoming tokens and assertions to user and session attributes. This helps you propagate identity information from the external IDP
to your client requesting authentication.
required actions::
Required actions are actions a user must before immediately after they log in. A user will not be able to complete the authentication process until these actions
Required actions are actions a user must perform during the authentication process. A user will not be able to complete the authentication process until these actions
are complete. For example, an admin may schedule users to reset their passwords every month. An `update password` required action would be set for all these
users.
authentication flows::
Authentication flows are work flows a user must perform when interacting with certain aspects of the system. A login flow can define
what credential types are required. A registration flow defines what profile information a user must enter and whether something like Recaptcha
what credential types are required. A registration flow defines what profile information a user must enter and whether something like reCAPTCHA
must be used to filter out bots. Credential reset flow defines what actions a user must do before they can reset their password.
events::
Events are audit streams that admins can view and hook into.

2
topics/realms/create.adoc
View file

@ -11,7 +11,7 @@ this to add a realm.
image:../../{{book.images}}/add-realm-menu.png[]
This menu option will bring you to the `Add Realm` page. Specify the realm name you want to define and click the `Create` button.
Alternatively you and import a JSON document that defines your new realm. We'll go over this in more detail in the
Alternatively you can import a JSON document that defines your new realm. We'll go over this in more detail in the
<<fake/../../export-import.adoc#_export_import, Export and Import>> chapter.
.Create Realm

2
topics/realms/email.adoc
View file

@ -8,7 +8,7 @@ To enable {{book.project.name}} to send emails you need to provide {{book.projec
This is configured per realm. Go to the `Realm Settings` left menu
item and click the `Email` tab.
.Themes Tab
.Email Tab
image:../../{{book.images}}/email-tab.png[]
As emails are used for recovering usernames and passwords it's recommended to use SSL or TLS, especially if the SMTP server is on an external network.

4
topics/realms/keys.adoc
View file

@ -2,10 +2,10 @@
=== Realm Key Pairs
The authentication protocols that are used by {{book.project.name}} require cryptographic signatures and sometimes even
encryption. {{book.project.name}} uses a asymmetric key pair, a private and public key to accomplish this. When a realm
encryption. {{book.project.name}} uses an asymmetric key pair, a private and public key to accomplish this. When a realm
is created a key pair is automatically generated. It is recommended that you cycle this key pair occasionally. How often
you do this is dependent on your organizational needs and security requirements as you have to make sure every application
that needs the public or certificate of your realm get this updated. This can be a lot of work!
that needs the public key or certificate of your realm gets this updated. This can be a lot of work!
To cycle a key pair click on the `Realm Settings` left menu item, go to the `Keys` tab, and push the `Generate new keys` button.

2
topics/realms/themes.adoc
View file

@ -25,7 +25,7 @@ The link:{{book.developerguide.link}}[{{book.developerguide.name}}] goes into ho
==== Internationalization
Every UI screen is internationalized in {{book.project.name}}. The default language is english, but if you turn on the
Every UI screen is internationalized in {{book.project.name}}. The default language is English, but if you turn on the
`Internationalization` switch on the `Theme` tab you can choose which locales you want to support and what the default locale
will be. The next time a user logs in, they will be able to choose a language on the login page to use for the login screens,
User Account Management UI, and Admin Console. The link:{{book.developerguide.link}}[{{book.developerguide.name}}] explains

2
topics/users/attributes.adoc
View file

@ -2,7 +2,7 @@
=== User Attributes
Beyond basic user metadata like name and email, you can store arbitrary user attributes. Choose a user to manage
then click on their `Attributes` tab.
then click on the `Attributes` tab.
.Users
image:../../{{book.images}}/user-attributes.png[]

4
topics/users/impersonation.adoc
View file

@ -3,7 +3,7 @@
It is often useful for an admin to impersonate a user. For example, a user may be experiencing a bug in one of your applications and
an admin may want to impersonate the user to see if they can duplicate the problem. Admins with the appropriate permission
can impersonate a user. There is two locations an admin can initiate impersonation. The first is on the `Users` list tab.
can impersonate a user. There are two locations an admin can initiate impersonation. The first is on the `Users` list tab.
.Users
image:../../{{book.images}}/user-search.png[]
@ -20,7 +20,7 @@ Near the bottom of the page you can see the `Impersonate` button. Click that to
When impersonating, if the admin and the user are in the same realm, then the admin will be logged out and automatically logged
in as the user being impersonated. If the admin and user are not in the same realm, the admin will remain logged in, but additionally
be logged in as the user in that user's realm. In both cases, the browser will be redirected to the impersonated user's User Accoutn Management
be logged in as the user in that user's realm. In both cases, the browser will be redirected to the impersonated user's User Account Management
page.
Any user with the realm's `impersonation` role can impersonate a user. Please see the <<fake/../../admin-console-permissions.adoc#_admin_permissions,Admin Console Access Control>> chapter

26
topics/users/recaptcha.adoc
View file

@ -1,37 +1,37 @@
[[_recaptcha]]
==== Recaptcha Support
==== reCAPTCHA Support
To safeguard registration against bots, {{book.project.name}} has integration with Google Recaptcha.
To safeguard registration against bots, {{book.project.name}} has integration with Google reCAPTCHA.
To enable this you need to first go to link:https://developers.google.com/recaptcha/[Google Recaptcha Website]
and create an API key so that you can get your recaptcha site key and secret.
and create an API key so that you can get your reCAPTCHA site key and secret.
(FYI, localhost works by default so you don't have to specify a domain).
Next, there's a few steps you need to perform in the {{book.project.name}} Admin Console.
Click the `Authentication` left menu itme and go to the `Flows` tab. Select the `Registration` flow from the drop down
Next, there are a few steps you need to perform in the {{book.project.name}} Admin Console.
Click the `Authentication` left menu item and go to the `Flows` tab. Select the `Registration` flow from the drop down
list on this page.
.Registration Flow
image:../../{{book.images}}/registration-flow.png[]
Set the 'Recaptcha' requirement to `Required` by clicking the appropriate radio button. This will enable
Recaptcha on the screen. Next, you have to enter in the Recaptcha site key and secret that you generated at the Google Recaptcha Website.
Click on the 'Configure' button that is to the right of the Recaptcha flow entry and enter in the Recaptcha site key and secret on this config page.
Set the 'reCAPTCHA' requirement to `Required` by clicking the appropriate radio button. This will enable
reCAPTCHA on the screen. Next, you have to enter in the reCAPTCHA site key and secret that you generated at the Google reCAPTCHA Website.
Click on the 'Configure' button that is to the right of the reCAPTCHA flow entry and enter in the reCAPTCHA site key and secret on this config page.
.Recaptcha Config Page
image:../../{{book.images}}/recaptcha-config.png[]
The final step you have to do is to change some default HTTP response headers that {{book.project.name}} sets. {{book.project.name}}
will prevent website from including any login page within an iframe. This is to prevent clickjacking attacks. You need to
will prevent a website from including any login page within an iframe. This is to prevent clickjacking attacks. You need to
authorize Google to use the registration page within an iframe. Go to
the `Realm Settings` left menu item and then go to the `Security Defenses` tab. Y
ou'll need to add `https://www.google.com` to the values of both the `X-Frame-Options` and `Content-Security-Policy` headers.
the `Realm Settings` left menu item and then go to the `Security Defenses` tab. You will need to add `https://www.google.com` to the
values of both the `X-Frame-Options` and `Content-Security-Policy` headers.
.Authorizing Iframes
image:../../{{book.images}}/security-headers.png[]
Once you do this, Recaptcha should show up on your registration page. You may want to edit _register.ftl_ in your login
theme to muck around with the placement and styling of the recaptcha button. See the link:{{book.developerguide.link}}[{{book.developerguide.name}}]
Once you do this, reCAPTCHA should show up on your registration page. You may want to edit _register.ftl_ in your login
theme to muck around with the placement and styling of the reCAPTCHA button. See the link:{{book.developerguide.link}}[{{book.developerguide.name}}]
for more information on extending and creating themes.

2
topics/users/required-actions.adoc
View file

@ -33,7 +33,7 @@ the default required actions go to the `Authentication` left menu item and click
.Default Required Actions
image:../../{{book.images}}/default-required-actions.png[]
Simple click the checkbox in the `Default Action` column of the required actions that you want to be executed when a brand new user logs in.
Simply click the checkbox in the `Default Action` column of the required actions that you want to be executed when a brand new user logs in.
==== Terms and Conditions

2
topics/users/viewing.adoc
View file

@ -1,7 +1,7 @@
=== Searching For Users
If you need to manage a specific user, click on `Users` in the left menu bar. T
If you need to manage a specific user, click on `Users` in the left menu bar.
.Users
image:../../{{book.images}}/users.png[]