libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

Move saml documentation to guides

Browse source 
Closes #31330

Signed-off-by: rmartinc <rmartinc@redhat.com>
This commit is contained in:
rmartinc 2024-07-22 10:16:24 +02:00 committed by Marek Posolda
parent aab7a912c4
commit ccab30d5f2
44 changed files with 260 additions and 183 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
docs/documentation/release_notes/topics/11_0_0.adoc
View file

@ -26,7 +26,7 @@ please take a look at link:{upgradingguide_link_latest}[{upgradingguide_name}].
The `SameSite` value `None` for `JSESSIONID` cookie is necessary for correct behavior of the {project_name} SAML adapter. The `SameSite` value `None` for `JSESSIONID` cookie is necessary for correct behavior of the {project_name} SAML adapter.
Usage of a different value is causing resetting of the container's session with each request to {project_name}, when Usage of a different value is causing resetting of the container's session with each request to {project_name}, when
the SAML POST binging is used. Refer to the following steps for the SAML POST binging is used. Refer to the following steps for
link:{adapterguide_link}#_saml-jboss-adapter-samesite-setting[Wildfly] to keep the correct behavior. Notice, that this link:https://www.keycloak.org/guides#securing-apps[Keycloak SAML Galleon feature pack for WildFly and EAP] guide to keep the correct behavior. Notice, that this
workaround should be working also with the previous versions of the adapter. workaround should be working also with the previous versions of the adapter.
== Other improvements == Other improvements
@ -36,4 +36,4 @@ workaround should be working also with the previous versions of the adapter.
* Czech translation. Thanks to https://github.com/jakubknejzlik[Jakub Knejzlík] * Czech translation. Thanks to https://github.com/jakubknejzlik[Jakub Knejzlík]
* Possibility to fetch additional fields from the Facebook identity provider. Thanks to https://github.com/BartoszSiemienczuk[Bartosz Siemieńczuk] * Possibility to fetch additional fields from the Facebook identity provider. Thanks to https://github.com/BartoszSiemienczuk[Bartosz Siemieńczuk]
* Support for AES 192 and AES 256 algorithms used for signed and encrypted ID tokens. Thanks to https://github.com/tnorimat[Takashi Norimatsu] * Support for AES 192 and AES 256 algorithms used for signed and encrypted ID tokens. Thanks to https://github.com/tnorimat[Takashi Norimatsu]
* Ability to specify signature algorithm in Signed JWT Client Authentication. Thanks to https://github.com/tnorimat[Takashi Norimatsu] * Ability to specify signature algorithm in Signed JWT Client Authentication. Thanks to https://github.com/tnorimat[Takashi Norimatsu]

1
docs/documentation/securing_apps/topics.adoc
View file

@ -37,7 +37,6 @@ include::topics/oidc/recommendations.adoc[]
include::topics/saml/saml-overview.adoc[] include::topics/saml/saml-overview.adoc[]
ifeval::[{project_community}==true] ifeval::[{project_community}==true]
include::topics/saml/java/java-adapters.adoc[]
include::topics/saml/mod-auth-mellon.adoc[] include::topics/saml/mod-auth-mellon.adoc[]
endif::[] endif::[]
ifeval::[{project_product}==true] ifeval::[{project_product}==true]

14
docs/documentation/securing_apps/topics/overview/getting-started.adoc
View file

@ -39,17 +39,3 @@ ifeval::[{project_community}==true]
* https://github.com/OpenIDC/mod_auth_openidc[mod_auth_openidc] * https://github.com/OpenIDC/mod_auth_openidc[mod_auth_openidc]
endif::[] endif::[]
==== SAML
===== Java
* <<_saml_jboss_adapter,JBoss EAP>>
ifeval::[{project_community}==true]
* <<_saml_jboss_adapter,WildFly>>
endif::[]
ifeval::[{project_community}==true]
===== Apache HTTP Server
* <<_mod_auth_mellon,mod_auth_mellon>>
endif::[]

11
docs/documentation/securing_apps/topics/saml/java/MigrationFromOlderVersions.adoc
View file

@ -1,11 +0,0 @@
==== Migration from older versions
===== Migrating to 1.9.0
====== SAML SP Client Adapter changes
Keycloak SAML SP Client Adapter now requires a specific endpoint, `/saml` to be registered with your IdP.
The SamlFilter must also be bound to /saml in addition to any other binding it has.
This had to be done because SAML POST binding would eat the request input stream and this would be really bad for clients that relied on it.

20
docs/documentation/securing_apps/topics/saml/java/java-adapters-product.adoc
View file

@ -1,20 +0,0 @@
=== {project_name} Java adapters
{project_name} comes with a range of different adapters for Java application. Selecting the correct adapter depends on the target platform.
[[_saml_jboss_adapter]]
==== Red Hat JBoss Enterprise Application Platform
===== 8.0 Beta
{project_name} provides a SAML adapter for Red Hat Enterprise Application Platform 8.0 Beta. However, the documentation
is not currently available, and will be added in the near future.
===== 6.4 and 7.x
Existing applications deployed to Red Hat JBoss Enterprise Application Platform 6.4 and 7.x can leverage adapters from
Red Hat Single Sign-On 7.6 in combination with the {project_name} server.
For more information, see the
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/securing_applications_and_services_guide/using_saml_to_secure_applications_and_services#saml_jboss_adapter[Red Hat Single Sign-On documentation].

36
docs/documentation/securing_apps/topics/saml/java/java-adapters.adoc
View file

@ -1,36 +0,0 @@
=== {project_name} Java adapters
{project_name} comes with a range of different adapters for Java application. Selecting the correct adapter depends on the target platform.
include::general-config.adoc[]
include::general-config/sp_element.adoc[]
include::general-config/sp-keys.adoc[]
include::general-config/sp-keys/keystore_element.adoc[]
include::general-config/sp-keys/key_pems.adoc[]
include::general-config/sp_principalname_mapping_element.adoc[]
include::general-config/roleidentifiers_element.adoc[]
include::general-config/sp_role_mappings_provider_element.adoc[]
include::general-config/idp_element.adoc[]
include::general-config/idp_allowedclockskew_subelement.adoc[]
include::general-config/idp_singlesignonservice_subelement.adoc[]
include::general-config/idp_singlelogoutservice_subelement.adoc[]
include::general-config/idp_keys_subelement.adoc[]
include::general-config/idp_httpclient_subelement.adoc[]
include::saml-jboss-adapter.adoc[]
include::jboss-adapter/jboss_adapter_installation.adoc[]
include::jboss-adapter/jboss-adapter-samesite-setting.adoc[]
include::jboss-adapter/required_per_war_configuration.adoc[]
include::jboss-adapter/securing_wars.adoc[]
ifeval::[{project_community}==true]
endif::[]
include::idp-registration.adoc[]
include::logout.adoc[]
include::assertion-api.adoc[]
include::error_handling.adoc[]
include::debugging.adoc[]
include::multi-tenancy.adoc[]
ifeval::[{project_community}==true]
include::MigrationFromOlderVersions.adoc[]
endif::[]

15
docs/documentation/securing_apps/topics/saml/java/jboss-adapter/jboss_adapter_installation.adoc
View file

@ -1,15 +0,0 @@
[[_saml-jboss-adapter-installation]]
==== Installing adapters from a Galleon feature pack
For the WildFly 29 or newer, the SAML adapter is provided as a Galleon feature pack. More details about this is
in the https://docs.wildfly.org/30/WildFly_Elytron_Security.html#Keycloak_SAML_Integration[WildFly documentation]. The same option will be provided
for JBoss EAP 8 GA.
{project_name} provided adapter ZIP download in the past, but it is not provided anymore. For the older WildFly versions, it is recommended to upgrade
to newer WildFly/EAP and use Galleon. Otherwise, you will need to stick with the older {project_name} adapters, but those are not maintained and officially supported.
For JBoss EAP 7, it is possible to stick with the Red Hat Single Sign-On 7.6 adapters, which is still supported.
For more details on how to integrate {project_name} with JakartaEE applications running on latest Wildfly/EAP, take a look at the Jakarta EE quickstart in the {quickstartRepo_link}[Keycloak Quickstart GitHub Repository].
Below are the details on how to configure the SAML adapter secured by Galleon.

26
docs/documentation/securing_apps/topics/saml/java/saml-jboss-adapter.adoc
View file

@ -1,26 +0,0 @@
[[_saml_jboss_adapter]]
ifeval::[{project_community}==true]
==== JBoss EAP/WildFly adapter
endif::[]
ifeval::[{project_product}==true]
==== JBoss EAP adapter
endif::[]
ifeval::[{project_community}==true]
To be able to secure WAR apps deployed on JBoss EAP or WildFly, you must install and configure the {project_name} SAML Adapter Subsystem.
endif::[]
ifeval::[{project_product}==true]
To be able to secure WAR apps deployed on JBoss EAP, you must install and configure the {project_name} SAML Adapter Subsystem.
endif::[]
You then provide a keycloak config, `/WEB-INF/keycloak-saml.xml` file in your WAR and change the auth-method to KEYCLOAK-SAML within web.xml.
ifeval::[{project_product}==true]
You install the adapters by using a ZIP file or an RPM.
* <<_saml-jboss-adapter-installation, Installing adapters from a ZIP file>>
* <<_jboss7_adapter_rpm_saml, Installing JBoss EAP 7 Adapters from an RPM>>
* <<_jboss6_adapter_rpm_saml, Installing JBoss EAP 6 Adapters from an RPM>>
endif::[]

6
docs/documentation/securing_apps/topics/saml/java/saml_adapter_overview.adoc
View file

@ -1,6 +0,0 @@
= Overview
This document describes the Keycloak SAML client adapter and how it can be configured for a variety of platforms.
The Keycloak SAML client adapter is a standalone component that provides generic SAML 2.0 support for your web applications.
There are no Keycloak server extensions built into it.
As long as the Identity Provider (IdP) being communicated with supports standard SAML, the Keycloak SAML client adapter should be able to integrate with it.

7
docs/guides/assembly.xml
View file

@ -40,5 +40,12 @@
<include>pinned-guides</include> <include>pinned-guides</include>
</includes> </includes>
</fileSet> </fileSet>
<fileSet>
<directory>${project.basedir}/securing-apps</directory>
<outputDirectory>/generated-guides/securing-apps/</outputDirectory>
<includes>
<include>pinned-guides</include>
</includes>
</fileSet>
</fileSets> </fileSets>
</assembly> </assembly>

14
docs/guides/pom.xml
View file

@ -201,6 +201,18 @@
<outputDirectory>${project.build.directory}/generated-docs/high-availability</outputDirectory> <outputDirectory>${project.build.directory}/generated-docs/high-availability</outputDirectory>
</configuration> </configuration>
</execution> </execution>
<execution>
<id>securing-apps-asciidoc-to-html</id>
<phase>generate-resources</phase>
<goals>
<goal>process-asciidoc</goal>
</goals>
<configuration>
<sourceDirectory>${basedir}/target/generated-guides/securing-apps</sourceDirectory>
<outputDirectory>${project.build.directory}/generated-docs/securing-apps</outputDirectory>
<preserveDirectories>true</preserveDirectories>
</configuration>
</execution>
</executions> </executions>
</plugin> </plugin>
<plugin> <plugin>
@ -223,4 +235,4 @@
</plugins> </plugins>
</build> </build>
</project> </project>

3
docs/guides/securing-apps/apisix.adoc Normal file
View file

@ -0,0 +1,3 @@
:guide-title: Apache APISIX
:guide-summary: Integrate Keycloak for Authentication with Apache APISIX
:external-link: https://apisix.apache.org/blog/2021/12/10/integrate-keycloak-auth-in-apisix

12
docs/guides/securing-apps/index.adoc Normal file
View file

@ -0,0 +1,12 @@
= Securing applications
include::../attributes.adoc[]
<#list ctx.guides as guide>
:links_securing-apps_${guide.id}_name: ${guide.title}
:links_securing-apps_${guide.id}_url: #${guide.id}
</#list>
<#list ctx.guides as guide>
include::${guide.template}[leveloffset=+1]
</#list>

3
docs/guides/securing-apps/krakend.adoc Normal file
View file

@ -0,0 +1,3 @@
:guide-title: KrakenD
:guide-summary: Secure APIs with an API Gateway
:external-link: https://www.krakend.io/docs/authorization/keycloak/

2
docs/documentation/securing_apps/topics/saml/java/assertion-api.adoc → docs/guides/securing-apps/partials/saml/assertion-api.adoc
View file

@ -1,5 +1,5 @@
==== Obtaining assertion attributes == Obtaining assertion attributes
After a successful SAML login, your application code may want to obtain attribute values passed with the SAML assertion. After a successful SAML login, your application code may want to obtain attribute values passed with the SAML assertion.
`HttpServletRequest.getUserPrincipal()` returns a `Principal` object that you can typecast into a {project_name} specific class `HttpServletRequest.getUserPrincipal()` returns a `Principal` object that you can typecast into a {project_name} specific class

2
docs/documentation/securing_apps/topics/saml/java/debugging.adoc → docs/guides/securing-apps/partials/saml/debugging.adoc
View file

@ -1,4 +1,4 @@
==== Troubleshooting == Troubleshooting
The best way to troubleshoot problems is to turn on debugging for SAML in both the client adapter and {project_name} Server. Using your logging framework, set the log level to `DEBUG` for the `org.keycloak.saml` package. Turning this on allows you to see the SAML requests and response documents being sent to and from the server. The best way to troubleshoot problems is to turn on debugging for SAML in both the client adapter and {project_name} Server. Using your logging framework, set the log level to `DEBUG` for the `org.keycloak.saml` package. Turning this on allows you to see the SAML requests and response documents being sent to and from the server.

2
docs/documentation/securing_apps/topics/saml/java/error_handling.adoc → docs/guides/securing-apps/partials/saml/error_handling.adoc
View file

@ -1,5 +1,5 @@
==== Error Handling == Error Handling
{project_name} has some error handling facilities for servlet based client adapters. {project_name} has some error handling facilities for servlet based client adapters.
When an error is encountered in authentication, the client adapter will call `HttpServletResponse.sendError()`. When an error is encountered in authentication, the client adapter will call `HttpServletResponse.sendError()`.

14
docs/documentation/securing_apps/topics/saml/java/general-config.adoc → docs/guides/securing-apps/partials/saml/general-config.adoc
View file

@ -1,9 +1,8 @@
[[_saml-general-config]] [[_saml-general-config]]
==== General Adapter Config == Configuration
Each SAML client adapter supported by {project_name} can be configured by a simple XML text file. The SAML client adapter is configured by a XML file `/WEB-INF/keycloak-saml.xml` placed inside the WAR deployment. The configuration might look like the following:
This is what one might look like:
[source,xml,subs="attributes+"] [source,xml,subs="attributes+"]
---- ----
@ -57,8 +56,9 @@ This is what one might look like:
</keycloak-saml-adapter> </keycloak-saml-adapter>
---- ----
Some of these configuration switches may be adapter specific and some are common across all adapters. You can use `${r"${...}"}` enclosure as System property replacement. For example `${r"${jboss.server.config.dir}"}`.
For Java adapters you can use `${...}` enclosure as System property replacement. To get detailed information of the different elements in the XML configuration file see <@links.securingapps id="saml-galleon-layers-detailed-config"/>.
For example `${jboss.server.config.dir}`.
include::partials/saml/required_per_war_configuration.adoc[]
include::partials/saml/securing_wars.adoc[]
include::partials/saml/jboss-adapter-samesite-setting.adoc[]

2
docs/documentation/securing_apps/topics/saml/java/idp-registration.adoc → docs/guides/securing-apps/partials/saml/idp-registration.adoc
View file

@ -1,5 +1,5 @@
==== Registering with an Identity Provider == Registering with an Identity Provider
For each servlet-based adapter, the endpoint you register for the assert consumer service URL and single logout service For each servlet-based adapter, the endpoint you register for the assert consumer service URL and single logout service
must be the base URL of your servlet application with `/saml` appended to it, that is, `$$https://example.com/contextPath/saml$$`. must be the base URL of your servlet application with `/saml` appended to it, that is, `$$https://example.com/contextPath/saml$$`.

2
docs/documentation/securing_apps/topics/saml/java/general-config/idp_allowedclockskew_subelement.adoc → docs/guides/securing-apps/partials/saml/idp_allowedclockskew_subelement.adoc
View file

@ -1,6 +1,6 @@
[[_sp-idp-allowedclockskew]] [[_sp-idp-allowedclockskew]]
===== IDP AllowedClockSkew sub element == IDP AllowedClockSkew sub element
The `AllowedClockSkew` optional sub element defines the allowed clock skew between IDP and SP. The `AllowedClockSkew` optional sub element defines the allowed clock skew between IDP and SP.
The default value is 0. The default value is 0.

2
docs/documentation/securing_apps/topics/saml/java/general-config/idp_element.adoc → docs/guides/securing-apps/partials/saml/idp_element.adoc
View file

@ -1,5 +1,5 @@
===== IDP Element == IDP Element
Everything in the IDP element describes the settings for the identity provider (authentication server) the SP is communicating with. Everything in the IDP element describes the settings for the identity provider (authentication server) the SP is communicating with.

2
docs/documentation/securing_apps/topics/saml/java/general-config/idp_httpclient_subelement.adoc → docs/guides/securing-apps/partials/saml/idp_httpclient_subelement.adoc
View file

@ -1,6 +1,6 @@
[[_sp-idp-httpclient]] [[_sp-idp-httpclient]]
===== IDP HttpClient sub element == IDP HttpClient sub element
The `HttpClient` optional sub element defines the properties of HTTP client used The `HttpClient` optional sub element defines the properties of HTTP client used
for automatic obtaining of certificates containing public keys for IDP signature for automatic obtaining of certificates containing public keys for IDP signature

2
docs/documentation/securing_apps/topics/saml/java/general-config/idp_keys_subelement.adoc → docs/guides/securing-apps/partials/saml/idp_keys_subelement.adoc
View file

@ -1,6 +1,6 @@
[[_sp-idp-keys]] [[_sp-idp-keys]]
===== IDP Keys sub element == IDP Keys sub element
The Keys sub element of IDP is only used to define the certificate or public key to use to verify documents signed by the IDP. The Keys sub element of IDP is only used to define the certificate or public key to use to verify documents signed by the IDP.
It is defined in the same way as the <<_saml-sp-keys,SP's Keys element>>. It is defined in the same way as the <<_saml-sp-keys,SP's Keys element>>.

2
docs/documentation/securing_apps/topics/saml/java/general-config/idp_singlelogoutservice_subelement.adoc → docs/guides/securing-apps/partials/saml/idp_singlelogoutservice_subelement.adoc
View file

@ -1,5 +1,5 @@
===== IDP SingleLogoutService sub element == IDP SingleLogoutService sub element
The `SingleLogoutService` sub element defines the logout SAML endpoint of the IDP. The client adapter will send requests The `SingleLogoutService` sub element defines the logout SAML endpoint of the IDP. The client adapter will send requests
to the IDP formatted via the settings within this element when it wants to log out. to the IDP formatted via the settings within this element when it wants to log out.

2
docs/documentation/securing_apps/topics/saml/java/general-config/idp_singlesignonservice_subelement.adoc → docs/guides/securing-apps/partials/saml/idp_singlesignonservice_subelement.adoc
View file

@ -1,6 +1,6 @@
[[_sp-idp-singlesignonservice]] [[_sp-idp-singlesignonservice]]
===== IDP SingleSignOnService sub element == IDP SingleSignOnService sub element
The `SingleSignOnService` sub element defines the login SAML endpoint of the IDP. The `SingleSignOnService` sub element defines the login SAML endpoint of the IDP.
The client adapter will send requests The client adapter will send requests

126
docs/guides/securing-apps/partials/saml/installation.adoc Normal file
View file

@ -0,0 +1,126 @@
== Installation
The provision of the feature pack is done using the https://docs.wildfly.org/wildfly-maven-plugin[wildfly-maven-plugin], https://docs.wildfly.org/bootablejar/[wildfly-jar-maven-plugin] or https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.0/html/using_jboss_eap_on_openshift_container_platform/assembly_provisioning-a-jboss-eap-server-using-the-maven-plugin_default[eap-maven-plugin] respectively.
=== Example of provision using wildfly maven plugin
[source,xml,subs="attributes+"]
----
<plugin>
<groupId>org.wildfly.plugins</groupId>
<artifactId>wildfly-maven-plugin</artifactId>
<version>5.0.0.Final</version>
<configuration>
<feature-packs>
<feature-pack>
<location>wildfly@maven(org.jboss.universe:community-universe)#32.0.1.Final</location>
</feature-pack>
<feature-pack>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-saml-adapter-galleon-pack</artifactId>
<version>25.0.2</version>
</feature-pack>
</feature-packs>
<layers>
<layer>core-server</layer>
<layer>web-server</layer>
<layer>jaxrs-server</layer>
<layer>datasources-web-server</layer>
<layer>webservices</layer>
<layer>keycloak-saml</layer>
<layer>keycloak-client-saml</layer>
<layer>keycloak-client-saml-ejb</layer>
</layers>
</configuration>
<executions>
<execution>
<goals>
<goal>package</goal>
</goals>
</execution>
</executions>
</plugin>
----
=== Example of provision using wildfly jar maven plugin
[source,xml,subs="attributes+"]
----
<plugin>
<groupId>org.wildfly.plugins</groupId>
<artifactId>wildfly-jar-maven-plugin</artifactId>
<version>11.0.2.Final</version>
<configuration>
<feature-packs>
<feature-pack>
<location>wildfly@maven(org.jboss.universe:community-universe)#32.0.1.Final</location>
</feature-pack>
<feature-pack>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-saml-adapter-galleon-pack</artifactId>
<version>25.0.2</version>
</feature-pack>
</feature-packs>
<layers>
<layer>core-server</layer>
<layer>web-server</layer>
<layer>jaxrs-server</layer>
<layer>datasources-web-server</layer>
<layer>webservices</layer>
<layer>keycloak-saml</layer>
<layer>keycloak-client-saml</layer>
<layer>keycloak-client-saml-ejb</layer>
</layers>
</configuration>
<executions>
<execution>
<goals>
<goal>package</goal>
</goals>
</execution>
</executions>
</plugin>
----
=== Example of provision using EAP maven plugin
[source,xml,subs="attributes+"]
----
<plugin>
<groupId>org.jboss.eap.plugins</groupId>
<artifactId>eap-maven-plugin</artifactId>
<version>1.0.0.Final-redhat-00014</version>
<configuration>
<channels>
<channel>
<manifest>
<groupId>org.jboss.eap.channels</groupId>
<artifactId>eap-8.0</artifactId>
</manifest>
</channel>
</channels>
<feature-packs>
<feature-pack>
<location>org.keycloak:keycloak-saml-adapter-galleon-pack</location>
</feature-pack>
</feature-packs>
<layers>
<layer>core-server</layer>
<layer>web-server</layer>
<layer>jaxrs-server</layer>
<layer>datasources-web-server</layer>
<layer>webservices</layer>
<layer>keycloak-saml</layer>
<layer>keycloak-client-saml</layer>
<layer>keycloak-client-saml-ejb</layer>
</layers>
</configuration>
<executions>
<execution>
<goals>
<goal>package</goal>
</goals>
</execution>
</executions>
</plugin>
----

2
docs/documentation/securing_apps/topics/saml/java/jboss-adapter/jboss-adapter-samesite-setting.adoc → docs/guides/securing-apps/partials/saml/jboss-adapter-samesite-setting.adoc
View file

@ -1,5 +1,5 @@
[[_saml-jboss-adapter-samesite-setting]] [[_saml-jboss-adapter-samesite-setting]]
===== Setting SameSite value for JSESSIONID cookie === Setting SameSite value for JSESSIONID cookie
Browsers are planning to set the default value for the `SameSite` attribute for cookies to `Lax`. This setting means Browsers are planning to set the default value for the `SameSite` attribute for cookies to `Lax`. This setting means
that cookies will be sent to applications only if the request originates in the same domain. This behavior can affect that cookies will be sent to applications only if the request originates in the same domain. This behavior can affect

20
docs/documentation/securing_apps/topics/saml/java/logout.adoc → docs/guides/securing-apps/partials/saml/logout.adoc
View file

@ -1,4 +1,4 @@
==== Logout == Logout
There are multiple ways you can log out from a web application. There are multiple ways you can log out from a web application.
For Jakarta EE servlet containers, you can call `HttpServletRequest.logout()`. For any other browser application, you can point For Jakarta EE servlet containers, you can call `HttpServletRequest.logout()`. For any other browser application, you can point
@ -6,7 +6,7 @@ the browser at any url of your web application that has a security constraint an
This will log you out if you have an SSO session with your browser. This will log you out if you have an SSO session with your browser.
[[_saml_logout_in_cluster]] [[_saml_logout_in_cluster]]
===== Logout in clustered environment === Logout in clustered environment
Internally, the SAML adapter stores a mapping between the SAML session index, principal name (when known), and HTTP session ID. Internally, the SAML adapter stores a mapping between the SAML session index, principal name (when known), and HTTP session ID.
This mapping can be maintained in JBoss application server family (WildFly 10/11, EAP 6/7) across cluster for distributable This mapping can be maintained in JBoss application server family (WildFly 10/11, EAP 6/7) across cluster for distributable
@ -15,8 +15,6 @@ applications. As a precondition, the HTTP sessions need to be distributed across
To enable the functionality, add the following section to your `/WEB_INF/web.xml` file: To enable the functionality, add the following section to your `/WEB_INF/web.xml` file:
For EAP 7, WildFly 10/11:
[source,xml] [source,xml]
---- ----
<context-param> <context-param>
@ -25,16 +23,6 @@ For EAP 7, WildFly 10/11:
</context-param> </context-param>
---- ----
For EAP 6:
[source,xml]
----
<context-param>
<param-name>keycloak.sessionIdMapperUpdater.classes</param-name>
<param-value>org.keycloak.adapters.saml.jbossweb.infinispan.InfinispanSessionCacheIdMapperUpdater</param-value>
</context-param>
----
If the session cache of the deployment is named `_deployment-cache_`, the cache used for SAML mapping will be named If the session cache of the deployment is named `_deployment-cache_`, the cache used for SAML mapping will be named
as `_deployment-cache_.ssoCache`. The name of the cache can be overridden by a context parameter as `_deployment-cache_.ssoCache`. The name of the cache can be overridden by a context parameter
`keycloak.sessionIdMapperUpdater.infinispan.cacheName`. The cache container containing the cache will be the same as `keycloak.sessionIdMapperUpdater.infinispan.cacheName`. The cache container containing the cache will be the same as
@ -49,9 +37,7 @@ Using distributed cache may lead to results where the SAML logout request would
to SAML session index to HTTP session mapping which would lead to unsuccessful logout. to SAML session index to HTTP session mapping which would lead to unsuccessful logout.
[[_saml_logout_in_cross_dc]] [[_saml_logout_in_cross_dc]]
===== Logout in cross-site scenario === Logout in cross-site scenario
The cross-site scenario only applies to WildFly 10 and higher, and EAP 7 and higher.
Special handling is needed for handling sessions that span multiple data centers. Imagine the following scenario: Special handling is needed for handling sessions that span multiple data centers. Imagine the following scenario:

2
docs/documentation/securing_apps/topics/saml/java/multi-tenancy.adoc → docs/guides/securing-apps/partials/saml/multi-tenancy.adoc
View file

@ -1,5 +1,5 @@
[[_saml_multi_tenancy]] [[_saml_multi_tenancy]]
==== Multi Tenancy == Multi Tenancy
SAML offers Multi Tenancy, meaning that a single target application (WAR) can be secured with multiple {project_name} realms. The realms can be located on the same {project_name} instance or on different instances. SAML offers Multi Tenancy, meaning that a single target application (WAR) can be secured with multiple {project_name} realms. The realms can be located on the same {project_name} instance or on different instances.

7
docs/documentation/securing_apps/topics/saml/java/jboss-adapter/required_per_war_configuration.adoc → docs/guides/securing-apps/partials/saml/required_per_war_configuration.adoc
View file

@ -1,12 +1,9 @@
===== Securing a WAR === Securing a WAR
This section describes how to secure a WAR directly by adding config and editing files within your WAR package. This section describes how to secure a WAR directly by adding config and editing files within your WAR package.
The first thing you must do is create a `keycloak-saml.xml` adapter config file within the `WEB-INF` directory of your WAR. Once `keycloak-saml.xml` is created and in the `WEB-INF` directory of your WAR, you must set the `auth-method` to `KEYCLOAK-SAML` in `web.xml`.
The format of this config file is described in the <<_saml-general-config,General Adapter Config>> section.
Next you must set the `auth-method` to `KEYCLOAK-SAML` in `web.xml`.
You also have to use standard servlet security to specify role-base constraints on your URLs. You also have to use standard servlet security to specify role-base constraints on your URLs.
Here's an example _web.xml_ file: Here's an example _web.xml_ file:

2
docs/documentation/securing_apps/topics/saml/java/general-config/roleidentifiers_element.adoc → docs/guides/securing-apps/partials/saml/roleidentifiers_element.adoc
View file

@ -1,5 +1,5 @@
===== RoleIdentifiers element == RoleIdentifiers element
The `RoleIdentifiers` element defines what SAML attributes within the assertion received from the user should be used The `RoleIdentifiers` element defines what SAML attributes within the assertion received from the user should be used
as role identifiers within the Jakarta EE Security Context for the user. as role identifiers within the Jakarta EE Security Context for the user.

2
docs/documentation/securing_apps/topics/saml/java/jboss-adapter/securing_wars.adoc → docs/guides/securing-apps/partials/saml/securing_wars.adoc
View file

@ -1,5 +1,5 @@
===== Securing WARs using the {project_name} SAML Subsystem === Securing WARs using the {project_name} SAML Subsystem
You do not have to open a WAR to secure it with {project_name}. You do not have to open a WAR to secure it with {project_name}.
Alternatively, you can externally secure it via the {project_name} SAML Adapter Subsystem. Alternatively, you can externally secure it via the {project_name} SAML Adapter Subsystem.

2
docs/documentation/securing_apps/topics/saml/java/general-config/sp-keys.adoc → docs/guides/securing-apps/partials/saml/sp-keys.adoc
View file

@ -1,6 +1,6 @@
[[_saml-sp-keys]] [[_saml-sp-keys]]
===== Service Provider keys and key elements == Service Provider keys and key elements
If the IdP requires that the client application (or SP) sign all of its requests and/or if the IdP will encrypt assertions, you must define the keys used to do this. If the IdP requires that the client application (or SP) sign all of its requests and/or if the IdP will encrypt assertions, you must define the keys used to do this.
For client-signed documents you must define both the private and public key or certificate that is used to sign documents. For client-signed documents you must define both the private and public key or certificate that is used to sign documents.

2
docs/documentation/securing_apps/topics/saml/java/general-config/sp-keys/key_pems.adoc → docs/guides/securing-apps/partials/saml/sp-keys/key_pems.adoc
View file

@ -1,5 +1,5 @@
====== Key PEMS === Key PEMS
Within the `Key` element you declare your keys and certificates directly using the sub elements Within the `Key` element you declare your keys and certificates directly using the sub elements
`PrivateKeyPem`, `PublicKeyPem`, and `CertificatePem`. `PrivateKeyPem`, `PublicKeyPem`, and `CertificatePem`.

2
docs/documentation/securing_apps/topics/saml/java/general-config/sp-keys/keystore_element.adoc → docs/guides/securing-apps/partials/saml/sp-keys/keystore_element.adoc
View file

@ -1,6 +1,6 @@
[[_saml-keystore]] [[_saml-keystore]]
====== KeyStore element === KeyStore element
Within the `Key` element you can load your keys and certificates from a Java Keystore. This is declared within Within the `Key` element you can load your keys and certificates from a Java Keystore. This is declared within
a `KeyStore` element. a `KeyStore` element.

2
docs/documentation/securing_apps/topics/saml/java/general-config/sp_element.adoc → docs/guides/securing-apps/partials/saml/sp_element.adoc
View file

@ -1,5 +1,5 @@
===== SP element == SP element
Here is the explanation of the SP element attributes: Here is the explanation of the SP element attributes:

2
docs/documentation/securing_apps/topics/saml/java/general-config/sp_principalname_mapping_element.adoc → docs/guides/securing-apps/partials/saml/sp_principalname_mapping_element.adoc
View file

@ -1,5 +1,5 @@
===== SP PrincipalNameMapping element == SP PrincipalNameMapping element
This element is optional. This element is optional.
When creating a Java Principal object that you obtain from methods such as `HttpServletRequest.getUserPrincipal()`, you can define what name is returned by the `Principal.getName()` method. When creating a Java Principal object that you obtain from methods such as `HttpServletRequest.getUserPrincipal()`, you can define what name is returned by the `Principal.getName()` method.

6
docs/documentation/securing_apps/topics/saml/java/general-config/sp_role_mappings_provider_element.adoc → docs/guides/securing-apps/partials/saml/sp_role_mappings_provider_element.adoc
View file

@ -1,5 +1,5 @@
===== RoleMappingsProvider element == RoleMappingsProvider element
The `RoleMappingsProvider` is an optional element that allows for the specification of the id and configuration of the The `RoleMappingsProvider` is an optional element that allows for the specification of the id and configuration of the
`org.keycloak.adapters.saml.RoleMappingsProvider` SPI implementation that is to be used by the SAML adapter. `org.keycloak.adapters.saml.RoleMappingsProvider` SPI implementation that is to be used by the SAML adapter.
@ -29,7 +29,7 @@ The configuration of the provider looks as follows:
The `id` attribute identifies which of the installed providers is to be used. The `Property` sub-element can be used multiple times The `id` attribute identifies which of the installed providers is to be used. The `Property` sub-element can be used multiple times
to specify configuration properties for the provider. to specify configuration properties for the provider.
====== Properties Based role mappings provider === Properties Based role mappings provider
{project_name} includes a `RoleMappingsProvider` implementation that performs the role mappings using a `properties` file. This {project_name} includes a `RoleMappingsProvider` implementation that performs the role mappings using a `properties` file. This
provider is identified by the id `properties-based-role-mapper` and is implemented by the `org.keycloak.adapters.saml.PropertiesBasedRoleMapper` provider is identified by the id `properties-based-role-mapper` and is implemented by the `org.keycloak.adapters.saml.PropertiesBasedRoleMapper`
@ -93,7 +93,7 @@ role\u0020A=roleX,roleY
---- ----
ifeval::[{project_community}==true] ifeval::[{project_community}==true]
====== Adding your own role mappings provider === Adding your own role mappings provider
To add a custom role mappings provider one simply needs to implement the `org.keycloak.adapters.saml.RoleMappingsProvider` SPI. To add a custom role mappings provider one simply needs to implement the `org.keycloak.adapters.saml.RoleMappingsProvider` SPI.
For more details see the `SAML Role Mappings SPI` section in link:{developerguide_link}[{developerguide_name}]. For more details see the `SAML Role Mappings SPI` section in link:{developerguide_link}[{developerguide_name}].

3
docs/guides/securing-apps/quarkus.adoc Normal file
View file

@ -0,0 +1,3 @@
:guide-title: Quarkus
:guide-summary: Using OpenID Connect and Keycloak to secure your Quarkus applications
:external-link: https://quarkus.io/guides/security-keycloak-authorization

26
docs/guides/securing-apps/saml-galleon-layers-detailed-config.adoc Normal file
View file

@ -0,0 +1,26 @@
<#import "/templates/guide.adoc" as tmpl>
<#import "/templates/links.adoc" as links>
<@tmpl.guide
title="{project_name} SAML Galleon feature pack detailed configuration"
priority=20
tileVisible="false"
summary="Detailed list of elements for the `keycloak-saml.xml` configuration file">
This {section} contains the detailed list of elements for the `keycloak-saml.xml` configuration file used by the {project_name} SAML Galleon feature pack.
include::partials/saml/sp_element.adoc[]
include::partials/saml/sp-keys.adoc[]
include::partials/saml/sp-keys/keystore_element.adoc[]
include::partials/saml/sp-keys/key_pems.adoc[]
include::partials/saml/sp_principalname_mapping_element.adoc[]
include::partials/saml/roleidentifiers_element.adoc[]
include::partials/saml/sp_role_mappings_provider_element.adoc[]
include::partials/saml/idp_element.adoc[]
include::partials/saml/idp_allowedclockskew_subelement.adoc[]
include::partials/saml/idp_singlesignonservice_subelement.adoc[]
include::partials/saml/idp_singlelogoutservice_subelement.adoc[]
include::partials/saml/idp_keys_subelement.adoc[]
include::partials/saml/idp_httpclient_subelement.adoc[]
</@tmpl.guide>

24
docs/guides/securing-apps/saml-galleon-layers.adoc Normal file
View file

@ -0,0 +1,24 @@
<#import "/templates/guide.adoc" as tmpl>
<#import "/templates/links.adoc" as links>
<@tmpl.guide
title="{project_name} SAML Galleon feature pack for WildFly and EAP"
priority=10
summary="Using {project_name} SAML Galleon feature pack to secure applications in WildFly and EAP">
The SAML adapter is distributed as a Galleon feature pack for wildfly 29 or newer. More details about the subject
in the https://docs.wildfly.org/32/WildFly_Elytron_Security.html#Keycloak_SAML_Integration[WildFly documentation].
The same option is provided for JBoss EAP 8 GA.
For an example about how to integrate Keycloak with JakartaEE applications running on latest Wildfly/EAP, take a look at the `servlet-saml-service-provider` Jakarta folder in the https://github.com/keycloak/keycloak-quickstarts[Keycloak Quickstart GitHub Repository].
include::partials/saml/installation.adoc[]
<#include "partials/saml/general-config.adoc" />
include::partials/saml/idp-registration.adoc[]
include::partials/saml/logout.adoc[]
include::partials/saml/assertion-api.adoc[]
include::partials/saml/error_handling.adoc[]
include::partials/saml/debugging.adoc[]
include::partials/saml/multi-tenancy.adoc[]
</@tmpl.guide>

3
docs/guides/securing-apps/traefik-hub.adoc Normal file
View file

@ -0,0 +1,3 @@
:guide-title: Traefik Hub
:guide-summary: Use Keycloak as an identity provider or as an identity broker for Traefik Hub API management
:external-link: https://doc.traefik.io/traefik-hub/authentication-authorization/idp/keycloak

3
docs/guides/securing-apps/wildfly.adoc Normal file
View file

@ -0,0 +1,3 @@
:guide-title: WildFly
:guide-summary: Secure WildFly Applications with Keycloak
:external-link: https://wildfly-security.github.io/wildfly-elytron/blog/securing-wildfly-apps-openid-connect/

1
docs/guides/templates/links.adoc
View file

@ -1,3 +1,4 @@
<#macro server id anchor="">link:{links_server_${id}_url}<#if anchor != "">#${anchor}</#if>[{links_server_${id}_name}]</#macro> <#macro server id anchor="">link:{links_server_${id}_url}<#if anchor != "">#${anchor}</#if>[{links_server_${id}_name}]</#macro>
<#macro operator id anchor="">link:{links_operator_${id}_url}<#if anchor != "">#${anchor}</#if>[{links_operator_${id}_name}]</#macro> <#macro operator id anchor="">link:{links_operator_${id}_url}<#if anchor != "">#${anchor}</#if>[{links_operator_${id}_name}]</#macro>
<#macro ha id anchor="">link:{links_high-availability_${id}_url}<#if anchor != "">#${anchor}</#if>[{links_high-availability_${id}_name}]</#macro> <#macro ha id anchor="">link:{links_high-availability_${id}_url}<#if anchor != "">#${anchor}</#if>[{links_high-availability_${id}_name}]</#macro>
<#macro securingapps id anchor="">link:{links_securing-apps_${id}_url}<#if anchor != "">#${anchor}</#if>[{links_securing-apps_${id}_name}]</#macro>