From d61b1ddb09c5d1396633504c7dbb0ccdc91b3f8a Mon Sep 17 00:00:00 2001 From: AndyMunro Date: Fri, 15 Mar 2024 17:02:38 -0400 Subject: [PATCH] Edit use of Keycloak in Server Admin Guide Closes #27955 Signed-off-by: AndyMunro --- .../server_admin/topics/authentication/flows.adoc | 2 +- .../server_admin/topics/authentication/kerberos.adoc | 2 +- .../server_admin/topics/identity-broker/social/openshift.adoc | 4 ++-- .../server_admin/topics/login-settings/forgot-password.adoc | 2 +- .../topics/sso-protocols/con-oidc-auth-flows.adoc | 2 +- .../server_admin/topics/user-federation/ldap.adoc | 4 ++-- .../documentation/server_admin/topics/users/user-profile.adoc | 2 +- docs/documentation/server_admin/topics/vault.adoc | 2 +- 8 files changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/documentation/server_admin/topics/authentication/flows.adoc b/docs/documentation/server_admin/topics/authentication/flows.adoc index bfb611d5c3..faf5396adb 100644 --- a/docs/documentation/server_admin/topics/authentication/flows.adoc +++ b/docs/documentation/server_admin/topics/authentication/flows.adoc 
@@ -360,7 +360,7 @@ For more details see the https://openid.net/specs/openid-connect-core-1_0.html#a The logic for the previous configured authentication flow is as follows: + If a client request a high authentication level, meaning Level of Authentication 2 (LoA 2), a user has to perform full 2-factor authentication: Username/Password + OTP. -However, if a user already has a session in Keycloak, that was logged in with username and password (LoA 1), the user is only asked for the second authentication factor (OTP). +However, if a user already has a session in {project_name}, that was logged in with username and password (LoA 1), the user is only asked for the second authentication factor (OTP). The option *Max Age* in the condition determines how long (how much seconds) the subsequent authentication level is valid. This setting helps to decide whether the user will be asked to present the authentication factor again during a subsequent authentication. If the particular level X is requested diff --git a/docs/documentation/server_admin/topics/authentication/kerberos.adoc b/docs/documentation/server_admin/topics/authentication/kerberos.adoc index 542933072b..aeb84b51b6 100644 --- a/docs/documentation/server_admin/topics/authentication/kerberos.adoc +++ b/docs/documentation/server_admin/topics/authentication/kerberos.adoc 
@@ -18,7 +18,7 @@ A typical use case for web authentication is the following: [WARNING] ==== -The https://www.ietf.org/rfc/rfc4559.txt[Negotiate] www-authenticate scheme allows NTLM as a fallback to Kerberos and on some web browsers in Windows NTLM is supported by default. If a www-authenticate challenge comes from a server outside a browsers permitted list, users may encounter an NTLM dialog prompt. A user would need to click the cancel button on the dialog to continue as Keycloak does not support this mechanism. This situation can happen if Intranet web browsers are not strictly configured or if Keycloak serves users in both the Intranet and Internet. A https://github.com/keycloak/keycloak/issues/8989[custom authenticator] can be used to restrict Negotiate challenges to a whitelist of hosts. +The https://www.ietf.org/rfc/rfc4559.txt[Negotiate] www-authenticate scheme allows NTLM as a fallback to Kerberos and on some web browsers in Windows NTLM is supported by default. If a www-authenticate challenge comes from a server outside a browsers permitted list, users may encounter an NTLM dialog prompt. A user would need to click the cancel button on the dialog to continue as {project_name} does not support this mechanism. This situation can happen if Intranet web browsers are not strictly configured or if {project_name} serves users in both the Intranet and Internet. A https://github.com/keycloak/keycloak/issues/8989[custom authenticator] can be used to restrict Negotiate challenges to a whitelist of hosts. ==== Perform the following steps to set up Kerberos authentication: diff --git a/docs/documentation/server_admin/topics/identity-broker/social/openshift.adoc b/docs/documentation/server_admin/topics/identity-broker/social/openshift.adoc index fbce9b3583..4dcd07eed5 100644 --- a/docs/documentation/server_admin/topics/identity-broker/social/openshift.adoc +++ b/docs/documentation/server_admin/topics/identity-broker/social/openshift.adoc 
@@ -38,8 +38,8 @@ grantMethod: prompt <4> ==== OpenShift 4 .Prerequisites -. A certificate of the OpenShift 4 instance stored in the Keycloak Truststore. -. A Keycloak server configured in order to use the truststore. For more information, see the https://www.keycloak.org/server/keycloak-truststore[Configuring a Truststore] {section}. +. A certificate of the OpenShift 4 instance stored in the {project_name} Truststore. +. A {project_name} server configured in order to use the truststore. For more information, see the https://www.keycloak.org/server/keycloak-truststore[Configuring a Truststore] {section}. .Procedure . Click *Identity Providers* in the menu. diff --git a/docs/documentation/server_admin/topics/login-settings/forgot-password.adoc b/docs/documentation/server_admin/topics/login-settings/forgot-password.adoc index 4f630ec1a6..c41bc808b7 100644 --- a/docs/documentation/server_admin/topics/login-settings/forgot-password.adoc +++ b/docs/documentation/server_admin/topics/login-settings/forgot-password.adoc @@ -18,7 +18,7 @@ A `Forgot Password?` link displays in your login pages. .Forgot password link image:images/forgot-password-link.png[Forgot Password Link] + -. Specify `Host` and `From` in the *Email* tab in order for Keycloak to be able to send the reset email. +. Specify `Host` and `From` in the *Email* tab in order for {Project_Name} to be able to send the reset email. + . Click this link to bring users where they can enter their username or email address and receive an email with a link to reset their credentials. + diff --git a/docs/documentation/server_admin/topics/sso-protocols/con-oidc-auth-flows.adoc b/docs/documentation/server_admin/topics/sso-protocols/con-oidc-auth-flows.adoc index ed0a689a9b..7462c5902d 100644 --- a/docs/documentation/server_admin/topics/sso-protocols/con-oidc-auth-flows.adoc +++ b/docs/documentation/server_admin/topics/sso-protocols/con-oidc-auth-flows.adoc 
@@ -98,7 +98,7 @@ profile and configure client policy to specify for which clients would be the pr This is used by clients running on internet-connected devices that have limited input capabilities or lack a suitable browser. Here's a brief summary of the protocol: . The application requests {project_name} a device code and a user code. {project_name} creates a device code and a user code. {project_name} returns a response including the device code and the user code to the application. -. The application provides the user with the user code and the verification URI. The user accesses a verification URI to be authenticated by using another browser. You could define a short verification_uri that will be redirected to Keycloak verification URI (/realms/realm_name/device)outside Keycloak - fe in a proxy. +. The application provides the user with the user code and the verification URI. The user accesses a verification URI to be authenticated by using another browser. You could define a short verification_uri that will be redirected to {project_name} verification URI (/realms/realm_name/device)outside {project_name} - fe in a proxy. . The application repeatedly polls {project_name} to find out if the user completed the user authorization. If user authentication is complete, the application exchanges the device code for an _identity_, _access_ and _refresh_ token. [[_client_initiated_backchannel_authentication_grant]] diff --git a/docs/documentation/server_admin/topics/user-federation/ldap.adoc b/docs/documentation/server_admin/topics/user-federation/ldap.adoc index 921fe12107..4dfa9cdea4 100644 --- a/docs/documentation/server_admin/topics/user-federation/ldap.adoc +++ b/docs/documentation/server_admin/topics/user-federation/ldap.adoc 
@@ -176,7 +176,7 @@ Note those messages are displayed just with the enabled DEBUG logging. the LDAP provider to value `all`. This will add lots of additional messages to server log with the included logging for the LDAP connection pooling. This can be used to track the issues related to connection pooling or performance. -NOTE: After changing the configuration of connection pooling, you may need to restart the Keycloak server to enforce re-initialization +NOTE: After changing the configuration of connection pooling, you may need to restart the {project_name} server to enforce re-initialization of the LDAP provider connection. If no more messages appear for connection pooling even after server restart, it can indicate that connection pooling does not work @@ -185,4 +185,4 @@ with your LDAP server. - For the case of reporting LDAP issue, you may consider to attach some part of your LDAP tree with the target data, which causes issues in your environment. For example if login of some user takes lot of time, you can consider attach his LDAP entry showing count of `member` attributes of various "group" entries. In this case, it might be useful to add if those group entries are mapped to some Group LDAP mapper (or Role LDAP Mapper) -in {project_name} etc. +in {project_name} and so on. diff --git a/docs/documentation/server_admin/topics/users/user-profile.adoc b/docs/documentation/server_admin/topics/users/user-profile.adoc index e37ed0aed0..5a5f2f09a4 100644 --- a/docs/documentation/server_admin/topics/users/user-profile.adoc +++ b/docs/documentation/server_admin/topics/users/user-profile.adoc 
@@ -120,7 +120,7 @@ To specify a different minimum or maximum length, change the unmanaged attribute WARNING: {project_name} caches user-related objects in its internal caches. The longer the attributes are, the more memory the cache consumes. Therefore, limiting the size of the length attributes is recommended. -Consider storing large objects outside Keycloak and reference them by ID or URL. +Consider storing large objects outside {project_Name} and reference them by ID or URL. == Managing the User Profile diff --git a/docs/documentation/server_admin/topics/vault.adoc b/docs/documentation/server_admin/topics/vault.adoc index 6206d6f208..4dabd3f654 100644 --- a/docs/documentation/server_admin/topics/vault.adoc +++ b/docs/documentation/server_admin/topics/vault.adoc @@ -3,7 +3,7 @@ == Using a vault to obtain secrets -Keycloak currently provides two out-of-the-box implementations of the Vault SPI: a plain-text file-based vault and Java KeyStore-based vault. +{project_name} currently provides two out-of-the-box implementations of the Vault SPI: a plain-text file-based vault and Java KeyStore-based vault. To obtain a secret from a vault rather than entering it directly, enter the following specially crafted string into the appropriate field:
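Review bot: In the flows.adoc hunk, the replaced line is fine, but the surrounding sentences it touches still read "If a client request a high authentication level" and "how long (how much seconds)"; since this line is being edited anyway, consider fixing the adjacent grammar in the same patch ("If a client requests", "how many seconds") so the paragraph does not need a second follow-up edit.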
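Review bot: In the kerberos.adoc hunk, the `+` line keeps "outside a browsers permitted list" without the possessive apostrophe ("a browser's permitted list"); the whole sentence is rewritten here, so this is the place to correct it rather than leaving the typo in the new text.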
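Review bot: The forgot-password.adoc hunk introduces `{Project_Name}` with a capital P and N, whereas every other hunk in this patch uses `{project_name}`. AsciiDoc attribute names are case-sensitive, so a differently cased reference will not resolve to the defined attribute and will render as the literal text `{Project_Name}` in the guide. Change the line to `. Specify `Host` and `From` in the *Email* tab in order for {project_name} to be able to send the reset email.`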
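Review bot: The con-oidc-auth-flows.adoc hunk replaces the product name but leaves "verification URI (/realms/realm_name/device)outside {project_name} - fe in a proxy." unchanged in form: the missing space before "outside" and the abbreviation "fe" make the sentence hard to read. Suggest "...redirected to the {project_name} verification URI (/realms/realm_name/device) outside {project_name}, for example in a proxy." while the line is being rewritten.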
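Review bot: The user-profile.adoc hunk has the same casing problem as forgot-password.adoc: `{project_Name}` (capital N) will not match the `{project_name}` attribute used on the WARNING line two lines above it in the same hunk, so the rendered sentence would show the raw attribute reference. The line should read `Consider storing large objects outside {project_name} and reference them by ID or URL.` It is worth grepping the whole patch for `{project_` followed by any uppercase letter before merging, since the two misspellings differ from each other and an eyeball review missed both.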