Edit use of Keycloak in Server Admin Guide

Closes #27955

Signed-off-by: AndyMunro <amunro@redhat.com>
This commit is contained in:
AndyMunro 2024-03-15 17:02:38 -04:00 committed by Alexander Schwartz
parent 0e5d685cd3
commit d61b1ddb09
8 changed files with 10 additions and 10 deletions

View file

@ -360,7 +360,7 @@ For more details see the https://openid.net/specs/openid-connect-core-1_0.html#a
The logic for the previous configured authentication flow is as follows: + The logic for the previous configured authentication flow is as follows: +
If a client request a high authentication level, meaning Level of Authentication 2 (LoA 2), a user has to perform full 2-factor authentication: Username/Password + OTP. If a client request a high authentication level, meaning Level of Authentication 2 (LoA 2), a user has to perform full 2-factor authentication: Username/Password + OTP.
However, if a user already has a session in Keycloak, that was logged in with username and password (LoA 1), the user is only asked for the second authentication factor (OTP). However, if a user already has a session in {project_name}, that was logged in with username and password (LoA 1), the user is only asked for the second authentication factor (OTP).
The option *Max Age* in the condition determines how long (how much seconds) the subsequent authentication level is valid. This setting helps to decide The option *Max Age* in the condition determines how long (how much seconds) the subsequent authentication level is valid. This setting helps to decide
whether the user will be asked to present the authentication factor again during a subsequent authentication. If the particular level X is requested whether the user will be asked to present the authentication factor again during a subsequent authentication. If the particular level X is requested

View file

@ -18,7 +18,7 @@ A typical use case for web authentication is the following:
[WARNING] [WARNING]
==== ====
The https://www.ietf.org/rfc/rfc4559.txt[Negotiate] www-authenticate scheme allows NTLM as a fallback to Kerberos and on some web browsers in Windows NTLM is supported by default. If a www-authenticate challenge comes from a server outside a browsers permitted list, users may encounter an NTLM dialog prompt. A user would need to click the cancel button on the dialog to continue as Keycloak does not support this mechanism. This situation can happen if Intranet web browsers are not strictly configured or if Keycloak serves users in both the Intranet and Internet. A https://github.com/keycloak/keycloak/issues/8989[custom authenticator] can be used to restrict Negotiate challenges to a whitelist of hosts. The https://www.ietf.org/rfc/rfc4559.txt[Negotiate] www-authenticate scheme allows NTLM as a fallback to Kerberos and on some web browsers in Windows NTLM is supported by default. If a www-authenticate challenge comes from a server outside a browsers permitted list, users may encounter an NTLM dialog prompt. A user would need to click the cancel button on the dialog to continue as {project_name} does not support this mechanism. This situation can happen if Intranet web browsers are not strictly configured or if {project_name} serves users in both the Intranet and Internet. A https://github.com/keycloak/keycloak/issues/8989[custom authenticator] can be used to restrict Negotiate challenges to a whitelist of hosts.
==== ====
Perform the following steps to set up Kerberos authentication: Perform the following steps to set up Kerberos authentication:

View file

@ -38,8 +38,8 @@ grantMethod: prompt <4>
==== OpenShift 4 ==== OpenShift 4
.Prerequisites .Prerequisites
. A certificate of the OpenShift 4 instance stored in the Keycloak Truststore. . A certificate of the OpenShift 4 instance stored in the {project_name} Truststore.
. A Keycloak server configured in order to use the truststore. For more information, see the https://www.keycloak.org/server/keycloak-truststore[Configuring a Truststore] {section}. . A {project_name} server configured in order to use the truststore. For more information, see the https://www.keycloak.org/server/keycloak-truststore[Configuring a Truststore] {section}.
.Procedure .Procedure
. Click *Identity Providers* in the menu. . Click *Identity Providers* in the menu.

View file

@ -18,7 +18,7 @@ A `Forgot Password?` link displays in your login pages.
.Forgot password link .Forgot password link
image:images/forgot-password-link.png[Forgot Password Link] image:images/forgot-password-link.png[Forgot Password Link]
+ +
. Specify `Host` and `From` in the *Email* tab in order for Keycloak to be able to send the reset email. . Specify `Host` and `From` in the *Email* tab in order for {Project_Name} to be able to send the reset email.
+ +
. Click this link to bring users where they can enter their username or email address and receive an email with a link to reset their credentials. . Click this link to bring users where they can enter their username or email address and receive an email with a link to reset their credentials.
+ +

View file

@ -98,7 +98,7 @@ profile and configure client policy to specify for which clients would be the pr
This is used by clients running on internet-connected devices that have limited input capabilities or lack a suitable browser. Here's a brief summary of the protocol: This is used by clients running on internet-connected devices that have limited input capabilities or lack a suitable browser. Here's a brief summary of the protocol:
. The application requests {project_name} a device code and a user code. {project_name} creates a device code and a user code. {project_name} returns a response including the device code and the user code to the application. . The application requests {project_name} a device code and a user code. {project_name} creates a device code and a user code. {project_name} returns a response including the device code and the user code to the application.
. The application provides the user with the user code and the verification URI. The user accesses a verification URI to be authenticated by using another browser. You could define a short verification_uri that will be redirected to Keycloak verification URI (/realms/realm_name/device)outside Keycloak - fe in a proxy. . The application provides the user with the user code and the verification URI. The user accesses a verification URI to be authenticated by using another browser. You could define a short verification_uri that will be redirected to {project_name} verification URI (/realms/realm_name/device)outside {project_name} - fe in a proxy.
. The application repeatedly polls {project_name} to find out if the user completed the user authorization. If user authentication is complete, the application exchanges the device code for an _identity_, _access_ and _refresh_ token. . The application repeatedly polls {project_name} to find out if the user completed the user authorization. If user authentication is complete, the application exchanges the device code for an _identity_, _access_ and _refresh_ token.
[[_client_initiated_backchannel_authentication_grant]] [[_client_initiated_backchannel_authentication_grant]]

View file

@ -176,7 +176,7 @@ Note those messages are displayed just with the enabled DEBUG logging.
the LDAP provider to value `all`. This will add lots of additional messages to server log with the included logging for the LDAP connection the LDAP provider to value `all`. This will add lots of additional messages to server log with the included logging for the LDAP connection
pooling. This can be used to track the issues related to connection pooling or performance. pooling. This can be used to track the issues related to connection pooling or performance.
NOTE: After changing the configuration of connection pooling, you may need to restart the Keycloak server to enforce re-initialization NOTE: After changing the configuration of connection pooling, you may need to restart the {project_name} server to enforce re-initialization
of the LDAP provider connection. of the LDAP provider connection.
If no more messages appear for connection pooling even after server restart, it can indicate that connection pooling does not work If no more messages appear for connection pooling even after server restart, it can indicate that connection pooling does not work
@ -185,4 +185,4 @@ with your LDAP server.
- For the case of reporting LDAP issue, you may consider to attach some part of your LDAP tree with the target data, which causes issues - For the case of reporting LDAP issue, you may consider to attach some part of your LDAP tree with the target data, which causes issues
in your environment. For example if login of some user takes lot of time, you can consider attach his LDAP entry showing count of `member` attributes in your environment. For example if login of some user takes lot of time, you can consider attach his LDAP entry showing count of `member` attributes
of various "group" entries. In this case, it might be useful to add if those group entries are mapped to some Group LDAP mapper (or Role LDAP Mapper) of various "group" entries. In this case, it might be useful to add if those group entries are mapped to some Group LDAP mapper (or Role LDAP Mapper)
in {project_name} etc. in {project_name} and so on.

View file

@ -120,7 +120,7 @@ To specify a different minimum or maximum length, change the unmanaged attribute
WARNING: {project_name} caches user-related objects in its internal caches. WARNING: {project_name} caches user-related objects in its internal caches.
The longer the attributes are, the more memory the cache consumes. The longer the attributes are, the more memory the cache consumes.
Therefore, limiting the size of the length attributes is recommended. Therefore, limiting the size of the length attributes is recommended.
Consider storing large objects outside Keycloak and reference them by ID or URL. Consider storing large objects outside {project_Name} and reference them by ID or URL.
== Managing the User Profile == Managing the User Profile

View file

@ -3,7 +3,7 @@
== Using a vault to obtain secrets == Using a vault to obtain secrets
Keycloak currently provides two out-of-the-box implementations of the Vault SPI: a plain-text file-based vault and Java KeyStore-based vault. {project_name} currently provides two out-of-the-box implementations of the Vault SPI: a plain-text file-based vault and Java KeyStore-based vault.
To obtain a secret from a vault rather than entering it directly, enter the following specially crafted string into the appropriate field: To obtain a secret from a vault rather than entering it directly, enter the following specially crafted string into the appropriate field: