Edit use of Keycloak in Server Admin Guide
Closes #27955

Signed-off-by: AndyMunro <amunro@redhat.com>

parent 0e5d685cd3
commit d61b1ddb09
8 changed files with 10 additions and 10 deletions
@ -360,7 +360,7 @@ For more details see the https://openid.net/specs/openid-connect-core-1_0.html#a
The logic for the previous configured authentication flow is as follows: +
The logic for the previous configured authentication flow is as follows: +
If a client request a high authentication level, meaning Level of Authentication 2 (LoA 2), a user has to perform full 2-factor authentication: Username/Password + OTP.
If a client request a high authentication level, meaning Level of Authentication 2 (LoA 2), a user has to perform full 2-factor authentication: Username/Password + OTP.
However, if a user already has a session in Keycloak, that was logged in with username and password (LoA 1), the user is only asked for the second authentication factor (OTP).
However, if a user already has a session in {project_name}, that was logged in with username and password (LoA 1), the user is only asked for the second authentication factor (OTP).
The option *Max Age* in the condition determines how long (how much seconds) the subsequent authentication level is valid. This setting helps to decide
The option *Max Age* in the condition determines how long (how much seconds) the subsequent authentication level is valid. This setting helps to decide
whether the user will be asked to present the authentication factor again during a subsequent authentication. If the particular level X is requested
whether the user will be asked to present the authentication factor again during a subsequent authentication. If the particular level X is requested
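Review bot: The attribute substitution on the changed line is correct, but two grammar slips in this hunk's unchanged context could be fixed in the same pass: "If a client request a high authentication level" should read "If a client requests a high authentication level", and "how long (how much seconds)" should read "how long (how many seconds)".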
@ -18,7 +18,7 @@ A typical use case for web authentication is the following:
[WARNING]
[WARNING]
====
====
The https://www.ietf.org/rfc/rfc4559.txt[Negotiate] www-authenticate scheme allows NTLM as a fallback to Kerberos and on some web browsers in Windows NTLM is supported by default. If a www-authenticate challenge comes from a server outside a browsers permitted list, users may encounter an NTLM dialog prompt. A user would need to click the cancel button on the dialog to continue as Keycloak does not support this mechanism. This situation can happen if Intranet web browsers are not strictly configured or if Keycloak serves users in both the Intranet and Internet. A https://github.com/keycloak/keycloak/issues/8989[custom authenticator] can be used to restrict Negotiate challenges to a whitelist of hosts.
The https://www.ietf.org/rfc/rfc4559.txt[Negotiate] www-authenticate scheme allows NTLM as a fallback to Kerberos and on some web browsers in Windows NTLM is supported by default. If a www-authenticate challenge comes from a server outside a browsers permitted list, users may encounter an NTLM dialog prompt. A user would need to click the cancel button on the dialog to continue as {project_name} does not support this mechanism. This situation can happen if Intranet web browsers are not strictly configured or if {project_name} serves users in both the Intranet and Internet. A https://github.com/keycloak/keycloak/issues/8989[custom authenticator] can be used to restrict Negotiate challenges to a whitelist of hosts.
====
====
Perform the following steps to set up Kerberos authentication:
Perform the following steps to set up Kerberos authentication:
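Review bot: The changed warning line still reads "outside a browsers permitted list"; since the line is being touched anyway, correct it to "outside a browser's permitted list". The rest of the substitution is fine, and the warning's point (that the server does not support NTLM, so users must cancel the fallback prompt) is preserved.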
@ -38,8 +38,8 @@ grantMethod: prompt <4>
==== OpenShift 4
==== OpenShift 4
.Prerequisites
.Prerequisites
. A certificate of the OpenShift 4 instance stored in the Keycloak Truststore.
. A certificate of the OpenShift 4 instance stored in the {project_name} Truststore.
. A Keycloak server configured in order to use the truststore. For more information, see the https://www.keycloak.org/server/keycloak-truststore[Configuring a Truststore] {section}.
. A {project_name} server configured in order to use the truststore. For more information, see the https://www.keycloak.org/server/keycloak-truststore[Configuring a Truststore] {section}.
.Procedure
.Procedure
. Click *Identity Providers* in the menu.
. Click *Identity Providers* in the menu.
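Review bot: Minor wording on the second changed prerequisite: "configured in order to use the truststore" reads more simply as "configured to use the truststore". The attribute substitutions themselves are consistent with the rest of the commit.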
@ -18,7 +18,7 @@ A `Forgot Password?` link displays in your login pages.
.Forgot password link
.Forgot password link
image:images/forgot-password-link.png[Forgot Password Link]
image:images/forgot-password-link.png[Forgot Password Link]
+
+
. Specify `Host` and `From` in the *Email* tab in order for Keycloak to be able to send the reset email.
. Specify `Host` and `From` in the *Email* tab in order for {Project_Name} to be able to send the reset email.
+
+
. Click this link to bring users where they can enter their username or email address and receive an email with a link to reset their credentials.
. Click this link to bring users where they can enter their username or email address and receive an email with a link to reset their credentials.
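Review bot: The changed line uses `{Project_Name}`, which differs in capitalisation from the `{project_name}` attribute used on every other changed line in this commit. Even if the toolchain folds attribute names to lowercase, the inconsistency is a maintenance hazard (a text search for the attribute will miss it), so change it to `{project_name}`.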
+
+
@ -98,7 +98,7 @@ profile and configure client policy to specify for which clients would be the pr
This is used by clients running on internet-connected devices that have limited input capabilities or lack a suitable browser. Here's a brief summary of the protocol:
This is used by clients running on internet-connected devices that have limited input capabilities or lack a suitable browser. Here's a brief summary of the protocol:
. The application requests {project_name} a device code and a user code. {project_name} creates a device code and a user code. {project_name} returns a response including the device code and the user code to the application.
. The application requests {project_name} a device code and a user code. {project_name} creates a device code and a user code. {project_name} returns a response including the device code and the user code to the application.
. The application provides the user with the user code and the verification URI. The user accesses a verification URI to be authenticated by using another browser. You could define a short verification_uri that will be redirected to Keycloak verification URI (/realms/realm_name/device)outside Keycloak - fe in a proxy.
. The application provides the user with the user code and the verification URI. The user accesses a verification URI to be authenticated by using another browser. You could define a short verification_uri that will be redirected to {project_name} verification URI (/realms/realm_name/device)outside {project_name} - fe in a proxy.
. The application repeatedly polls {project_name} to find out if the user completed the user authorization. If user authentication is complete, the application exchanges the device code for an _identity_, _access_ and _refresh_ token.
. The application repeatedly polls {project_name} to find out if the user completed the user authorization. If user authentication is complete, the application exchanges the device code for an _identity_, _access_ and _refresh_ token.
[[_client_initiated_backchannel_authentication_grant]]
[[_client_initiated_backchannel_authentication_grant]]
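Review bot: The changed line in this hunk keeps two pre-existing defects that are worth fixing while it is touched: the missing space in "(/realms/realm_name/device)outside", and the abbreviation "fe", which should be spelled out as "for example". The first list item would also read better as "The application requests a device code and a user code from {project_name}" rather than "requests {project_name} a device code and a user code".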
@ -176,7 +176,7 @@ Note those messages are displayed just with the enabled DEBUG logging.
the LDAP provider to value `all`. This will add lots of additional messages to server log with the included logging for the LDAP connection
the LDAP provider to value `all`. This will add lots of additional messages to server log with the included logging for the LDAP connection
pooling. This can be used to track the issues related to connection pooling or performance.
pooling. This can be used to track the issues related to connection pooling or performance.
NOTE: After changing the configuration of connection pooling, you may need to restart the Keycloak server to enforce re-initialization
NOTE: After changing the configuration of connection pooling, you may need to restart the {project_name} server to enforce re-initialization
of the LDAP provider connection.
of the LDAP provider connection.
If no more messages appear for connection pooling even after server restart, it can indicate that connection pooling does not work
If no more messages appear for connection pooling even after server restart, it can indicate that connection pooling does not work
@ -185,4 +185,4 @@ with your LDAP server.
- For the case of reporting LDAP issue, you may consider to attach some part of your LDAP tree with the target data, which causes issues
- For the case of reporting LDAP issue, you may consider to attach some part of your LDAP tree with the target data, which causes issues
in your environment. For example if login of some user takes lot of time, you can consider attach his LDAP entry showing count of `member` attributes
in your environment. For example if login of some user takes lot of time, you can consider attach his LDAP entry showing count of `member` attributes
of various "group" entries. In this case, it might be useful to add if those group entries are mapped to some Group LDAP mapper (or Role LDAP Mapper)
of various "group" entries. In this case, it might be useful to add if those group entries are mapped to some Group LDAP mapper (or Role LDAP Mapper)
in {project_name} etc.
in {project_name} and so on.
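Review bot: This list item advises attaching part of the LDAP tree to an issue report but says nothing about sanitising it; directory entries typically carry personal data (names, mail addresses, group membership), so a sentence such as "Remove or anonymize personal attributes before attaching directory entries to a public issue" would be a useful addition while the item is being edited. The unchanged context also has grammar worth fixing in the same pass: "reporting LDAP issue" (an LDAP issue), "takes lot of time" (takes a lot of time) and "consider attach his LDAP entry" (consider attaching the user's LDAP entry).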
@ -120,7 +120,7 @@ To specify a different minimum or maximum length, change the unmanaged attribute
WARNING: {project_name} caches user-related objects in its internal caches.
WARNING: {project_name} caches user-related objects in its internal caches.
The longer the attributes are, the more memory the cache consumes.
The longer the attributes are, the more memory the cache consumes.
Therefore, limiting the size of the length attributes is recommended.
Therefore, limiting the size of the length attributes is recommended.
Consider storing large objects outside Keycloak and reference them by ID or URL.
Consider storing large objects outside {project_Name} and reference them by ID or URL.
== Managing the User Profile
== Managing the User Profile
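Review bot: The changed line uses `{project_Name}` instead of the `{project_name}` attribute used elsewhere in this commit; make the attribute name consistent so it is found by a plain text search and not dependent on the toolchain folding case. While the line is touched, "reference them by ID or URL" should agree with "storing" ("and referencing them by ID or URL"), and the preceding "limiting the size of the length attributes" in the context reads more clearly as "limiting the length of the attributes".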
@ -3,7 +3,7 @@
== Using a vault to obtain secrets
== Using a vault to obtain secrets
Keycloak currently provides two out-of-the-box implementations of the Vault SPI: a plain-text file-based vault and Java KeyStore-based vault.
{project_name} currently provides two out-of-the-box implementations of the Vault SPI: a plain-text file-based vault and Java KeyStore-based vault.
To obtain a secret from a vault rather than entering it directly, enter the following specially crafted string into the appropriate field:
To obtain a secret from a vault rather than entering it directly, enter the following specially crafted string into the appropriate field: