saml general config

Bill Burke 2016-06-02 17:18:42 -04:00
parent 16388c0218
commit dc0ebc2695
5 changed files with 49 additions and 22 deletions

View file

@ -45,7 +45,7 @@
.... link:topics/saml/java/general-config/idp_keys_subelement.adoc[IDP Keys subelement]
... link:topics/saml/java/jboss-adapter.adoc[JBoss EAP/Wildfly Adapter]
.... link:topics/saml/java/jboss-adapter/jboss_adapter_installation.adoc[Adapter Installation]
.... link:topics/saml/java/jboss-adapter/required_per_war_configuration.adoc[Required Per WAR Configuration]
.... link:topics/saml/java/jboss-adapter/required_per_war_configuration.adoc[Per WAR Configuration]
.... link:topics/saml/java/jboss-adapter/securing_wars.adoc[Securing WARs via SAML Subsystem]
{% if book.community %}
... link:topics/saml/java/tomcat-adapter.adoc[Tomcat SAML adapters]

View file

@ -2,7 +2,7 @@
==== JBoss/Wildfly Adapter
To be able to secure WAR apps deployed on JBoss EAP 6.x or Wildfly, you must install and configure the Keycloak SAML Adapter Subsystem.
To be able to secure WAR apps deployed on JBoss EAP 6.x or Wildfly, you must install and configure the {{book.project.name}} SAML Adapter Subsystem.
You then provide a keycloak config, `/WEB-INF/keycloak-saml.xml` file in your WAR and change the auth-method to KEYCLOAK-SAML within web.xml.
Both methods are described in this section.
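Review bot: the rewritten sentence still says the subsystem secures WARs "deployed on JBoss EAP 6.x or Wildfly", while the installation hunk in this same commit adds unzip instructions for JBoss EAP 7; extend the version list here (for example "JBoss EAP 6.x, JBoss EAP 7, or Wildfly") so the overview matches the install steps. `keycloak-saml.xml` and `KEYCLOAK-SAML` on the following line are the literal file name and `auth-method` value, so they are correctly left out of the `{{book.project.name}}` substitution.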

View file

@ -2,10 +2,10 @@
[[_saml-jboss-adapter-installation]]
===== Adapter Installation
SAML Adapters are no longer included with the appliance or war distribution.Each adapter is a separate download on the Keycloak download site.
They are also available as a maven artifact.
Each adapter is a separate download on the {{book.project.name}} download site.
Install on Wildfly 9 or 10:
{% if book.community %}
Install on Wildfly 9 or 10, or JBoss EAP 7:
[source]
----
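Review bot: the removed sentence ("SAML Adapters are no longer included with the appliance or war distribution. Each adapter is a separate download ...") was the antecedent for the unchanged line "They are also available as a maven artifact."; after this change that "They" sits beside the new "Each adapter is a separate download on the {{book.project.name}} download site." line with nothing before it to refer to. Suggest ordering the new text as "Each adapter is a separate download on the {{book.project.name}} download site. Adapters are also available as a Maven artifact."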
@ -13,19 +13,41 @@ Install on Wildfly 9 or 10:
$ cd $WILDFLY_HOME
$ unzip keycloak-saml-wildfly-adapter-dist.zip
----
{% endif %}
{% if book.community %}
Install on JBoss EAP 6.x:
[source]
----
$ cd $JBOSS_HOME
$ unzip keycloak-saml-eap6-adapter-dist.zip
----
{% endif %}
This zip file creates new JBoss Modules specific to the Wildfly Keycloak SAML Adapter within your Wildfly distro.
{% if book.product %}
Install on JBoss EAP 6.x:
[source]
----
After adding the Keycloak modules, you must then enable the Keycloak SAML Subsystem within your app server's server configuration: `domain.xml` or `standalone.xml`.
$ cd $JBOSS_HOME
$ unzip RH-SSO-saml-eap6-adapter.zip
----
Install on JBoss EAP 7.x:
[source]
----
$ cd $JBOSS_HOME
$ unzip RH-SSO-saml-eap7-adapter.zip
----
{% endif %}
These zip files create new JBoss Modules specific to the Wildfly/JBoss EPKeycloak SAML Adapter within your Wildfly or JBoss EAP distro.
After adding the modules, you must then enable the {{book.project.name}} SAML Subsystem within your app server's server configuration: `domain.xml` or `standalone.xml`.
There is a CLI script that will help you modify your server configuration.
Start the server and run the script from the server's bin directory:
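Review bot: "Wildfly/JBoss EPKeycloak SAML Adapter" on the new "These zip files create new JBoss Modules ..." line has a typo ("EP" for "EAP", run into "Keycloak") and hard-codes the product name where the very next line uses `{{book.project.name}}`; suggest "Wildfly/JBoss EAP {{book.project.name}} SAML Adapter". Separately, the community block headed "Install on Wildfly 9 or 10, or JBoss EAP 7:" is followed by `$ cd $WILDFLY_HOME` and `$ unzip keycloak-saml-wildfly-adapter-dist.zip`, which gives an EAP 7 reader no `$JBOSS_HOME` equivalent; either add the EAP 7 directory to that block or split EAP 7 out as the `{% if book.product %}` block already does.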
@ -53,7 +75,8 @@ The script will add the extension, subsystem, and optional security-domain as de
</profile>
----
The keycloak security domain should be used with EJBs and other components when you need the security context created in the secured web tier to be propagated to the EJBs (other EE component) you are invoking.
The `keycloak` security domain should be used with EJBs and other components when you need the security context created
in the secured web tier to be propagated to the EJBs (other EE component) you are invoking.
Otherwise this configuration is optional.
[source,xml]
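Review bot: "to be propagated to the EJBs (other EE component) you are invoking" in the reflowed sentence leaves the parenthetical as a fragment; "EJBs (or other EE components)" reads correctly. The line wrap itself changes nothing in the rendered output.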
@ -72,7 +95,8 @@ Otherwise this configuration is optional.
</security-domains>
----
For example, if you have a JAX-RS service that is an EJB within your WEB-INF/classes directory, you'll want to annotate it with the @SecurityDomain annotation as follows:
For example, if you have a JAX-RS service that is an EJB within your WEB-INF/classes directory,
you'll want to annotate it with the `@SecurityDomain` annotation as follows:
[source,xml]
----
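Review bot: the listing opened by `[source,xml]` directly after the reflowed sentence holds the `@SecurityDomain`-annotated `public class CustomerService {` (visible in the following hunk header), which is Java, not XML; change the block attribute to `[source,java]` so highlighting matches the content.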
@ -107,5 +131,6 @@ public class CustomerService {
}
----
We hope to improve our integration in the future so that you don't have to specify the @SecurityDomain annotation when you want to propagate a keycloak security context to the EJB tier.
We hope to improve our integration in the future so that you don't have to specify the
`@SecurityDomain` annotation when you want to propagate a keycloak security context to the EJB tier.
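Review bot: "a keycloak security context" in the reflowed sentence refers to the `keycloak` security domain configured earlier in this file, where the commit formats the name as `keycloak` in code font; use the same formatting here, or `{{book.project.name}}` if the product rather than the domain name is meant, for consistency with the rest of the substitutions in this commit.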

View file

@ -1,14 +1,14 @@
===== Required Per WAR Configuration
===== Per WAR Configuration
This section describes how to secure a WAR directly by adding config and editing files within your WAR package.
The first thing you must do is create a `keycloak-saml.xml` adapter config file within the `WEB-INF` directory of your WAR.
The format of this config file is describe in the <<_adapter_config,general adapter configuration>> section.
The format of this config file is describe in the <<fake/../../../../saml/java/general-config.adoc#_saml-general-config,General Adapter Config>> section.
Next you must set the `auth-method` to `KEYCLOAK-SAML` in `web.xml`.
You also have to use standard servlet security to specify role-base constraints on your URLs.
Here's an example pulled from one of the examples that comes distributed with Keycloak.
Here's an example _web.xml_ file:
[source,xml]
----
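Review bot: the new cross-reference line carries over the typo "The format of this config file is describe in" from the line it replaces; write "is described in". The target `<<fake/../../../../saml/java/general-config.adoc#_saml-general-config,General Adapter Config>>` also depends on a `fake/../` prefix to resolve, and the same literal is introduced again in securing_wars.adoc in this commit; a brief comment on why the prefix is needed, or a shared document attribute holding that path, would keep both references in step.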
@ -59,4 +59,6 @@ Here's an example pulled from one of the examples that comes distributed with Ke
</web-app>
----
All standard servlet settings except the `auth-method` setting.

View file

@ -1,11 +1,11 @@
===== Securing WARs via Keycloak SAML Subsystem
===== Securing WARs via {{book.project.name}} SAML Subsystem
You do not have to crack open a WAR to secure it with Keycloak.
Alternatively, you can externally secure it via the Keycloak SAML Adapter Subsystem.
You do not have to crack open a WAR to secure it with {{book.project.name}}.
Alternatively, you can externally secure it via the {{book.project.name}} SAML Adapter Subsystem.
While you don't have to specify KEYCLOAK-SAML as an `auth-method`, you still have to define the `security-constraints` in `web.xml`.
You do not, however, have to create a `WEB-INF/keycloak-saml.xml` file.
This metadata is instead defined within XML in your server's `domain.xml` or `standalone.xml` subsystem configuration section.
This metadata is instead defined within the XML in your server's `domain.xml` or `standalone.xml` subsystem configuration section.
[source,xml]
----
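Review bot: on the unchanged line "While you don't have to specify KEYCLOAK-SAML as an `auth-method` ...", `KEYCLOAK-SAML` is plain text while `auth-method`, `security-constraints` and `WEB-INF/keycloak-saml.xml` around it are in code font; since this commit already touches the surrounding lines, put the value in backticks as required_per_war_configuration.adoc does ("set the `auth-method` to `KEYCLOAK-SAML`").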
@ -27,7 +27,7 @@ This metadata is instead defined within XML in your server's `domain.xml` or `st
The `secure-deployment` `name` attribute identifies the WAR you want to secure.
Its value is the `module-name` defined in `web.xml` with `.war` appended.
The rest of the configuration uses the same XML syntax as `keycloak-saml.xml` configuration defined in <<_adapter_config,general adapter configuration>>.
The rest of the configuration uses the same XML syntax as `keycloak-saml.xml` configuration defined in <<fake/../../../../saml/java/general-config.adoc#_saml-general-config,General Adapter Config>>.
An example configuration:
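Review bot: the new cross-reference line "uses the same XML syntax as `keycloak-saml.xml` configuration defined in ..." is missing an article ("as the `keycloak-saml.xml` configuration"), and it repeats the `fake/../../../../saml/java/general-config.adoc#_saml-general-config` path literal added to required_per_war_configuration.adoc in this commit; factoring that path into a shared attribute would avoid the two drifting apart.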