Chapter 1. Red Hat build of Keycloak 22.0

The Admin Console v1 had many pages filled with long lists of controls. You could easily miss the advanced features at the bottom. In the v2 console, that type of page is revised to group the general controls together and the advanced functionality has moved to its own tab.

In the v1 console, when you hover over a field, the tooltips block fields you need to set. In the v2 console, you click a question mark (?) to display tooltips. Even expert users find they cannot recall the meaning of every control, so the tooltips are important.

If you need more help, you can click Learn More to see the related documentation topic. You do not need to hunt for the right guide and then search that guide for the right topic. Just click Learn More.

The v2 console has major accessibility improvements to provide a better user experience for users with visual impairments and users who use screen readers. For example:

The new design features many improvements in flow and organization while retaining all functionality. However, one change exists for bearer-only clients, which are clients that use no OAuth flows. This access type is no longer a choice when you create a client, but the bearer-only switch still exists on the server side. See the Server Administration Guide for more details.

Red Hat build of Keycloak 22.0 includes SAML SOAP Backchannel single-logout, which provides a real backchannel logout capability to a SAML client registered in Red Hat build of Keycloak. This feature adds the capability to receive logout requests sent by SAML clients over SOAP binding.

Red Hat Single Sign-On 7.6 included support for OIDC logout. Red Hat build of Keycloak 22.0 contains these improvements to OIDC logout:

For more details, see OIDC logout in the Server Administration Guide.

You can now search groups by attribute by using the Admin REST API in a similar way to a client search by attributes.

The User API now supports querying the number of users based on custom attributes. The /{realm}/users/count endpoint contains a new q parameter. It expects the following format:

q=<name>:<value> <attribute-name>:<value>

You can now allow users to view their group memberships in the Account Console. A user must have the account, view-groups option for the groups to show up in that console.

OpenID Connect identity providers support a new configuration to specify that the ID tokens issued by the identity provider must have a specific claim. Otherwise, the user can not authenticate through this broker.

The option is disabled by default; when it is enabled, you can specify the name of the JWT token claim to filter and the value to match (supports regular expression format).

The OpenID Connect identity providers now support Json Web Encryption (JWE) for the ID Token and the UserInfo response. The providers use the realm keys defined for the selected encryption algorithm to perform the decryption.

The new hardcorded group mapper allows adding a specific group to users brokered from an Identity Provider.

The new user session note mapper allows mapping a claim to the user session notes.

Red Hat build of Keycloak supports multiple LDAP providers in a realm, which support Kerberos integration with the same Kerberos realm. When an LDAP provider is unable to find the user who was authenticated through Kerberos/SPNEGO, Red Hat build of Keycloak tries to fall back to the next LDAP provider. Red Hat build of Keycloak has also better support for the case when a single LDAP provider supports multiple Kerberos realms, which are in trust with each other.