Chapter 1. Red Hat Single Sign-On 7.3
Red Hat is proud to announce the release of version 7.3 of Red Hat Single Sign-On (RH-SSO). RH-SSO is based on the Keycloak project, and enables you to secure your web applications by providing Web SSO capabilities based on popular standards such as OpenID Connect, OAuth 2.0, and SAML 2.0. The RH-SSO server acts as an OpenID Connect or SAML-based identity provider (IdP), allowing your enterprise user directory or third-party IdP to secure your applications via standards-based security tokens.
The following notes apply to the RH-SSO 7.3 release.
1.2. New or Improved Features
Some of the new features in this release are technology preview features, which means they are available, but not fully supported. You may use these for testing, but features marked for technology preview are not supported for use in production. These are marked as technology preview in this list and in our documentation. Because they are not fully supported for production use, technology preview features are disabled by default, but the features can be enabled if you want to try them out. We are seeking feedback on the technology preview features, so please log a support ticket if you have comments on a technology preview feature. Once a feature transitions from technology preview to production supported, the API and functionality are fixed for the lifecyle of the major version, so comments during the tech preview period are critical to influencing a feature in the way you want.
Existing features that remain in tech preview in this release include:
- Token exchange
- Fine-grained authorization permissions
- Cross data-center replication
- Rules (Drools) based policies in Authorization Services
1.2.2. OpenShift Integration
It is now possible to fully secure OpenShift 3.11 with Red Hat Single Sign-On, including the ability to automatically expose Service Accounts as OAuth clients as clients to Red Hat Single Sign-On. This feature is currently in technology preview.
Features marked for technology preview are not supported for use in production.
1.2.3. New Capabilities in Client Adapters
- Fuse 7 - Fuse adapter aligned with latest Fuse 7 release
- Sprint Boot 2 support
- SAML adapter multitenancy support - allowing integrating with multiple Keycloak realms like already possible in OpenID Connect adapter.
1.2.4. New Signature Algorithms
RH-SSO server now has support for RS256, RS384, RS512, ES256, ES384, ES512, HS256, HS384 and HS512.
Elliptic Curve Digital Signature Algorithm (ES256/384/512) is now supported and provides similar security properties as RSA signatures, but use significantly less CPU.
HMAC (HS256/384/512) is now supported and allows preventing an application from attempting to verify the signature itself. Since these are symmetric signatures only Keycloak is able to verify the signature, which requires the application to use the token introspection endpoint to verify tokens.
RH-SSO adapters do not yet have support for the additional signature algorithms and currently only support RS256.
1.2.5. Hostname Handling
We introduced a more flexible way to configure the hostname for RH-SSO which gives greater flexibility when deployed in Cloud-related environments. It can be determined based on request headers or configured as a fixed hostname. The latter makes sure that only valid hostnames can be used and also allows internal applications to invoke RH-SSO through an alternative URL.
1.2.6. X509 Client Authenticator
The newly added Client Authenticator uses X509 Client Certificates and Mutual TLS to secure a connection from the client. In addition, the RH-SSO Server validates the Subject DN field of the client’s certificate.
1.2.7. Client Scopes
We added support for Client Scopes, which replace Client Templates. Client Scopes are a more flexible approach and also provide better support for the OAuth scope parameter.
There are changes related to Client Scopes to the consent screen. The list on the consent screen is now linked to client scopes instead of protocol mappers and roles.
See the documentation and the migration guide for more details.
18.104.22.168. Improved Audience Support for OpenID Connect Clients
It is now possible to specify the audiences in the tokens issued for OpenID Connect clients. There is also support for verification of audience on the adapter side.
1.2.8. OAuth 2 Certificate Bound Access Tokens
We now have a partial implementation of the specification OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens. Specifically, we now have support for the Certificate Bound Access Tokens. If your confidential client is able to use 2-way SSL, RH-SSO will be able to add the hash of the client certificate into the tokens issued for the client. At this moment, it is just RH-SSO itself which verifies the token hashes (for example during refresh token requests). We plan to add support to adapters as well. We also plan to add support for Mutual TLS Client Authentication. Themes and Theme Resources
It is now possible to hot-deploy themes to RH-SSO through a regular provider deployment. We have also added support for theme resources, which allows adding additional templates and resources without creating a theme. This is useful for custom authenticators that require additional pages to be added to the authentication flow.
We have also added support to override the theme for specific clients. If that is not adequate for your needs, then there is also a new Theme Selector SPI that allows you to implement custom logic to select the theme.
1.2.9. UI improvements
The design of the following pages are updated in the 7.3 release:
- The welcome page
- The login page
1.2.10. Enhanced Remember Me
Introduced the ability to specify different session idle and max timeouts for remember me sessions. This enables remember me sessions to live longer than regular sessions.
1.2.11. Pagination support for Groups
Large numbers of groups have previously caused issues in the admin console. This is now resolved by the introduction of pagination of groups.
1.2.12. Improve startup time with large number of offline sessions
In the past, starting RH-SSO could take a long time if there were many offline sessions. This startup time has now been significantly reduced.
1.2.13. Support for DB2 removed
DB2 support has been deprecated for a while. With this release we have removed all support for DB2.
1.2.14. Minor Improvements
- Authenticator to automatically link Identity Provider identity to an existing account after first Idp authentication.
- Allow passing current locale to OAuth2 IdPs
- Support Content-Security-Policy-Report-Only security header
- Script based ProtocolMapper for SAML
- We have added support to login with Instagram
- Search by User ID in Admin Console
Support Hosted Domain for Google Logins using the
- Added option to create claims with dots (.) in them
1.3. Fixed Issues
More than 1,200 issues were resolved in this release.
1.4. Known Issues
The following are known issues for this release.
- KEYCLOAK-6127 - Role manage-users still required for some operations regardless granted permission
- KEYCLOAK-8043 - prompt=none doesn’t work with default identity provider
- KEYCLOAK-8049 - Nullpointer when create group policy for the root node
- KEYCLOAK-8766 - CORS with OIDC requests fails when using elytron adapter
- KEYCLOAK-8821 - When KeycloakApplication is not successfully deployed server.log’s content is erased
- KEYCLOAK-8867 - Return resource associated with policies when querying via uma-policy
- KEYCLOAK-8957 - Federated ID Login results in broken user accounts
- KEYCLOAK-9093 - False-Positive UMA Policy Evaluation
- KEYCLOAK-9095 - NullpointerException in AuthenticatedActionsHandler when Web Origins is null
- KEYCLOAK-9183 - NullPointerException when validating password via LDAPStorageProvider for a no longer existing LDAP entry
- KEYCLOAK-9272 - NullPointer if truststore password is missing
- KEYCLOAK-9310 - Removing custom required action provider corrupts the Realm model
- KEYCLOAK-10211 - SSSD integration is not working on RHEL8 because libunix-dbus-java is missing
- KEYCLOAK-10238 - The Securing Applications and Services Guide is missing instructions for adapter installation on RHEL 8. The installation process is the same as in the previous release, but requires RHEL 8 repository names. Be sure to install EAP from the same repository first.
- KEYCLOAK-10239 - The Securing Applications and Services Guide has obsolete package names in the RPM installation section.
- KEYCLOAK-10260 - Invalid permissions on the .installation directory prevents installing a patch. To work around this issue, navigate to the rhsso-7.3 directory and issue this command: chmod 775 .installation
1.5. Supported Configurations
The set of supported features and configurations for RH-SSO Server 7.3 is available on the Customer Portal.
1.6. Component Versions
The list of supported component versions for RH-SSO 7.3 is available on the Customer Portal.