Server Administration Guide
Red Hat Single Sign-On 7.4
For Use with Red Hat Single Sign-On 7.4
Red Hat Customer Content Services

Abstract
This guide consists of information for administrators to configure Red Hat Single Sign-On 7.4.

Table of contents

Making open source more inclusive
1. Overview
  1.1. Features
  1.2. How Does Security Work?
  1.3. Core Concepts and Terms
2. Server Initialization
3. Admin Console
  3.1. The Master Realm
  3.2. Create a New Realm
  3.3. SSL Mode
  3.4. Clearing Server Caches
  3.5. Email Settings
  3.6. Themes and Internationalization
    3.6.1. Internationalization
      3.6.1.1. User Locale selection
4. User Management
  4.1. Searching For Users
  4.2. Creating New Users
  4.3. Deleting Users
  4.4. User Attributes
  4.5. User Credentials
    4.5.1. Creating a Password for the User
    4.5.2. Creating other credentials
      4.5.2.1. Creating an OTP
  4.6. Required Actions
    4.6.1. Default Required Actions
    4.6.2. Terms and Conditions
  4.7. Impersonation
  4.8. User Registration
    4.8.1. reCAPTCHA Support
  4.9. Personal data collected by Red Hat Single Sign-On
5. Login Page Settings
  5.1. Forgot Password
  5.2. Remember Me
6. Authentication
  6.1. Password Policies
    6.1.1. Password Policy Types
  6.2. OTP Policies
    6.2.1. TOTP vs. HOTP
    6.2.2. TOTP Configuration Options
    6.2.3. HOTP Configuration Options
  6.3. Authentication Flows
    6.3.1. Built-in flows
      6.3.1.1. Execution requirements
    6.3.2. Creating flows
    6.3.3. Creating a password-less browser login flow
  6.4. Kerberos
    6.4.1. Setup of Kerberos server
    6.4.2. Setup and configuration of Red Hat Single Sign-On server
      6.4.2.1. Enable SPNEGO Processing
      6.4.2.2. Configure Kerberos User Storage Federation Provider
    6.4.3. Setup and configuration of client machines
    6.4.4. Credential Delegation
    6.4.5. Cross-realm trust
    6.4.6. Troubleshooting
  6.5. X.509 Client Certificate User Authentication
    6.5.1. Features
    6.5.2. Enable X.509 Client Certificate User Authentication
    6.5.3. Adding X.509 Client Certificate Authentication to a Browser Flow
    6.5.4. Adding X.509 Client Certificate Authentication to a Direct Grant Flow
    6.5.5. Client certificate lookup
      6.5.5.1. HAProxy certificate lookup provider
      6.5.5.2. Apache certificate lookup provider
      6.5.5.3. Nginx certificate lookup provider
      6.5.5.4. Other reverse proxy implementations
    6.5.6. Troubleshooting
  6.6. W3C Web Authentication (WebAuthn)
    6.6.1. Setup
      6.6.1.1. Enable WebAuthn Authenticator Registration
      6.6.1.2. Adding WebAuthn Authentication to a Browser Flow
    6.6.2. Authenticate with WebAuthn Authenticator
    6.6.3. Managing WebAuthn as an administrator
      6.6.3.1. Managing Credentials
      6.6.3.2. Managing Policy
    6.6.4. Attestation Statement Verification
    6.6.5. Managing WebAuthn credentials as a user
      6.6.5.1. Register WebAuthn Authenticator
    6.6.6. Passwordless WebAuthn together with Two-Factor
      6.6.6.1. Setup
7. SSO Protocols
  7.1. OpenID Connect
    7.1.1. OIDC Auth Flows
      7.1.1.1. Authorization Code Flow
      7.1.1.2. Implicit Flow
      7.1.1.3. Resource Owner Password Credentials Grant (Direct Access Grants)
      7.1.1.4. Client Credentials Grant
    7.1.2. Red Hat Single Sign-On Server OIDC URI Endpoints
  7.2. SAML
    7.2.1. SAML Bindings
      7.2.1.1. Redirect Binding
      7.2.1.2. POST Binding
      7.2.1.3. ECP
    7.2.2. Red Hat Single Sign-On Server SAML URI Endpoints
  7.3. OpenID Connect vs. SAML
  7.4. Docker Registry v2 Authentication
    7.4.1. Docker Auth Flow
    7.4.2. Red Hat Single Sign-On Docker Registry v2 Authentication Server URI Endpoints
8. Managing Clients
  8.1. OIDC Clients
    8.1.1. Advanced Settings
    8.1.2. Confidential Client Credentials
    8.1.3. Service Accounts
    8.1.4. Audience Support
      8.1.4.1. Setup
      8.1.4.2. Automatically add audience
      8.1.4.3. Hardcoded audience
  8.2. SAML Clients
    8.2.1. IDP Initiated Login
    8.2.2. SAML Entity Descriptors
  8.3. Client Links
  8.4. OIDC Token and SAML Assertion Mappings
    8.4.1. Priority order
    8.4.2. OIDC User Session Note Mappers
    8.4.3. Script Mapper
  8.5. Generating Client Adapter Config
  8.6. Client Scopes
    8.6.1. Protocol
    8.6.2. Consent related settings
    8.6.3. Link Client Scope with the Client
      8.6.3.1. Example
    8.6.4. Evaluating Client Scopes
      8.6.4.1. Generating Example Tokens
    8.6.5. Client Scopes Permissions
    8.6.6. Realm Default Client Scopes
    8.6.7. Scopes explained
9. Roles
  9.1. Realm Roles
  9.2. Client Roles
  9.3. Composite Roles
  9.4. User Role Mappings
    9.4.1. Default Roles
  9.5. Role Scope Mappings
10. Groups
  10.1. Groups vs. Roles
  10.2. Default Groups
11. Admin Console Access Control and Permissions
  11.1. Master Realm Access Control
    11.1.1. Global Roles
    11.1.2. Realm Specific Roles
  11.2. Dedicated Realm Admin Consoles
  11.3. Fine Grain Admin Permissions
    11.3.1. Managing One Specific Client
      11.3.1.1. Permission Setup
      11.3.1.2. Testing It Out
    11.3.2. Restrict User Role Mapping
      11.3.2.1. Testing It Out
      11.3.2.2. Per Client map-roles Shortcut
    11.3.3. Full List of Permissions
      11.3.3.1. Role
      11.3.3.2. Client
      11.3.3.3. Users
      11.3.3.4. Group
  11.4. Realm Keys
    11.4.1. Rotating keys
    11.4.2. Adding a generated keypair
    11.4.3. Adding an existing keypair and certificate
    11.4.4. Loading keys from a Java Keystore
    11.4.5. Making keys passive
    11.4.6. Disabling keys
    11.4.7. Compromised keys
12. Identity Brokering
  12.1. Brokering Overview
  12.2. Default Identity Provider
  12.3. General Configuration
  12.4. Social Identity Providers
    12.4.1. Bitbucket
    12.4.2. Facebook
    12.4.3. GitHub
    12.4.4. GitLab
    12.4.5. Google
    12.4.6. LinkedIn
    12.4.7. Microsoft
    12.4.8. OpenShift 3
    12.4.9. OpenShift 4
    12.4.10. PayPal
    12.4.11. Stack Overflow
    12.4.12. Twitter
    12.4.13. Instagram
  12.5. OpenID Connect v1.0 Identity Providers
  12.6. SAML v2.0 Identity Providers
    12.6.1. SP Descriptor
  12.7. Client-suggested Identity Provider
  12.8. Mapping Claims and Assertions
  12.9. Available User Session Data
  12.10. First Login Flow
    12.10.1. Default First Login Flow
    12.10.2. Automatically Link Existing First Login Flow
    12.10.3. Disabling Automatic User Creation
  12.11. Retrieving External IDP Tokens
  12.12. Identity broker logout
13. User Session Management
  13.1. Administering Sessions
    13.1.1. Limitations of the Logout all Operation
    13.1.2. Application Drilldown
    13.1.3. User Drilldown
  13.2. Revocation Policies
  13.3. Session and Token Timeouts
  13.4. Offline Access
  13.5. Transient sessions
14. User Storage Federation
  14.1. Adding a Provider
  14.2. Dealing with Provider Failures
  14.3. LDAP and Active Directory
    14.3.1. Storage Mode
    14.3.2. Edit Mode
    14.3.3. Other config options
    14.3.4. Connect to LDAP over SSL
    14.3.5. Sync of LDAP users to Red Hat Single Sign-On
    14.3.6. LDAP Mappers
    14.3.7. Password Hashing
  14.4. SSSD and FreeIPA Identity Management Integration
    14.4.1. FreeIPA/IdM Server
    14.4.2. SSSD and D-Bus
    14.4.3. Enabling the SSSD Federation Provider
  14.5. Configuring a Federated SSSD Store
  14.6. Custom Providers
15. Auditing and Events
  15.1. Login Events
    15.1.1. Event Types
    15.1.2. Event Listener
  15.2. Admin Events
16. Export and Import
  16.1. Admin console export/import
17. Using a Vault to Obtain Secrets
  17.1. Kubernetes / OpenShift Files Plaintext Vault Provider
  17.2. Elytron Credential Store Vault Provider
  17.3. Key Resolvers
  17.4. Sample Configuration
    17.4.1. Configuring the credential store and vault without a mask
    17.4.2. Masking the password in the credential store and vault
18. User Account Service
  18.1. Themeable
19. Threat Model Mitigation
  19.1. Host
  19.2. Admin Endpoints and Console
    19.2.1. IP Restriction
    19.2.2. Port Restriction
  19.3. Password guess: brute force attacks
    19.3.1. Password Policies
  19.4. Clickjacking
  19.5. SSL/HTTPS Requirement
  19.6. CSRF Attacks
  19.7. Unspecific Redirect URIs
  19.8. Compromised Access and Refresh Tokens
  19.9. Compromised Authorization Code
  19.10. Open redirectors
  19.11. Password database compromised
  19.12. Limiting Scope
  19.13. Limit Token Audience
  19.14. SQL Injection Attacks
20. The Admin CLI
  20.1. Installing the Admin CLI
  20.2. Using the Admin CLI
  20.3. Authenticating
  20.4. Working with alternative configurations
  20.5. Basic operations and resource URIs
  20.6. Realm operations
  20.7. Role operations
  20.8. Client operations
  20.9. User operations
  20.10. Group operations
  20.11. Identity provider operations
  20.12. Storage provider operations
  20.13. Adding mappers
  20.14. Authentication operations
Legal Notice