Server Administration Guide
Red Hat Single Sign-On 7.5
For Use with Red Hat Single Sign-On 7.5
Red Hat Customer Content Services

Abstract: This guide consists of information for administrators to configure Red Hat Single Sign-On 7.5.

Table of contents

Making open source more inclusive
1. Red Hat Single Sign-On features and concepts
  1.1. Features
  1.2. Basic Red Hat Single Sign-On operations
  1.3. Core concepts and terms
2. Creating the first administrator
  2.1. Creating the account on the local host
  2.2. Creating the account remotely
3. Configuring realms
  3.1. Using the Admin Console
  3.2. The master realm
  3.3. Creating a realm
  3.4. Configuring SSL for a realm
  3.5. Clearing server caches
  3.6. Configuring email for a realm
  3.7. Configuring themes and internationalization
    3.7.1. Enabling internationalization
    3.7.2. User locale selection
  3.8. Controlling login options
    3.8.1. Enabling forgot password
    3.8.2. Enabling Remember Me
  3.9. Configuring realm keys
    3.9.1. Rotating keys
    3.9.2. Adding a generated keypair
    3.9.3. Adding an existing keypair and certificate
    3.9.4. Loading keys from a Java Keystore
    3.9.5. Making keys passive
    3.9.6. Disabling keys
    3.9.7. Compromised keys
4. Using external storage
  4.1. Adding a provider
  4.2. Dealing with provider failures
  4.3. Lightweight Directory Access Protocol (LDAP) and Active Directory
    4.3.1. Configuring federated LDAP storage
    4.3.2. Storage mode
    4.3.3. Edit mode
    4.3.4. Other configuration options
    4.3.5. Connecting to LDAP over SSL
    4.3.6. Synchronizing LDAP users to Red Hat Single Sign-On
    4.3.7. LDAP mappers
    4.3.8. Password hashing
    4.3.9. Troubleshooting
  4.4. SSSD and FreeIPA Identity Management integration
    4.4.1. FreeIPA/IdM server
    4.4.2. SSSD and D-Bus
    4.4.3. Enabling the SSSD federation provider
  4.5. Configuring a federated SSSD store
  4.6. Custom providers
5. Managing users
  5.1. Creating users
  5.2. Defining user credentials
    5.2.1. Setting a password for a user
    5.2.2. Creating an OTP
  5.3. Configuring user attributes
  5.4. Allowing users to self-register
    5.4.1. Enabling user registration
    5.4.2. Registering as a new user
  5.5. Defining actions required at login
    5.5.1. Setting required actions for one user
    5.5.2. Setting required actions for all users
    5.5.3. Enabling terms and conditions as a required action
  5.6. Searching for a user
  5.7. Deleting a user
  5.8. Enabling account deletion by users
    5.8.1. Enabling the Delete Account Capability
    5.8.2. Giving a user the delete-account role
    5.8.3. Deleting your account
  5.9. Impersonating a user
  5.10. Enabling reCAPTCHA
  5.11. User Profile
    5.11.1. Enabling the User Profile
    5.11.2. Managing the User Profile
    5.11.3. Managing Attributes
      5.11.3.1. Managing Permissions
      5.11.3.2. Managing validations
        5.11.3.2.1. Managing annotations
    5.11.4. Managing Attribute Groups
    5.11.5. Using the JSON configuration
      5.11.5.1. Required property
      5.11.5.2. Permissions property
      5.11.5.3. Annotations property
    5.11.6. Using dynamic forms
      5.11.6.1. Ordering attributes
      5.11.6.2. Grouping attributes
      5.11.6.3. Configuring Form input field for Attributes
        5.11.6.3.1. Defining options for select and multiselect fields
    5.11.7. Forcing User Profile compliance
    5.11.8. Migrating to User Profile
  5.12. Personal data collected by Red Hat Single Sign-On
6. Managing user sessions
  6.1. Administering sessions
    6.1.1. The Logout all Operation
    6.1.2. Application navigation
    6.1.3. User navigation
  6.2. Revocation policies
  6.3. Session and token timeouts
  6.4. Offline access
  6.5. Offline sessions preloading
  6.6. Transient sessions
7. Assigning permissions and access using roles and groups
  7.1. Creating a realm role
  7.2. Client roles
  7.3. Converting a role to a composite role
  7.4. Assigning role mappings
  7.5. Using default roles
  7.6. Role scope mappings
  7.7. Groups
    7.7.1. Groups compared to roles
    7.7.2. Using default groups
8. Configuring authentication
  8.1. Password policies
    8.1.1. Password policy types
      8.1.1.1. Hashing algorithm
      8.1.1.2. Hashing iterations
      8.1.1.3. Digits
      8.1.1.4. Lowercase characters
      8.1.1.5. Uppercase characters
      8.1.1.6. Special characters
      8.1.1.7. Not username
      8.1.1.8. Not email
      8.1.1.9. Regular expression
      8.1.1.10. Expire password
      8.1.1.11. Not recently used
      8.1.1.12. Password blacklist
  8.2. One Time Password (OTP) policies
    8.2.1. Time-based or counter-based one time passwords
    8.2.2. TOTP configuration options
      8.2.2.1. OTP hash algorithm
      8.2.2.2. Number of digits
      8.2.2.3. Look around window
      8.2.2.4. OTP token period
    8.2.3. HOTP configuration options
      8.2.3.1. OTP hash algorithm
      8.2.3.2. Number of digits
      8.2.3.3. Look ahead window
      8.2.3.4. Initial counter
  8.3. Authentication flows
    8.3.1. Built-in flows
      8.3.1.1. Auth type
      8.3.1.2. Requirement
        8.3.1.2.1. Required
        8.3.1.2.2. Alternative
        8.3.1.2.3. Disabled
        8.3.1.2.4. Conditional
    8.3.2. Creating flows
    8.3.3. Creating a password-less browser login flow
  8.4. Kerberos
    8.4.1. Setup of Kerberos server
    8.4.2. Setup and configuration of Red Hat Single Sign-On server
      8.4.2.1. Enabling SPNEGO processing
      8.4.2.2. Configure Kerberos user storage federation provider
    8.4.3. Setup and configuration of client machines
    8.4.4. Credential delegation
    8.4.5. Cross-realm trust
    8.4.6. Troubleshooting
  8.5. X.509 client certificate user authentication
    8.5.1. Features
      8.5.1.1. Regular expressions
        8.5.1.1.1. Mapping certificate identity to an existing user
        8.5.1.1.2. Extended certificate validation
    8.5.2. Enable X.509 client certificate user authentication
      8.5.2.1. Enable mutual SSL in JBoss EAP
      8.5.2.2. Enable HTTPS listener
    8.5.3. Adding X.509 client certificate authentication to browser flows
    8.5.4. Configuring X.509 client certificate authentication
    8.5.5. Adding X.509 Client Certificate Authentication to a Direct Grant Flow
    8.5.6. Client certificate lookup
      8.5.6.1. HAProxy certificate lookup provider
      8.5.6.2. Apache certificate lookup provider
      8.5.6.3. NGINX certificate lookup provider
      8.5.6.4. Other reverse proxy implementations
    8.5.7. Troubleshooting
  8.6. W3C Web Authentication (WebAuthn)
    8.6.1. Setup
      8.6.1.1. Enable WebAuthn authenticator registration
      8.6.1.2. Adding WebAuthn authentication to a browser flow
    8.6.2. Authenticate with WebAuthn authenticator
    8.6.3. Managing WebAuthn as an administrator
      8.6.3.1. Managing credentials
      8.6.3.2. Managing policy
    8.6.4. Attestation statement verification
    8.6.5. Managing WebAuthn credentials as a user
      8.6.5.1. Register WebAuthn authenticator
      8.6.5.2. New user
      8.6.5.3. Existing user
    8.6.6. Passwordless WebAuthn together with Two-Factor
      8.6.6.1. Setup
    8.6.7. Available conditions
    8.6.8. Explicitly deny/allow access in conditional flows
9. Integrating identity providers
  9.1. Brokering overview
  9.2. Default Identity Provider
  9.3. General configuration
  9.4. Social Identity Providers
    9.4.1. Bitbucket
    9.4.2. Facebook
    9.4.3. GitHub
    9.4.4. GitLab
    9.4.5. Google
    9.4.6. LinkedIn
    9.4.7. Microsoft
    9.4.8. OpenShift 3
    9.4.9. OpenShift 4
    9.4.10. PayPal
    9.4.11. Stack overflow
    9.4.12. Twitter
    9.4.13. Instagram
  9.5. OpenID Connect v1.0 identity providers
  9.6. SAML v2.0 Identity Providers
    9.6.1. Requesting specific AuthnContexts
    9.6.2. SP Descriptor
    9.6.3. Send subject in SAML requests
  9.7. Client-suggested Identity Provider
  9.8. Mapping claims and assertions
  9.9. Available user session data
  9.10. First login flow
    9.10.1. Default first login flow authenticators
    9.10.2. Automatically link existing first login flow
    9.10.3. Disabling automatic user creation
    9.10.4. Detect existing user first login flow
  9.11. Retrieving external IDP tokens
  9.12. Identity broker logout
10. SSO protocols
  10.1. OpenID Connect
    10.1.1. OIDC auth flows
      10.1.1.1. Authorization Code Flow
      10.1.1.2. Implicit Flow
      10.1.1.3. Resource owner password credentials grant (Direct Access Grants)
      10.1.1.4. Client credentials grant
      10.1.1.5. Device authorization grant
      10.1.1.6. Client initiated backchannel authentication grant
        10.1.1.6.1. CIBA Policy
        10.1.1.6.2. Provider Setting
        10.1.1.6.3. Authentication Channel Provider
        10.1.1.6.4. User Resolver Provider
    10.1.2. OIDC Logout
      10.1.2.1. Session Management
      10.1.2.2. Frontchannel Logout
      10.1.2.3. Backchannel Logout
    10.1.3. Red Hat Single Sign-On server OIDC URI endpoints
  10.2. SAML
    10.2.1. SAML bindings
      10.2.1.1. Redirect binding
      10.2.1.2. POST binding
      10.2.1.3. ECP
    10.2.2. Red Hat Single Sign-On Server SAML URI Endpoints
  10.3. OpenID Connect compared to SAML
  10.4. Docker registry v2 authentication
    10.4.1. Docker authentication flow
    10.4.2. Red Hat Single Sign-On Docker Registry v2 Authentication Server URI Endpoints
11. Controlling access to the Admin Console
  11.1. Master realm access control
    11.1.1. Global roles
    11.1.2. Realm specific roles
  11.2. Dedicated realm admin consoles
  11.3. Fine grain admin permissions
    11.3.1. Managing one specific client
      11.3.1.1. Permission setup
      11.3.1.2. Testing it out
    11.3.2. Restrict user role mapping
      11.3.2.1. Testing it out
      11.3.2.2. Per client map-roles shortcut
    11.3.3. Full list of permissions
      11.3.3.1. Role
      11.3.3.2. Client
      11.3.3.3. Users
      11.3.3.4. Group
12. Managing OpenID Connect and SAML Clients
  12.1. OIDC clients
    12.1.1. Creating an OpenID Connect Client
    12.1.2. Basic settings
    12.1.3. Advanced settings
    12.1.4. Confidential client credentials
    12.1.5. Using a service account
    12.1.6. Audience support
      12.1.6.1. Setup
      12.1.6.2. Automatically add audience
      12.1.6.3. Hardcoded audience
  12.2. Creating a SAML client
    12.2.1. IDP Initiated login
    12.2.2. Using an entity descriptor to create a client
  12.3. Client links
  12.4. OIDC token and SAML assertion mappings
    12.4.1. Priority order
    12.4.2. OIDC user session note mappers
    12.4.3. Script mapper
  12.5. Generating client adapter config
  12.6. Client scopes
    12.6.1. Protocol
    12.6.2. Consent related settings
    12.6.3. Link client scope with the client
      12.6.3.1. Example
    12.6.4. Evaluating Client Scopes
    12.6.5. Client scopes permissions
    12.6.6. Realm default client scopes
    12.6.7. Scopes explained
  12.7. Client Policies
    12.7.1. Use-cases
    12.7.2. Protocol
    12.7.3. Architecture
      12.7.3.1. Condition
      12.7.3.2. Executor
      12.7.3.3. Profile
      12.7.3.4. Policy
    12.7.4. Configuration
    12.7.5. Backward Compatibility
13. Using a vault to obtain secrets
  13.1. Kubernetes / OpenShift files plain-text vault provider
  13.2. Elytron credential store vault provider
  13.3. Key resolvers
  13.4. Sample Configuration
    13.4.1. Configuring the credential store and vault without a mask
    13.4.2. Masking the password in the credential store and vault
14. Configuring auditing to track events
  14.1. Login events
    14.1.1. Event types
    14.1.2. Event listener
      14.1.2.1. The logging event listener
      14.1.2.2. The Email Event Listener
  14.2. Admin events
15. Importing and exporting the database
  15.1. Admin console export/import
16. Mitigating security threats
  16.1. Host
  16.2. Admin endpoints and Admin Console
    16.2.1. IP restriction
    16.2.2. Port restriction
  16.3. Brute force attacks
    16.3.1. Password policies
  16.4. Read-only user attributes
  16.5. Clickjacking
  16.6. SSL/HTTPS requirement
  16.7. CSRF attacks
  16.8. Unspecific redirect URIs
  16.9. FAPI compliance
  16.10. Compromised access and refresh tokens
  16.11. Compromised authorization code
  16.12. Open redirectors
  16.13. Password database compromised
  16.14. Limiting scope
  16.15. Limit token audience
  16.16. Limit Authentication Sessions
  16.17. SQL injection attacks
17. Account Console
  17.1. Accessing the Account Console
  17.2. Configuring ways to sign in
    17.2.1. Two-factor authentication with OTP
    17.2.2. Two-factor authentication with WebAuthn
    17.2.3. Passwordless authentication with WebAuthn
  17.3. Viewing device activity
  17.4. Adding an identity provider account
  17.5. Accessing other applications
18. Admin CLI
  18.1. Installing the Admin CLI
  18.2. Using the Admin CLI
  18.3. Authenticating
  18.4. Working with alternative configurations
  18.5. Basic operations and resource URIs
  18.6. Realm operations
  18.7. Role operations
  18.8. Client operations
  18.9. User operations
  18.10. Group operations
  18.11. Identity provider operations
  18.12. Storage provider operations
  18.13. Adding mappers
  18.14. Authentication operations
Legal Notice