Release Notes

Red Hat Single Sign-On 7.6

For Use with Red Hat Single Sign-On 7.6

Red Hat Customer Content Services

Abstract

This guide consists of the release notes for Red Hat Single Sign-On 7.6.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.

Chapter 1. Red Hat Single Sign-On 7.6.0.GA

1.1. Overview

Red Hat is proud to announce the release of version 7.6 of Red Hat Single Sign-On (RH-SSO). RH-SSO is based on the Keycloak project, and enables you to secure your web applications by providing Web SSO capabilities based on popular standards such as OpenID Connect, OAuth 2.0, and SAML 2.0. The RH-SSO server acts as an OpenID Connect or SAML-based identity provider (IdP), allowing your enterprise user directory or third-party IdP to secure your applications via standards-based security tokens.

Note

Red Hat Single Sign-On for IBM Z and IBM Power Systems is supported only in the OpenShift environment. Bare metal installations on IBM Z and IBM Power Systems are not supported.

The following notes apply to the RH-SSO 7.6 release.

1.2. New or improved features

1.2.1. Step-up authentication

Red Hat Single Sign-On now supports Step-up authentication. For more details, see the Server Administration Guide.

1.2.2. Client secret rotation

Red Hat Single Sign-On now supports client secret rotation through client policies. This feature is available as a Technology Preview; it lets a realm-level client policy grant confidential clients the use of up to two secrets simultaneously, so that a new secret can be rolled out before the old one is retired.

For more details, see the Server Administration Guide.

1.2.3. Recovery Codes

Recovery codes, an additional way to satisfy two-factor authentication, are now available as a Technology Preview feature.

1.2.4. OpenID Connect Logout Improvements

Fixes and improvements were made so that Red Hat Single Sign-On is now fully compliant with the OpenID Connect logout specifications:

  • OpenID Connect RP-Initiated Logout 1.0
  • OpenID Connect Front-Channel Logout 1.0
  • OpenID Connect Back-Channel Logout 1.0
  • OpenID Connect Session Management 1.0

For more details, see the Server Administration Guide.
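The back-channel variant listed above is the one relying parties most often get wrong, because the OP posts a logout token to the RP out of band and the RP has to decide on its own whether to honour it. The following is an added example, not RH-SSO or Keycloak adapter code, of the validation an RP must perform on a logout token before terminating sessions: signature, issuer, audience and issue time, the mandatory events claim, sid or sub, the prohibition on nonce (which would mean an ID token is being passed off as a logout token), and jti replay detection. The realm URL, client_id and claim values are constructed sample data; signature verification is a callback because a real RP checks the realm's RS256 key from its JWKS endpoint, and the HS256 shared key is only a stand-in so the example runs offline.

```python
"""RP-side validation of an OpenID Connect Back-Channel Logout 1.0 logout token.
Added example for these notes, not RH-SSO/Keycloak adapter code. Signature
checking is a caller-supplied callback (a real RP verifies the realm's RS256
key from its JWKS); the HS256 shared key below is an offline stand-in only."""
import base64
import hashlib
import hmac
import json
import time

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

class LogoutTokenError(ValueError):
    """The token must be rejected; the RP answers HTTP 400 to the OP."""

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def validate_logout_token(token, issuer, client_id, verify_signature, seen_jti,
                          now=None, max_age=300):
    """Return (sid, sub) naming the sessions to terminate, or raise.
    verify_signature(signing_input, signature, header) -> bool is the key check;
    seen_jti is a mutable set used to detect replayed tokens."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
    except ValueError as exc:  # bad base64, bad UTF-8 and bad JSON are all ValueErrors
        raise LogoutTokenError("malformed JWT") from exc
    if str(header.get("alg", "none")).lower() == "none":
        raise LogoutTokenError("unsigned token")
    if not verify_signature(f"{h}.{p}".encode(), b64url_decode(s), header):
        raise LogoutTokenError("bad signature")
    # iss, aud and iat are checked as for an ID Token (spec section 2.6).
    if claims.get("iss") != issuer:
        raise LogoutTokenError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("wrong audience")
    now = time.time() if now is None else now
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + 60 or now - iat > max_age:
        raise LogoutTokenError("iat out of window")
    # events must hold the back-channel logout member with a JSON object value.
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_EVENT), dict):
        raise LogoutTokenError("missing back-channel logout event")
    sid, sub = claims.get("sid"), claims.get("sub")
    if sid is None and sub is None:
        raise LogoutTokenError("neither sid nor sub present")
    if "nonce" in claims:  # a nonce means an ID Token is being passed off as a logout token
        raise LogoutTokenError("nonce is prohibited in logout tokens")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise LogoutTokenError("missing or replayed jti")
    seen_jti.add(jti)
    return sid, sub

# Constructed demo material: assumed realm URL and client_id, demo-only key.
DEMO_ISSUER = "https://sso.example.com/auth/realms/demo"
DEMO_CLIENT = "inventory-app"
DEMO_KEY = b"demo-only-shared-key"  # HS256 stand-in; never use for real logout tokens

def hs256_verify(signing_input: bytes, signature: bytes, header: dict) -> bool:
    expected = hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest()
    return header.get("alg") == "HS256" and hmac.compare_digest(expected, signature)

def make_demo_token(claims: dict) -> str:
    """Mint a logout token the way the demo OP would (HS256 stand-in)."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def demo_claims(now: float) -> dict:
    """A well-formed logout token claim set (constructed sample data)."""
    return {"iss": DEMO_ISSUER, "aud": DEMO_CLIENT, "iat": now, "jti": "evt-1",
            "sid": "sess-42", "sub": "user-7", "events": {BACKCHANNEL_EVENT: {}}}

def rejection_reason(token: str, seen_jti: set, now: float):
    """Why the demo RP rejects a token, or None when it accepts it."""
    try:
        validate_logout_token(token, DEMO_ISSUER, DEMO_CLIENT, hs256_verify, seen_jti, now=now)
        return None
    except LogoutTokenError as exc:
        return str(exc)

if __name__ == "__main__":
    now, seen = 1_700_000_000, set()
    print("accepted:", rejection_reason(make_demo_token(demo_claims(now)), seen, now) is None)
    print("replay:", rejection_reason(make_demo_token(demo_claims(now)), seen, now))
    print("id token reuse:", rejection_reason(make_demo_token(dict(demo_claims(now), nonce="n")), set(), now))
```

The replay set is in-memory here; an RP with several instances needs a shared store keyed by jti with an expiry no shorter than max_age, otherwise a captured logout token can be replayed against a sibling instance.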

1.2.5. WebAuthn improvements

WebAuthn is no longer a Technical Preview feature. It is now fully supported.

Red Hat Single Sign-On now also supports WebAuthn id-less (username-less) authentication: a WebAuthn security key can identify the user during authentication, without the user entering a username first, provided the key supports resident keys. For more details, see the Server Administration Guide.

1.2.6. Session limits

Red Hat Single Sign-On now supports limits on the number of sessions a user can have. Limits can be placed at the realm level or at the client level.

For more details, see the Server Administration Guide.

1.2.7. SAML ECP Profile is disabled by default

To mitigate the risk of abuse of the SAML ECP profile, Red Hat Single Sign-On now blocks this flow for every SAML client that does not explicitly allow it. The profile can be enabled per client with the Allow ECP Flow flag in the client configuration; see the Server Administration Guide.

1.2.8. Other improvements

  • Account console alignments with latest PatternFly release.
  • Support for encrypted User Info endpoint response.
  • Support for RSA-OAEP as the key-encryption algorithm, combined with A256GCM content encryption, for encrypted tokens.
  • Support for login with GitHub Enterprise server.

1.3. Existing technology preview features

The following features continue to be in a Technology Preview status:

  • Token exchange
  • Fine-grained authorization permissions

1.4. Removed or deprecated features

These features have a change in status:

  • Cross-site replication, which was introduced as a Technology Preview feature in Red Hat Single Sign-On 7.2, is no longer available as a supported feature in any RH-SSO 7.x release, including the latest RH-SSO 7.6 release. Red Hat does not recommend that any customer implement or use this feature in their environment, because it is not supported. Support exceptions for this feature are also no longer considered or accepted.

    A new solution for cross-site replication is being discussed and tentatively considered for a future release of Red Hat build of Keycloak (RHBK), which is the product that will be introduced instead of Red Hat SSO 8. More details will be available soon.

  • The podDisruptionBudget field in the Keycloak CR is deprecated and will be ignored when the Operator is deployed on OpenShift 4.12 and higher. As a workaround, see the Upgrading Guide.
  • The deprecated upload-script feature has been removed.
  • Support for Red Hat Single Sign-On (RH-SSO) on Red Hat Enterprise Linux 6 (RHEL 6) is deprecated, and the 7.6 release of RH-SSO will not be supported on RHEL 6. RHEL 6 entered the ELS phase of its lifecycle on November 30, 2020, and the Red Hat JBoss Enterprise Application Platform (EAP) that RH-SSO depends upon drops support for RHEL 6 with the EAP 7.4 release. Customers should deploy their RH-SSO 7.6 upgrades on RHEL 7 or RHEL 8.
  • The Spring Boot Adapter is deprecated and will not be included in the 8.0 and higher versions of RH-SSO. This adapter will be maintained during the lifecycle of RH-SSO 7.x. Users are urged to migrate to Spring Security to integrate their Spring Boot applications with RH-SSO.
  • Installation from an RPM is deprecated. Red Hat Single Sign-On will continue to deliver RPMs for the life of the 7.x product, but will not deliver RPMs with the next major version. The product will continue to support installation from a ZIP file and installation on OpenShift.
  • Red Hat Single Sign-On for OpenShift on Eclipse OpenJ9 is deprecated. However, Red Hat Single Sign-On on OpenShift will now support all platforms (x86, IBM Z, and IBM Power Systems) as documented in the Red Hat Single Sign-On for OpenShift Guide. For more details on this change, see Java Change in PPC and s390x OpenShift Images.
  • Authorization Services Drools Policy has been removed.

1.5. Fixed Issues

For details on the issues fixed between RH-SSO 7.5 and 7.6.0, see RHSSO 7.6.0 Fixed Issues.

After the 7.6.0 release, a patch release of the Red Hat Single Sign-On Operator was also published to fix a critical issue that prevented upgrading from 7.5.2 to 7.6.0 with the Operator. See the Upgrading Guide for more details and caveats.

1.6. Known issues

This release includes the following known issues:

1.7. Supported configurations

The set of supported features and configurations for RH-SSO Server 7.6 is available on the Customer Portal.

1.8. Component versions

The list of supported component versions for RH-SSO 7.6 is available on the Customer Portal.

1.9. Red Hat Single Sign-On metering labels for Red Hat OpenShift

You can add metering labels to your Red Hat Single Sign-On pods and check Red Hat subscription details with the OpenShift Metering Operator.

Note

Do not add metering labels to any pods that an operator deploys and manages.

Red Hat Single Sign-On can use the following metering labels:

  • com.redhat.component-name: Red Hat Single Sign-On
  • com.redhat.component-type: application
  • com.redhat.component-version: 7.6
  • com.redhat.product-name: "Red_Hat_Runtimes"
  • com.redhat.product-version: 2020/Q2
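Kubernetes label values may contain only alphanumerics, "-", "_" and ".", must start and end alphanumerically, and are limited to 63 characters, so two of the values as printed above ("Red Hat Single Sign-On" with spaces, and "2020/Q2" with a slash) would be rejected by the API server if applied literally. The following is an added example, not Red Hat tooling, that validates the documented labels against that syntax, rewrites the offending values (the underscore substitution is this example's own convention, not a value Red Hat documents), and builds the `oc label` command for a template-deployed pod; the pod and namespace names are assumptions. It deliberately targets a pod by name rather than an Operator-managed deployment, in line with the note above.

```python
"""Check Red Hat Single Sign-On metering labels against Kubernetes label syntax
and build the `oc label` command that applies them. Added example for these
notes, not Red Hat tooling; the sanitising convention below is an assumption."""
import re
import shlex

# Kubernetes label syntax (k8s.io/apimachinery validation): a value is empty or
# up to 63 characters matching [A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])?; a key
# is an optional DNS-subdomain prefix plus "/" and a non-empty name drawn from
# the same alphabet as a value.
NAME_RE = re.compile(r"^[A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])?$")
PREFIX_RE = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")

def valid_label_key(key: str) -> bool:
    prefix, slash, name = key.rpartition("/")
    if slash and not (prefix and len(prefix) <= 253 and PREFIX_RE.match(prefix)):
        return False
    return 0 < len(name) <= 63 and bool(NAME_RE.match(name))

def valid_label_value(value: str) -> bool:
    return value == "" or (len(value) <= 63 and bool(NAME_RE.match(value)))

# The metering labels exactly as the release notes list them.
DOCUMENTED_LABELS = {
    "com.redhat.component-name": "Red Hat Single Sign-On",
    "com.redhat.component-type": "application",
    "com.redhat.component-version": "7.6",
    "com.redhat.product-name": "Red_Hat_Runtimes",
    "com.redhat.product-version": "2020/Q2",
}

def invalid_labels(labels: dict) -> dict:
    """Subset of labels the API server would reject as written."""
    return {k: v for k, v in labels.items()
            if not (valid_label_key(k) and valid_label_value(v))}

def sanitize_value(value: str) -> str:
    """Assumed convention: collapse each run of disallowed characters to '_',
    trim to 63 characters, and drop leading/trailing punctuation, so
    'Red Hat Single Sign-On' -> 'Red_Hat_Single_Sign-On' and '2020/Q2' -> '2020_Q2'."""
    cleaned = re.sub(r"[^A-Za-z0-9_.-]+", "_", value).strip("-_.")
    return cleaned[:63].rstrip("-_.")

def oc_label_command(pod: str, namespace: str, labels: dict) -> str:
    """`oc label` invocation for one template-deployed pod (not an
    Operator-managed one, which the notes say must not be labelled)."""
    clean = {k: sanitize_value(v) for k, v in labels.items()}
    bad = invalid_labels(clean)
    if bad:
        raise ValueError(f"labels still invalid after sanitising: {bad}")
    args = ["oc", "label", "pod", pod, "-n", namespace, "--overwrite"]
    args += [f"{k}={v}" for k, v in clean.items()]
    return " ".join(shlex.quote(a) for a in args)

if __name__ == "__main__":
    for key, value in invalid_labels(DOCUMENTED_LABELS).items():
        print(f"rejected as written: {key}={value!r}")
    print(oc_label_command("sso-1-abcde", "sso", DOCUMENTED_LABELS))
```

Run the script before rolling the labels into a template or a CI job; a rejected label is only reported by the API server at apply time, which is easy to miss when labels are set in bulk.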

Legal Notice

Copyright © 2024 Red Hat, Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.