diff --git a/core/src/main/java/org/keycloak/Config.java b/core/src/main/java/org/keycloak/Config.java
index 46c6fc9..16a320c 100755
--- a/core/src/main/java/org/keycloak/Config.java
+++ b/core/src/main/java/org/keycloak/Config.java
@@ -12,7 +12,7 @@ public class Config {
}
public static String getAdminRealm() {
- return configProvider.scope("admin").get("realm", "keycloak-admin");
+ return configProvider.scope("admin").get("realm", "master");
}
public static String getProvider(String spi) {
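Review bot: The new fallback `"master"` on the `return configProvider.scope("admin").get("realm", "master");` line is a magic string that the same commit also hard-codes as `"realm": "master"` in three keycloak-server.json files (project-integrations/aerogear-ups, server, and testsuite/integration), so the code default and the shipped configuration can drift apart silently; lifting it into `private static final String DEFAULT_ADMIN_REALM = "master";` and passing that here would keep one source of truth. Because the previous fallback was `"keycloak-admin"`, any deployment whose configuration omits `admin.realm` will resolve the admin realm to `master` after this change, and nothing in the hunk warns or migrates an existing installation that still has a realm named `keycloak-admin`, which presumably would leave that installation pointing at a realm that does not exist. Since this value selects the realm whose users receive server-wide administrative roles, a Javadoc on `getAdminRealm` stating that meaning and the new default would help operators who review security-relevant settings. The enclosing class `Config` starts and ends outside the hunk.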
diff --git a/docbook/reference/en/en-US/master.xml b/docbook/reference/en/en-US/master.xml
index 0eca23e..56433a1 100755
--- a/docbook/reference/en/en-US/master.xml
+++ b/docbook/reference/en/en-US/master.xml
@@ -6,6 +6,7 @@
<!ENTITY Installation SYSTEM "modules/server-installation.xml">
<!ENTITY OpenShift SYSTEM "modules/openshift.xml">
<!ENTITY AdminPermissions SYSTEM "modules/admin-permissions.xml">
+ <!ENTITY PerRealmAdminPermissions SYSTEM "modules/per-realm-admin-permissions.xml">
<!ENTITY AdapterConfig SYSTEM "modules/adapter-config.xml">
<!ENTITY JBossAdapter SYSTEM "modules/jboss-adapter.xml">
<!ENTITY JavascriptAdapter SYSTEM "modules/javascript-adapter.xml">
@@ -64,6 +65,7 @@ This one is short
&Installation;
&OpenShift;
&AdminPermissions;
+ &PerRealmAdminPermissions;
<chapter>
<title>Adapters</title>
<para>
diff --git a/docbook/reference/en/en-US/modules/admin-permissions.xml b/docbook/reference/en/en-US/modules/admin-permissions.xml
index a55f734..00bbfc1 100755
--- a/docbook/reference/en/en-US/modules/admin-permissions.xml
+++ b/docbook/reference/en/en-US/modules/admin-permissions.xml
@@ -1,13 +1,20 @@
<chapter id="admin-permissions">
- <title>Admin Access Control</title>
+ <title>Master Admin Access Control</title>
<para>
- Access to The Admin Console and REST endpoints can be controlled by mapping roles to users in the <literal>keycloak-admin</literal> realm.
+ You can create and manage multiple realms by logging into the <literal>master</literal> Keycloak admin console
+ at <literal>/{keycloak-root/admin/index.html</literal>
+ </para>
+ <para>
+ Users in the Keycloak <literal>master</literal> realm can be granted permission to manage zero or more realms that are
+ deployed on the Keycloak server. When a realm is created, Keycloak automatically creates various roles that grant fine-grain
+ permissions to access that new realm.
+ Access to The Admin Console and REST endpoints can be controlled by mapping these roles to users in the <literal>master</literal> realm.
It's possible to create multiple super users as well as users that have only access to certain operations in specific realms.
</para>
<section>
<title>Global Roles</title>
<para>
- There are two realm roles in the <literal>keycloak-admin</literal> realm. These are:
+ There are two realm roles in the <literal>master</literal> realm. These are:
<itemizedlist>
<listitem>
<literal>admin</literal> - This is the super-user role and grants permissions to all operations on all realms
@@ -18,7 +25,7 @@
</itemizedlist>
</para>
<para>
- To add these roles to a user select the <literal>keycloak-admin</literal> realm, then click on <literal>Users</literal>.
+ To add these roles to a user select the <literal>master</literal> realm, then click on <literal>Users</literal>.
Find the user you want to grant permissions to, open the user and click on <literal>Role Mappings</literal>. Under
<literal>Realm Roles</literal> assign any of the above roles to the user by selecting it and clicking on the right-arrow.
</para>
@@ -27,7 +34,7 @@
<section>
<title>Realm Specific Roles</title>
<para>
- Each realm in Keycloak is represented by an application in the <literal>keycloak-admin</literal> realm. The name of the application
+ Each realm in Keycloak is represented by an application in the <literal>master</literal> realm. The name of the application
is <literal><realm name>-realm</literal>. This allows assigning access to users for individual realms. The
roles available are:
<itemizedlist>
@@ -60,10 +67,10 @@
Manage roles includes permissions to view (for example a user with manage-realm role can also view the realm configuration).
</para>
<para>
- To add these roles to a user select the <literal>keycloak-admin</literal> realm, then click on <literal>Users</literal>.
+ To add these roles to a user select the <literal>master</literal> realm, then click on <literal>Users</literal>.
Find the user you want to grant permissions to, open the user and click on <literal>Role Mappings</literal>. Under
<literal>Application Roles</literal> select the application that represents the realm you're adding permissions to
(<literal><realm name>-realm</literal>), then assign any of the above roles to the user by selecting it and clicking on the right-arrow.
</para>
</section>
-</chapter>
\ No newline at end of file
+</chapter>
diff --git a/docbook/reference/en/en-US/modules/Overview.xml b/docbook/reference/en/en-US/modules/Overview.xml
index ec48306..a6ca411 100755
--- a/docbook/reference/en/en-US/modules/Overview.xml
+++ b/docbook/reference/en/en-US/modules/Overview.xml
@@ -24,6 +24,10 @@
</listitem>
<listitem>
+ LDAP and Active Directory support.
+ </listitem>
+
+ <listitem>
Optional User Registration
</listitem>
@@ -32,7 +36,25 @@
</listitem>
<listitem>
- Pluggable theme and style support for user facing screens.
+ Forgot password support. User can have an email sent to them
+ </listitem>
+
+ <listitem>
+ Reset password/totp. Admin can force a password reset, or set up a temporary password.
+ </listitem>
+
+ <listitem>
+ Not-before revocation policies per realm, application, or user.
+ </listitem>
+
+ <listitem>
+ User session management. Admin can view user sessions and what applications/clients have an access token. Sessions can be invalidated
+ per realm or per user.
+ </listitem>
+
+ <listitem>
+ Pluggable theme and style support for user facing screens. Login, grant pages, account mgmt, and admin console all
+ can be styled, branded, and tailored to your application and organizational needs.
</listitem>
<listitem>
@@ -64,12 +86,15 @@
Admin Console for managing users, roles, role mappings, applications, user sessions, allowed CORS web origins, and OAuth clients.
</listitem>
<listitem>
- Account Management console that allows users to manage their own account
+ Account Management console that allows users to manage their own account, view their open sessions, reset passwords, etc.
</listitem>
<listitem>
Deployable as a WAR, appliance, or on Openshift.
</listitem>
<listitem>
+ Multitenancy support. You can host and manage multiple realms for multiple organizations.
+ </listitem>
+ <listitem>
Supports JBoss AS7, EAP 6.x, Wildfly and JavaScript applications. Plans to support Node.js, RAILS, GRAILS, and other non-Java deployments
</listitem>
</itemizedlist>
@@ -100,7 +125,7 @@
<section>
<title>How Does Security Work in Keycloak?</title>
<para>
- Keycloak uses <emphasis>access tokens</emphasis>. Access tokens contains security metadata specifying the
+ Keycloak uses <emphasis>access tokens</emphasis> to secure web invocations. Access tokens contains security metadata specifying the
identity of the user as well as the role mappings for that user. The format of these tokens is a Keycloak
extension to the <ulink url="http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-14">JSON Web Token</ulink> specification. Each realm has a private and public key pair
which it uses to digitally sign the access token using the <ulink url="http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-19">JSON Web Signature</ulink> specification.
@@ -114,7 +139,7 @@
no need for them to store any security metadata locally other than the public key of the realm.
</para>
<para>
- Signed access tokens can also be proprogated by REST client requests within an <literal>Authorization</literal>
+ Signed access tokens can also be propagated by REST client requests within an <literal>Authorization</literal>
header. This is great for distributed integration as applications can request a login from a client to obtain
an access token, then invoke any aggregated REST invocations to other services using that access token. So,
you have a distributed security model that is centrally managed, yet does not require a Keycloak Server hit
diff --git a/docbook/reference/en/en-US/modules/per-realm-admin-permissions.xml b/docbook/reference/en/en-US/modules/per-realm-admin-permissions.xml
new file mode 100755
index 0000000..a846969
--- /dev/null
+++ b/docbook/reference/en/en-US/modules/per-realm-admin-permissions.xml
@@ -0,0 +1,59 @@
+<chapter id="per-realm-admin-permissions">
+ <title>Per Realm Admin Access Control</title>
+ <para>
+ Administering your realm through the <literal>master</literal> realm as discussed in <xref linkend="admin-permissions" /> may not always be
+ ideal or feasible. For example, maybe you have more than one admin application that manages various admin aspects of your organization
+ and you want to unify all these different "admin consoles" under one realm so you can do SSO between them. Keycloak allows you to
+ grant realm admin privleges to users within that realm. These realm admins can participate in SSO for that realm and
+ visit a keycloak admin console instance that is dedicated solely for that realm by going to the url:
+ <literal>/{keycloak-root}/admin/{realm}/console</literal>
+ </para>
+ <section>
+ <title>Realm Roles</title>
+ <para>
+ Each realm has a built-in application called <literal>realm-management</literal>. This application defines
+ roles that define permissions that can be granted to manage the realm.
+ <itemizedlist>
+ <listitem>
+ <literal>realm-admin</literal> - This is a composite role that grants all admin privileges for managing
+ security for that realm.
+ </listitem>
+ </itemizedlist>
+ These are more fine-grain roles you can assign to the user.
+
+ <itemizedlist>
+ <listitem>
+ <literal>view-realm</literal> - View the realm configuration
+ </listitem>
+ <listitem>
+ <literal>view-users</literal> - View users (including details for specific user) in the realm
+ </listitem>
+ <listitem>
+ <literal>view-applications</literal> - View applications in the realm
+ </listitem>
+ <listitem>
+ <literal>view-clients</literal> - View clients in the realm
+ </listitem>
+
+ <listitem>
+ <literal>manage-realm</literal> - Modify the realm configuration (and delete the realm)
+ </listitem>
+ <listitem>
+ <literal>manage-users</literal> - Create, modify and delete users in the realm
+ </listitem>
+ <listitem>
+ <literal>manage-applications</literal> - Create, modify and delete applications in the realm
+ </listitem>
+ <listitem>
+ <literal>manage-clients</literal> - Create, modify and delete clients in the realm
+ </listitem>
+ </itemizedlist>
+ Manage roles includes permissions to view (for example a user with manage-realm role can also view the realm configuration).
+ </para>
+ <para>
+ To add these roles to a user select the realm you want. Then click on <literal>Users</literal>.
+ Find the user you want to grant permissions to, open the user and click on <literal>Role Mappings</literal>. Under
+ <literal>Application Roles</literal> select <literal>realm-management</literal>, then assign any of the above roles to the user by selecting it and clicking on the right-arrow.
+ </para>
+ </section>
+</chapter>
diff --git a/docbook/reference/en/en-US/modules/server-installation.xml b/docbook/reference/en/en-US/modules/server-installation.xml
index 1e7b9f4..58c95b8 100755
--- a/docbook/reference/en/en-US/modules/server-installation.xml
+++ b/docbook/reference/en/en-US/modules/server-installation.xml
@@ -56,8 +56,8 @@ keycloak-appliance-dist-all-1.0-beta-1-SNAPSHOT/
<literal>standalone.bat</literal>
script is used to start the server.
After executing that, log into the admin console at<ulink
- url="http://localhost:8080/auth/rest/admin/login">
- http://localhost:8080/auth/rest/admin/login</ulink>.
+ url="http://localhost:8080/auth/admin/index.html">
+ http://localhost:8080/auth/admin/index.html</ulink>.
Username: <emphasis>admin</emphasis>
Password: <emphasis>admin</emphasis>. Keycloak will then prompt you to
enter in a new password.
@@ -107,8 +107,11 @@ keycloak-war-dist-all-1.0-beta-1-SNAPSHOT/
</para>
<para>
After booting up the JBoss or Wildfly distro, you can then make sure it is installed properly
- by logging into the admin console at<ulink url="http://localhost:8080/auth/admin">http://localhost:8080/auth/admin</ulink>.
- Username: <emphasis>admin</emphasis>, Password: <emphasis>admin</emphasis>. Keycloak will then prompt you to
+ by logging into the admin console at<ulink
+ url="http://localhost:8080/auth/admin/index.html">
+ http://localhost:8080/auth/admin/index.html</ulink>.
+ Username: <emphasis>admin</emphasis>
+ Password: <emphasis>admin</emphasis>. Keycloak will then prompt you to
enter in a new password.
</para>
</section>
@@ -315,6 +318,7 @@ keycloak-war-dist-all-1.0-beta-1-SNAPSHOT/
<programlisting>
WARN [org.jboss.resteasy.core.ResourceLocator] (http-/127.0.0.1:8080-3)
Field providers of subresource xxx will not be injected according to spec
+
</programlisting>
<para>
diff --git a/project-integrations/aerogear-ups/auth-server/src/main/webapp/WEB-INF/keycloak-server.json b/project-integrations/aerogear-ups/auth-server/src/main/webapp/WEB-INF/keycloak-server.json
old mode 100644
new mode 100755
index 3e88c8a..33b4c94
--- a/project-integrations/aerogear-ups/auth-server/src/main/webapp/WEB-INF/keycloak-server.json
+++ b/project-integrations/aerogear-ups/auth-server/src/main/webapp/WEB-INF/keycloak-server.json
@@ -1,6 +1,6 @@
{
"admin": {
- "realm": "keycloak-admin"
+ "realm": "master"
},
"model": {
diff --git a/server/src/main/resources/META-INF/keycloak-server.json b/server/src/main/resources/META-INF/keycloak-server.json
old mode 100644
new mode 100755
index 06efa79..af4c79e
--- a/server/src/main/resources/META-INF/keycloak-server.json
+++ b/server/src/main/resources/META-INF/keycloak-server.json
@@ -1,6 +1,6 @@
{
"admin": {
- "realm": "keycloak-admin"
+ "realm": "master"
},
"audit": {
diff --git a/testsuite/integration/src/main/resources/META-INF/keycloak-server.json b/testsuite/integration/src/main/resources/META-INF/keycloak-server.json
old mode 100644
new mode 100755
index 251dfa4..13b70f8
--- a/testsuite/integration/src/main/resources/META-INF/keycloak-server.json
+++ b/testsuite/integration/src/main/resources/META-INF/keycloak-server.json
@@ -1,6 +1,6 @@
{
"admin": {
- "realm": "keycloak-admin"
+ "realm": "master"
},
"audit": {