Release Notes

Red Hat Single Sign-On 7.1

For Use with Red Hat Single Sign-On 7.1

Red Hat Customer Content Services

Abstract

These release notes contain important information related to Red Hat Single Sign-On 7.1.

Chapter 1. Overview

The Red Hat Single Sign-On (RH-SSO) Server, based on the Keycloak project, enables you to secure your web applications by providing Web SSO capabilities based on popular standards such as SAML 2.0, OpenID Connect, and OAuth 2.0. The Server can act as a SAML or OpenID Connect–based identity provider (IdP), mediating with your enterprise user directory or third-party identity provider for identity information and your applications using standards-based tokens.

Chapter 2. Feature Overview

2.1. OpenID Connect Certification

The Keycloak version included in Red Hat Single Sign-On (RH-SSO) 7.1 conforms to the 5 OpenID Connect profiles: Basic, Implicit, Hybrid, Config, and Dynamic. Certification was achieved in Keycloak v2.3 (http://openid.net/certification/). Future RH-SSO 7.x versions will remain compatible with these profiles, unless documented otherwise.

2.2. Client adapter for Red Hat JBoss Fuse

RH-SSO 7.1 features a new client adapter for Red Hat JBoss Fuse, which enables securing of web application archives (WARs), servlets, Apache routes and Apache CXF endpoints deployed on JBoss Fuse, in both Apache Karaf and Red Hat JBoss Enterprise Application Platform (JBoss EAP).

2.3. Node.js client adapter

RH-SSO 7.1 includes a new Node.js client adapter, which enables use of RH-SSO 7.1 Server for authentication and web single sign-on for Node.js applications.

2.4. Externalized authorization service

RH-SSO 7.1 introduces a new authorization service feature-set, based on the User Managed Access (UMA) specification. This enables RH-SSO 7.1 Server to act as a Policy Administration Point (PAP), Policy Decision Point (PDP), or Policy Information Point (PIP), separating the authorization logic from the application.

2.5. User Storage SPI

RH-SSO 7.1 features a new User Storage SPI that you can use to implement your own custom user storage federation provider, such as a relational or NoSQL database, to enable federation of users from any user store.

2.6. SSSD integration

RH-SSO 7.1 adds an integration with System Security Services Daemon (SSSD) in Red Hat Enterprise Linux (RHEL) 7.3. This enables use of SSSD as a user federation provider in front of a Microsoft Active Directory forest.

2.7. Client registration CLI

RH-SSO 7.1 introduces a command-line interface (CLI) for developers to register client applications on RH-SSO Server.

2.8. RPM distribution

RH-SSO 7.1 introduces a new RPM distribution for Red Hat Enterprise Linux 6 and 7. The RH-SSO Server is provided in its own channel; the client adapters for JBoss EAP 6 and 7 are provided in their respective JBoss EAP x86_64 channels. The JBoss Fuse and Node.js client adapters are not available as RPMs.

Chapter 3. Supported Configurations

3.1. Supported Configurations

The set of supported features and configurations for RH-SSO Server 7.1 is available on the Customer Portal.

Chapter 4. Component Versions

4.1. Component Versions

The list of supported component versions for Red Hat Single Sign-On 7.1 is available on the Customer Portal.

Chapter 5. Known Issues

5.1. Known Issues

  1. (7.1.z) SAML encrypted assertion with newlines fails during parsing
  2. No proper way to set JDBC_PING
  3. Client’s logout handling gets stuck between HTTP-POST and HTTP-Redirect
  4. (7.1.z) SAML logouts are not invalidating the sessions for all logged-in applications
  5. SAML isPassive not working with 7.0 adapter
  6. Fuse adapter: Login to Hawt.io with user without admin role
  7. "Add user federation provider" form doesn’t validate "Custom User LDAP Filter" field
  8. Disabling Authorization for a client deletes all authorization data
  9. searchForUserByUserAttribute does not filter users by realm
  10. Deleting a client with existing sessions/offline_tokens leads to Internal Server Errors
  11. MAX_LIFESPAN cache policy does not evict objects
  12. NPE when requesting .well-known URI for which no provider exists
  13. Unexpected error when creating client with existing client ID
  14. Kerberos flow is executed even when no Kerberos provider is present
  15. keycloak-nodejs-auth-utils chokes on TLS errors instead of catching them
  16. NPE fix for HttpMethod
  17. Wrong message when a temporarily disabled user requests password reset
  18. TypeError: this.reject is not a function
  19. Import of huge certificates fails
  20. Periodic sync of User Storage Provider SPI does not work
  21. Access token appears to be valid even though session has expired in the background
  22. Error when session expired and ajax request execute in Keycloak
  23. SAML IdP only imports one key from metadata
  24. Export/Import clients functionality not working as expected
  25. Unhandled ReadOnlyException in Account Management when updating user from read-only store
  26. Cannot import realm, which contains user-based authorization policy
  27. UserRemovedEvent not triggered when userStorage provider is removed
  28. Removing userSessions is very slow when removing many sessions
  29. SAML federation link fails to work with read-only LDAP user

Legal Notice

Copyright © 2016 Red Hat, Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.