Changes for custom client resource name for SSO (#149) (apache#3609)
* Changes for custom client resource name for SSO

* QE review change

* Update doc-content/enterprise-only/integration/sso-client-adapter-proc.adoc

Co-authored-by: Brian Dooley <briandooley@users.noreply.github.com>

* SME review and two DDF issues

* Remove optional from Elytron

* Peer review

Co-authored-by: Brian Dooley <briandooley@users.noreply.github.com>

Co-authored-by: Brian Dooley <briandooley@users.noreply.github.com>
mramendi and briandooley committed May 27, 2021
1 parent 7e0530f commit f8647c7
Showing 2 changed files with 28 additions and 9 deletions.
@@ -10,7 +10,8 @@ This chapter describes how to authenticate {CENTRAL} through RH-SSO. It includes
.Prerequisites
* {CENTRAL} is installed in a {EAP} {EAP_VERSION} server, as described in {URL_INSTALLING_AND_CONFIGURING}#assembly-install-on-eap[_{INSTALLING_ON_EAP}_].
* RH-SSO is installed as described in <<sso-realm-proc>>.
* {CENTRAL} users have been added to RH-SSO as described in <<sso-user-add-proc>>.
* You added {CENTRAL} users to RH-SSO as described in <<sso-user-add-proc>>.
* Optional: To manage RH-SSO users from {CENTRAL}, you added all realm-management client roles in RH-SSO to the {CENTRAL} administrator user.

[NOTE]
====
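Review bot: the new last bullet ("you added all realm-management client roles in RH-SSO to the {CENTRAL} administrator user") grants far more than the stated goal of managing users: the roles of the realm-management client include full administration of the realm, so a user holding all of them can change every realm setting, client and key, not just user accounts. Suggest the bullet either name only the roles that user management needs (for example manage-users) or say plainly that it confers full realm administration, so readers can apply least privilege rather than copy "all". The change from the passive "have been added" to "You added {CENTRAL} users" matches the surrounding bullets and reads fine.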
@@ -30,19 +30,26 @@ NOTE: Install the adapter with the `-Dserver.config=standalone-full.xml` propert
<property name="org.uberfire.ext.security.management.keycloak.authServer" value="http://localhost:8180/auth"/>
</system-properties>
----
--
+
. Optional: If you want to use client roles, add the following system property:
+
--
[source,xml,subs="attributes+"]
----
<property name="org.uberfire.ext.security.management.keycloak.use-resource-role-mappings" value="true"/>
----

If you want to use client roles, also add the following system property:
By default, the client resource name is `kie`. The client resource name must be the same as the client name that you used to configure the client in RH-SSO. If you want to use a custom client resource name, add the following system property:

[source,xml,subs="attributes+"]
----
<property name="org.uberfire.ext.security.management.keycloak.use-resource-role-mappings" value="true"/>
<property name="org.uberfire.ext.security.management.keycloak.resource" value="customClient"/>
----

Replace `customClient` with the client resource name.
--
//For version 7.6: (just the last two properties)
//<system-properties>
//<property name="org.uberfire.ext.security.management.api.userManagementServices" //value="KCAdapterUserManagementService"/>
//<property name="org.uberfire.ext.security.management.keycloak.authServer" value="http://localhost:8180/auth"/>
//</system-properties>
+
. Add the RH-SSO subsystem configuration. For example:
+
[source,xml,subs="attributes+"]
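Review bot: the new sentence "If you want to use a custom client resource name, add the following system property" makes the trigger a preference, but the preceding sentence makes it a requirement: the default is `kie` and the name must equal the client configured in RH-SSO, so the property is mandatory whenever the RH-SSO client is not named `kie`, and the text does not say what breaks when the two names differ while `use-resource-role-mappings` is `true`. Suggest rewording to the actual condition, e.g. "If the client you created in RH-SSO is not named `kie`, add the following system property", adding a sentence on the failure mode (client role mappings are looked up on a client that does not exist), and stating that `customClient` must also equal the `resource` value in the RH-SSO subsystem configuration of the next step, since both settings name the same client.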
@@ -68,7 +75,7 @@ In this example:
* `realm-public-key` is the public key of the realm you created. You can find the key in the *Keys* tab in the *Realm settings* page of the realm you created in the RH-SSO Admin Console. If you do not provide a value for `realm-public-key`, the server retrieves it automatically.
* `auth-server-url` is the URL for the RH-SSO authentication server.
* `enable-basic-auth` is the setting to enable basic authentication mechanism, so that the clients can use both token-based and basic authentication approaches to perform the requests.
* `resource` is the name for the client that you created.
* `resource` is the name for the client that you created. To use client roles, set the client resource name that you used when configuring the client in RH-SSO.
* `credential name` is the secret key for the client you created. You can find the key in the *Credentials* tab on the *Clients* page of the RH-SSO Admin Console.
* `principal-attribute` is the login name of the user. If you do not provide this value, your User Id is displayed in the application instead of your user name.
+
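Review bot: the sentence added to the `resource` bullet ("To use client roles, set the client resource name that you used when configuring the client in RH-SSO") reads as if `resource` only matters when client roles are used, yet the same bullet already says `resource` is always the name of the client you created. Suggest replacing it with the constraint that actually applies: when client roles are enabled, this value must be identical to the `org.uberfire.ext.security.management.keycloak.resource` system property set earlier (or to the default `kie` when that property is omitted), otherwise the adapter and the user-management service point at two different clients.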
@@ -120,6 +127,17 @@ For more information about management CLI of {EAP}, see the https://access.redha
</application-security-domains>
</subsystem>
----

[NOTE]
====
To use the Elytron subsystem, you must disable JACC in the legacy `security` subsystem. To disable JACC in the legacy subsystem, enter the following command in the {EAP} management CLI:
----
/subsystem=security:write-attribute(name=initialize-jacc, value=false)
----
For more information about disabling JACC in the legacy securoty subsystem, see the https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/development_guide/index#enabling_jacc_using_elytron[_Development Guide_] for {EAP}.
====
--
. Navigate to `_EAP_HOME_/bin/` and enter the following command to start the {EAP} server:
+
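Review bot: the new NOTE tells the reader to run `/subsystem=security:write-attribute(name=initialize-jacc, value=false)` in the management CLI, but the step that follows starts the {EAP} server, so at this point there is no running server for the CLI to connect to, and even with one, a change to `initialize-jacc` only takes effect after a reload. Suggest stating where the command fits: run it against a running server and then reload (in which case the next step is a restart rather than a first start), or run it through the CLI's embedded offline server so the attribute is written to `standalone-full.xml` before the start step. Two smaller points in the same NOTE: "securoty" in "the legacy securoty subsystem" should be "security", and the link text says "disabling JACC" while the target anchor is `enabling_jacc_using_elytron`; worth confirming the linked section covers the legacy-subsystem disable step.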

0 comments on commit f8647c7