|
Lines 288-293
federation* is useful when administrators want to keep track of all users in
|
Link Here
|
|---|
|
|---|
| 288 |
|
288 |
|
| 289 |
For more information on |SPI|, see :cite:t:`keycloak-spi`. |
289 |
For more information on |SPI|, see :cite:t:`keycloak-spi`. |
| 290 |
|
290 |
|
|
|
291 |
.. _ad-hoc-federation-import-external-ca: |
| 292 |
|
| 293 |
Import external CA certificates |
| 294 |
------------------------------- |
| 295 |
|
| 296 |
Federation involves other, for example external, server systems and requires |
| 297 |
trust. Certificates are a way to implement trust. To tell your Keycloak |
| 298 |
system to trust another system for the ad-hoc federation, you need to |
| 299 |
import the CA certificate for that system. Keycloak needs the CA certificate |
| 300 |
to verify the encrypted connection with the other system. |
| 301 |
|
| 302 |
Use the following steps to add the CA certificate of the other system: |
| 303 |
|
| 304 |
.. code-block:: console |
| 305 |
|
| 306 |
$ docker cp /path/to/externalCA.pem keycloak:/externalCA.pem |
| 307 |
$ univention-app shell keycloak \ |
| 308 |
keytool -cacerts -import -alias ucsCA -file /externalCA.pem -storepass "changeit" -noprompt |
| 309 |
|
| 310 |
Repeat this procedure when any CA certificate expires. In case of any CA related |
| 311 |
TLS error, restart the container: |
| 312 |
|
| 313 |
.. code-block:: console |
| 314 |
|
| 315 |
$ docker restart keycloak |
| 316 |
|
| 291 |
.. _ad-hoc-federation-custom-auth-flow: |
317 |
.. _ad-hoc-federation-custom-auth-flow: |
| 292 |
|
318 |
|
| 293 |
Create custom authentication flow |
319 |
Create custom authentication flow |