Lines 288-293
federation* is useful when administrators want to keep track of all users in
|
|
---|
|
288 |
|
288 |
|
289 |
For more information on |SPI|, see :cite:t:`keycloak-spi`. |
289 |
For more information on |SPI|, see :cite:t:`keycloak-spi`. |
290 |
|
290 |
|
|
|
291 |
.. _ad-hoc-federation-import-external-ca: |
292 |
|
293 |
Import external CA certificates |
294 |
------------------------------- |
295 |
|
296 |
Federation involves other, for example external, server systems and requires |
297 |
trust. Certificates are a way to implement trust. To tell your Keycloak |
298 |
system to trust another system for the ad-hoc federation, you need to |
299 |
import the CA certificate for that system. Keycloak needs the CA certificate |
300 |
to verify the encrypted connection with the other system. |
301 |
|
302 |
Use the following steps to add the CA certificate of the other system: |
303 |
|
304 |
.. code-block:: console |
305 |
|
306 |
$ docker cp /path/to/externalCA.pem keycloak:/externalCA.pem |
307 |
$ univention-app shell keycloak \ |
308 |
keytool -cacerts -import -alias ucsCA -file /externalCA.pem -storepass "changeit" -noprompt |
309 |
|
310 |
Repeat this procedure when any CA certificate expires. In case of any CA related |
311 |
TLS error, restart the container: |
312 |
|
313 |
.. code-block:: console |
314 |
|
315 |
$ docker restart keycloak |
316 |
|
291 |
.. _ad-hoc-federation-custom-auth-flow: |
317 |
.. _ad-hoc-federation-custom-auth-flow: |
292 |
|
318 |
|
293 |
Create custom authentication flow |
319 |
Create custom authentication flow |
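Review bot: In the keytool line, the fixed alias ucsCA conflicts with the later instruction "Repeat this procedure when any CA certificate expires". keytool refuses to import a certificate under an alias that already exists in the store, so a second run with the same alias fails. Suggest either documenting a preceding "keytool -cacerts -delete -alias <alias>" step for the renewal case or telling the reader to choose a distinct alias for each external CA. The name ucsCA also reads as the UCS CA rather than the external one. Because -noprompt skips the confirmation step in which keytool displays the certificate, the section should ask the administrator to check the fingerprint of externalCA.pem against a value obtained from the other system's operator before importing. The sentence "Keycloak needs the CA certificate to verify the encrypted connection" would be more precise if it said that the CA certificate is used to verify the other system's TLS certificate.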