From 9c7838e217e73b28e6a566bebaad5cb4317c11ff Mon Sep 17 00:00:00 2001 From: Mark Tielemans Date: Wed, 28 Aug 2024 18:19:33 +0400 Subject: [PATCH] Update Simple-Configuration.md Added required option for newer Keycloak versions. --- docs/Simple-Configuration.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/Simple-Configuration.md b/docs/Simple-Configuration.md index 721bd64..16e46e1 100644 --- a/docs/Simple-Configuration.md +++ b/docs/Simple-Configuration.md @@ -37,6 +37,7 @@ Two clients must be created for the Alfresco Repository and Share. The following - "Mappers" => "Add Builtin" `groups` (on the client for Alfresco Repository, if mapping of authorities from Keycloak groups should be supported) - "Service Account Roles" (on the client for Alfresco Repository, if active user / group synchronisation *or* the service/web script to expose roles for use e.g. in permission mangement should be supported) - Assign client roles `query-groups`, `query-users`, `view-users` and `view-clients` on the client `realm-management` +- When using Keycloak 23 or newer, you must turn on "Exclude Issuer From Authentication Response" under "Advanced" => "OpenID Connect Compatibility Modes" for both clients If the RFC 8693 OAuth 2.0 Token Exchange functionality is to be used for delegation of user authentication from Share to the Repository, an authorisation policy needs to be defined on the pre-existing client `realm-management`. The necessary elements can all be configured in the "Authorization" tab in the configuration of that client. The following elements must be created (if not pre-existing) and/or associated with one another. @@ -186,4 +187,4 @@ Similar to Alfresco's out-of-the-box SSO mechanisms for Share, the use of Keyclo -``` \ No newline at end of file +```
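Review bot: The new list item in the first hunk ("When using Keycloak 23 or newer, you must turn on ...") states that the compatibility mode is mandatory but not what breaks without it, so a reader cannot tell whether the instruction applies to their deployment or how to recognise the failure. Suggest adding a short reason in the same sentence, e.g. which part of the Alfresco Repository / Share login flow fails when the issuer is included in the authentication response, and which Keycloak versions below 23 are unaffected. While touching this list, the adjacent context line still reads "permission mangement"; "management" would be the fix.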
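Review bot: The second hunk is a whitespace-only change that adds the missing newline at end of file (the "\ No newline at end of file" marker on the removed line), which is unrelated to the subject "Added required option for newer Keycloak versions". It is harmless, but the commit message should mention it, or it should go in a separate commit, so that the history explains why an otherwise untouched closing code fence appears in this diff.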