Chapter 2. Feature Overview

RH-SSO is now supported on Oracle RAC and MySQL/Galera clusters.

No-import LDAP reduces the load on the RH-SSO database. User data is not imported into the RH-SSO database, and all user data requests are forwarded to LDAP. Initial import of the data and ongoing synchronization are eliminated.

Administrators can now provide a list of blacklisted passwords, ensuring that end users cannot select specific banned passwords.

Browser and Direct Grant authentication flows now support user authentication via X.509 Certificates.

Adapters for Spring Boot applications and Servlet based applications are now available and generally supported.

An adapter for Elytron, the new security subsystem for Red Hat JBoss EAP is generally available. The adapter enables SSO with the EAP Administrative console and the management CLI.

Social login with GitLab, BitBucket, OpenShift, and PayPal have been added to the list of social login providers supported by RH-SSO.

Cross-Datacenter Replication mode allows you to run RH-SSO in a cluster across multiple data centers, most typically using data center sites that are in different geographic regions. When using this mode, each data center will have its own cluster of Red Hat Single Sign-On servers.

This functionality is in technology preview and should not be used in production environments.

Token exchange is the process of using a token to obtain an entirely different token. A client may want to invoke on a less trusted application so it may want to downgrade the current token it has. A client may want to exchange a {project_token} for a token stored for a linked social provider account. You may want to trust external tokens minted by other RH-SSO realms or foreign IDPs. A client may have a need to impersonate a user.

Token exchange in RH-SSO is a very loose implementation of the OAuth Token Exchange specification at the IETF. We have extended it a little, ignored some of it, and loosely interpreted other parts of the specification. It is a simple grant type invocation on a realm’s OpenID Connect token endpoint.

This functionality is in technology preview and should not be used in production environments.

Sometimes roles like manage-realm or manage-users do not give you the ability to specify permissions with the level of control you may desire and you want to create restricted admin accounts that have more precise permissions. RH-SSO allows you to define and assign restricted access policies for managing a realm, such as managing only one specific client or the users of a specific group.

This functionality is in technology preview and should not be used in production environments.

RH-SSO 7.1 introduced a new authorization service feature-set, based on the User Managed Access (UMA) specification. This enables RH-SSO Server to act as a Policy Administration Point (PAP), Policy Decision Point (PDP), or Policy Information Point (PIP), separating the authorization logic from the application.

This functionality is in technology preview and should not be used in production environments, as we plan to update to to UMA 2.0.