Upgrading Versions
This doc contains important information for upgrading uds-identity-config versions. It is not meant to be an exhaustive list of changes between versions, rather information and steps required to manually upgrade versions without a full redeploy of keycloak.
v0.10.0+
Upgrade Details
In uds-identity-config versions 0.10.0+, the version of Keycloak was upgraded to Keycloak 26.1.0. In this release of Keycloak an unmentioned breaking change that added case sensitivity to the Client SAML Mappers. This resulted in breaking SAML Auth flows due to users IDP data not being correctly mapped into applications ( ex. Sonarqube, Gitlab, etc ). Manual steps to fix this issue:
- Click
Client scopes
- For each of the following mappers:
mapper-saml-email-email
mapper-saml-firstname-first_name
mapper-saml-lastname-last_name
mapper-saml-username-login
mapper-saml-username-name
- Select the mapper, should now be on the
Client scope details
page - Select the
Mappers
tab - Select the available mapper
- Manually change the
Property
field dropdown to match the designated mapper propertymapper-saml-email-email
had a value ofEmail
, that needs to be changed to select theemail
option from the drop down.mapper-saml-firstname-first_name
had a value ofFirstName
, that needs to be changed to select thefirstName
option from the drop down.mapper-saml-lastname-last_name
had a value ofLastName
, that needs to be changed to select thelastName
option from the drop down.mapper-saml-username-login
had a value ofUsername
, that needs to be changed to select theusername
option from the drop down.mapper-saml-username-name
had a value ofUsername
, that needs to be changed to select theusername
option from the drop down.
- Make sure and click
Save
after updating the property field
v0.9.1 to v0.10.0
Upgrade Details
- For running Istio with Ambient Mesh, it is required to add two new entries to the trusted hosts list:
*.pepr-uds-core-watcher.pepr-system.svc.cluster.local
and*.keycloak.svc.cluster.local
. This is done automatically for new deployments but when upgrading it is required to perform these extra steps:- Click
Clients
>Client registration
>Client details
- Add
*.pepr-uds-core-watcher.pepr-system.svc.cluster.local
and*.keycloak.svc.cluster.local
to theTrusted Hosts
list - Click
Save
- Click
- Keycloak 26.1.1 introduces a new option to force re-login after resetting credentials (Keycloak Release Notes). This option has been enabled for new deployments but the existing ones, it needs to be turned on manually:
- Click
Authentication
>UDS Reset Credentials
and findSend Reset Email
Step of the Authentication Flow. - Click
Settings
, enter a new alias name, for examplereset-credentials-email
and turn theForce login after reset
option on. - Click
Save
- Click
v0.5.1 to v0.5.2
Upgrade Details
- An custom Keycloak event logger that replaces the default event logger is included in this release, if you wish to enable manually as part of an upgrade do the following (in the
Unicorn Delivery Service
realm):- Click on the
Realm Settings
>Events
and addjsonlog-event-listener
. - Remove the built in
jboss-logging
event listener. - Click
Save
- Click on the
- The custom registration event listener was renamed from
custom-registration-listener
toregistration-event-listener
. To manually update this event listener (in theUnicorn Delivery Service
realm):- Click on the
Realm Settings
>Events
and addregistration-event-listener
. - Remove
custom-registration-listener
. - Click
Save
- Click on the
- An additional scope (
bare-groups
) was included in the uds realm.json. To add this scope manually do the following (in theUnicorn Delivery Service
realm):- Click on
Client Scopes
>Create client scope
. - Name the scope
bare-groups
, and configure it to be- Type:
Optional
- Include in token scope:
On
- Type:
- Click
Save
- Click
Mappers
>Create a new mapper
- Select
Custom Group Path Mapper
and name itbare groups
- To enable this scope to be added as a
defaultClientScope
for your clients, navigate to the top levelClients
>Client registration
tab.- Click
Allowed Client Scopes
- Add
bare-groups
to the list ofAllowed Client Scopes
- Click
Save
- Click
- Click on
v0.5.0 to v0.5.1
Upgrade Details
This version upgrade utilizes built in Keycloak functionality for User Managed Attributes.
If upgrading without a full redeploy of keycloak the following changes will be needed:
- The
realm.json
will need to be updated to contain the correct User Managed Attributes definition, User Managed Attributes Configuration. The following steps can be used to do this with clickops:- In
Realm Settings
tab and on theGeneral
page- toggle off
User-managed access
Unmanaged Attributes
set toOnly administrators can write
- toggle off
- On
User profile
page- select the
JSON Editor
tab - Copy and Paste the value of the User Attribute Definition from the realm.json
Save
- select the
- In
- Incorporate STIG password rules, in accordance with these two hardening guides:
- Elasticsearch 8.0 Application Server
- Elasticsearch 8.0 Central Log Server
- Changes:
- Passwords expire in 60 days
- Passwords complexity: 2 special characters, 1 digit, 1 lowercase, 1 uppercase, and 15 character minimum length
- IDP session idle timeout is now 10 minutes
- Maximum login attempts is now 3
v0.4.5 to v0.5.0
Upgrade Details
This version upgrade brings in a new Authentication Flow for group authorization.If upgrading without a full redeploy of keycloak the following steps will be necessary to create and use group authorization:
- In keycloak admin portal, in
UDS
realm, navigate toAuthentication
sidebar tab - In
Authentication
tab add theAuthorization
flow toUDS Authentication
,UDS Registration
,UDS Reset Credentials
- In each
Authentication
flowAdd step
->UDS Operator Group Authentication Validation
- Make sure that the step is at the base level and bottom of the Authentication flow
- In each
- Finally if using
SAML
IDP- In the
Authentication
tabCreate Flow
Name
->Authorization
Description
->UDS Operator Group Authentication Validation
Basic Flow
Create
Add execution
Add
theUDS Operator Group Authentication Validation
- In the
Identity Providers
tab, select theSAML
Provider- Add the
Authorization
flow to thePost login flow
in theAdvanced settings
section
- Add the
- In the