Upgrading Versions
This doc contains important information for upgrading uds-identity-config versions. It is not meant to be an exhaustive list of changes between versions, rather information and steps required to manually upgrade versions without a full redeploy of keycloak.
v0.11.0+
Upgrade Details
In uds-identity-config versions v0.11.0+, the UDS Operator can automatically switch to Client Credentials Grant from using the Dynamic Client Registration. The new method works faster, is more reliable and doesn’t require storing Registration Tokens in the Pepr Store. It is highly recommended to switch to it, which requires the following steps:
- Create the
uds-operator
Client:- Go to
Clients
>Client registration
>Create
- Client type:
openid-connect
- Client ID:
uds-operator
- Client Name:
uds-operator
- Click
Next
- Client authentication: on
- Uncheck all Authentications flows except from
Service account roles
- Click
Next
- Click
Save
- Client type:
- Go to
Clients
>uds-operator
>Credentials
tab- Set
Client Authenticator
toClient Id and Kubernetes Secret
- Click
Save
- Set
- Go to
- Configure the UDS Client Policy
- Go to
Realm Settings
>Client Policies
>Profiles
- Click
Create Client Profile
- Name:uds-client-profile
- Description:UDS Client Profile
- ClickSave
- Click
Add Executor
- Selectuds-operator-permissions
- ClickAdd
- Click
- Go to
Realm Settings
>Client Policies
>Policies
- Click
Create client policy
- Name:uds-client-policy
- Description:UDS Client Policy
- Click
Add condition
- Select
any-client
- Click
Add
- Click
Add client profile
- Select
uds-client-profile
- Click
Add
(there is a glitch in the UI where it seems all the profiles are selected, but only the selected one is actually chosen)
- Click
- Go to
- Configure the Client Credentials Authentication Flow
- Go to
Authentication
>Flows
- Click
clients
- ClickActions
>Duplicate
- Name:UDS Client Credentials
- DescriptionUDS Client Credentials
- ClickDuplicate
- Go to
Authentication
>UDS Client Credentials
- ClickAdd Step
- SelectClient Id and Kubernetes Secret
- ClickAdd
- SelectRequirement
and set it toAlternative
- Go to
Authentication
, select three dots on the right side of the panel forUDS Client Credentials
and selectBind flows
- SelectClient authentication flow
- ClickSave
- Click
- Go to
- Verify that everything is configured correctly
- Deploy a new package or update the existing one
- Check UDS Operator logs and verify if there are no errors
- Use
uds zarf tools kubectl logs deploy/pepr-uds-core-watcher -n pepr-system | grep "Client Credentials Keycloak Client is available"
command to verify if the UDS Operator uses the Client Credentials flow.
- Use
After introducing the above changes, please ensure all Packages are reconciled correctly and there are no errors. If for some reason you see the UDS Operator throwing errors with The Client doesn't have the created-by=uds-operator attribute. Rejecting request
, you need to disable the UDS Client Policy
and give it a bit more time to process all the Packages.
In uds-identity-config version 0.11.0 we incorporated some big changes around MFA.
- Previous versions didn’t allow for MFA on the X509 Authentication flow. Now that can be configured to required additional factors of authentication. By default this is disabled and will need to be enabled.
- Additionally, we’ve added support of WebAuthn MFA. This can assume many different forms such as biometrics, passkeys, etc. This also is disabled by default and is only used as an MFA option.
If wanting to configure the MFA everywhere with both OTP and WebAuthn options, the following steps will help to manually configure these options on an upgrade:
- There is a new theme for webauthn-authentication that conditionally removes the register button. This is removed because we assume that since you are doing MFA you have already provided enough details to be identified by Keycloak and don’t need to register.
- The Authentication
Required Actions
have a few changes as well:- Click
Authentication
tab from left side menu - Click
Required Actions
tab from Authentication page menu - Enable the following
Required Actions
, only toggle theEnabled
DO NOT TOGGLESet as default action
:Configure OTP
Webauthn Register
Delete Credential
- Disable the
WebAuthn Register Passwordless
, make sure this is not theWebAuthn Register
option ( this one should be enabled )
- Click
- The
UDS Authentication
authentication flow has undergone significant changes.- Click
Authentication
tab from left side menu - Click
UDS Authentication
flow option - This can be very dangerous to modify so make sure you know what you’re doing before making changes here
- In the
Authentication
top level sub-flow of theUDS Authentication
flow- Click the
+
icon and add asub-flow
- Name that sub-flow
X509 Authentication
- Name that sub-flow
- Drag that new sub-flow up and drop below the
Cookie
and theIDP Redirector
step - Set the flow to
Alternative
- in the new
X509 Authentication
sub-flow select the+
icon and add a sub-flow calledX509 Conditional OTP
- Set the
X509 Conditional OTP
toRequired
- Click the
+
and add theCondition
calledCondition - user configured
- set this to be
Required
- set this to be
- Click the
+
and add the step calledOTP Form
- set this to be
Required
- set this to be
- Click the
+
and add the step calledWebAuthn Authenticator
- Set the
- Drag the existing
X509/Validate Username Form
step into theX509 Authentication
sub-flow, should be above theX509 Conditional OTP
- May have to drag this twice, make sure this is
Required
- May have to drag this twice, make sure this is
- Click the
- Click
To add an IDP Redirector
option to the UDS Authentication
, which enables bypassing the login page and jumping directly to the IDP login when using the kc_idp_hint
URL parameter, do the following steps:
- Click
Authentication
from the left sidebar underConfigure
- Select the
UDS Authentication
auth flow - Under the
Authentication
sub-flow inUDS Authentication
, click the+
and add a newsub-flow
- Name that sub-flow
idp redirector
- click
Add
- Name that sub-flow
- Drag that new
idp redirector
sub-flow from the bottom of theAuthentication
sub-flow to be directly below theCookie
step - Set the
idp redirector
sub-flow to beAlternative
- Click the
+
on theidp redirector
sub-flow and add a new step - Select the
Identity Provider Redirector
- Click
Add
- Set that
Identity Provider Redirector
step toRequired
v0.10.0+
Upgrade Details
In uds-identity-config versions 0.10.0+, the version of Keycloak was upgraded to Keycloak 26.1.0. In this release of Keycloak an unmentioned breaking change that added case sensitivity to the Client SAML Mappers. This resulted in breaking SAML Auth flows due to users IDP data not being correctly mapped into applications ( ex. Sonarqube, Gitlab, etc ). Manual steps to fix this issue:
- Click
Client scopes
- For each of the following mappers:
mapper-saml-email-email
mapper-saml-firstname-first_name
mapper-saml-lastname-last_name
mapper-saml-username-login
mapper-saml-username-name
- Select the mapper, should now be on the
Client scope details
page - Select the
Mappers
tab - Select the available mapper
- Manually change the
Property
field dropdown to match the designated mapper propertymapper-saml-email-email
had a value ofEmail
, that needs to be changed to select theemail
option from the drop down.mapper-saml-firstname-first_name
had a value ofFirstName
, that needs to be changed to select thefirstName
option from the drop down.mapper-saml-lastname-last_name
had a value ofLastName
, that needs to be changed to select thelastName
option from the drop down.mapper-saml-username-login
had a value ofUsername
, that needs to be changed to select theusername
option from the drop down.mapper-saml-username-name
had a value ofUsername
, that needs to be changed to select theusername
option from the drop down.
- Make sure and click
Save
after updating the property field
v0.9.1 to v0.10.0
Upgrade Details
- For running Istio with Ambient Mesh, it is required to add two new entries to the trusted hosts list:
*.pepr-uds-core-watcher.pepr-system.svc.cluster.local
and*.keycloak.svc.cluster.local
. This is done automatically for new deployments but when upgrading it is required to perform these extra steps:- Click
Clients
>Client registration
>Client details
- Add
*.pepr-uds-core-watcher.pepr-system.svc.cluster.local
and*.keycloak.svc.cluster.local
to theTrusted Hosts
list - Click
Save
- Click
- Keycloak 26.1.1 introduces a new option to force re-login after resetting credentials (Keycloak Release Notes). This option has been enabled for new deployments but the existing ones, it needs to be turned on manually:
- Click
Authentication
>UDS Reset Credentials
and findSend Reset Email
Step of the Authentication Flow. - Click
Settings
, enter a new alias name, for examplereset-credentials-email
and turn theForce login after reset
option on. - Click
Save
- Click
v0.5.1 to v0.5.2
Upgrade Details
- An custom Keycloak event logger that replaces the default event logger is included in this release, if you wish to enable manually as part of an upgrade do the following (in the
Unicorn Delivery Service
realm):- Click on the
Realm Settings
>Events
and addjsonlog-event-listener
. - Remove the built in
jboss-logging
event listener. - Click
Save
- Click on the
- The custom registration event listener was renamed from
custom-registration-listener
toregistration-event-listener
. To manually update this event listener (in theUnicorn Delivery Service
realm):- Click on the
Realm Settings
>Events
and addregistration-event-listener
. - Remove
custom-registration-listener
. - Click
Save
- Click on the
- An additional scope (
bare-groups
) was included in the uds realm.json. To add this scope manually do the following (in theUnicorn Delivery Service
realm):- Click on
Client Scopes
>Create client scope
. - Name the scope
bare-groups
, and configure it to be- Type:
Optional
- Include in token scope:
On
- Type:
- Click
Save
- Click
Mappers
>Create a new mapper
- Select
Custom Group Path Mapper
and name itbare groups
- To enable this scope to be added as a
defaultClientScope
for your clients, navigate to the top levelClients
>Client registration
tab.- Click
Allowed Client Scopes
- Add
bare-groups
to the list ofAllowed Client Scopes
- Click
Save
- Click
- Click on
v0.5.0 to v0.5.1
Upgrade Details
This version upgrade utilizes built in Keycloak functionality for User Managed Attributes.
If upgrading without a full redeploy of keycloak the following changes will be needed:
- The
realm.json
will need to be updated to contain the correct User Managed Attributes definition, User Managed Attributes Configuration. The following steps can be used to do this with clickops:- In
Realm Settings
tab and on theGeneral
page- toggle off
User-managed access
Unmanaged Attributes
set toOnly administrators can write
- toggle off
- On
User profile
page- select the
JSON Editor
tab - Copy and Paste the value of the User Attribute Definition from the realm.json
Save
- select the
- In
- Incorporate STIG password rules, in accordance with these two hardening guides:
- Elasticsearch 8.0 Application Server
- Elasticsearch 8.0 Central Log Server
- Changes:
- Passwords expire in 60 days
- Passwords complexity: 2 special characters, 1 digit, 1 lowercase, 1 uppercase, and 15 character minimum length
- IDP session idle timeout is now 10 minutes
- Maximum login attempts is now 3
v0.4.5 to v0.5.0
Upgrade Details
This version upgrade brings in a new Authentication Flow for group authorization.If upgrading without a full redeploy of keycloak the following steps will be necessary to create and use group authorization:
- In keycloak admin portal, in
UDS
realm, navigate toAuthentication
sidebar tab - In
Authentication
tab add theAuthorization
flow toUDS Authentication
,UDS Registration
,UDS Reset Credentials
- In each
Authentication
flowAdd step
->UDS Operator Group Authentication Validation
- Make sure that the step is at the base level and bottom of the Authentication flow
- In each
- Finally if using
SAML
IDP- In the
Authentication
tabCreate Flow
Name
->Authorization
Description
->UDS Operator Group Authentication Validation
Basic Flow
Create
Add execution
Add
theUDS Operator Group Authentication Validation
- In the
Identity Providers
tab, select theSAML
Provider- Add the
Authorization
flow to thePost login flow
in theAdvanced settings
section
- Add the
- In the