Red Hat SSO v7.1 Spec Support

Red Hat SSO v7.1 provides support for OAuth2, OpenID Connect, and SAML2. There are numerous other identity protocols, but these are quite common and can handle a wide variety of use cases.

OpenID Connect Support

From the Red Hat SSO v7.1 Release Notes, we have:

2.1. OpenID Connect Certification
The Keycloak version included in Red Hat Single Sign-On (RH-SSO) 7.1 conforms to the 5 OpenID Connect profiles: Basic, Implicit, Hybrid, Config, and Dynamic. Certification was achieved in Keycloak v2.3 (http://openid.net/certification/). Future RH-SSO 7.x versions will remain compatible with these profiles, unless documented otherwise.

You can see a list of all certified OIDC implementations here.

There are five OpenID Provider Conformance Profiles (described here):

  • Basic OpenID Provider: Basic OpenID Providers implement the features needed by Basic Relying Parties — essentially, those that use the features described in the OpenID Connect Basic Client Implementer’s Guide 1.0 (although the actual profile is based on OpenID Connect Core 1.0). These include the Mandatory to Implement Features for All OpenID Providers described in Section 15.1 of OpenID Connect Core 1.0.
  • Implicit OpenID Provider: Implicit OpenID Providers implement the features needed by Implicit Relying Parties — those that use the features described in the OpenID Connect Implicit Client Implementer’s Guide 1.0, excluding the Self-Issued OP features described in Section 4 (although the actual profile is based on OpenID Connect Core 1.0). These include the Mandatory to Implement Features for All OpenID Providers described in Section 15.1 of OpenID Connect Core 1.0.
  • Hybrid OpenID Provider: Hybrid OpenID Providers implement the features needed by Hybrid Relying Parties — those that use the features described in Section 3.3 of OpenID Connect Core 1.0. These include the Mandatory to Implement Features for All OpenID Providers described in Section 15.1 of OpenID Connect Core 1.0.
  • OpenID Provider Publishing Configuration Information: OpenID Providers Publishing Configuration Information publish their discovery information at provider configuration endpoints, as described in Sections 3 and 4 of OpenID Connect Discovery 1.0.
  • Dynamic OpenID Provider: Dynamic OpenID Providers implement the Mandatory to Implement Features for Dynamic OpenID Providers described in Section 15.2 of OpenID Connect Core 1.0. Note that conforming to the Dynamic OpenID Provider profile also requires that the implementation conforms to the Basic OpenID Provider, Implicit OpenID Provider, and OpenID Provider Publishing Configuration Information profiles and implements the OP features of the OpenID Connect Discovery 1.0 and OpenID Connect Dynamic Client Registration 1.0 specifications.

Basic OpenID Provider conformance requires support for the Authorization Code Flow, which I described with Red Hat SSO v7.0 here. The second and third OpenID Provider Conformance Profiles cover the Implicit Flow and the Hybrid Flow respectively. So, Red Hat SSO v7.0 supports all of the OpenID Connect Authentication Flows.
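One practical way to see which of these profile features a realm actually exposes is to read what it publishes at its provider configuration endpoint (the fourth profile above) and map the advertised response types and endpoints onto the Basic, Implicit, Hybrid, Config, and Dynamic profiles. The following is an added example, not code from the post or from Red Hat SSO; the discovery document below is constructed, the host name and realm are placeholders, and the mapping reports advertised features only, not certification status.

```python
import json

# Constructed sample of the kind of document an OpenID Provider publishes at
# its provider configuration endpoint (host, realm and paths are placeholders,
# not captured from a real server).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://sso.example.test/auth/realms/demo",
    "authorization_endpoint": "https://sso.example.test/auth/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://sso.example.test/auth/realms/demo/protocol/openid-connect/token",
    "jwks_uri": "https://sso.example.test/auth/realms/demo/protocol/openid-connect/certs",
    "registration_endpoint": "https://sso.example.test/auth/realms/demo/clients-registrations/openid-connect",
    "response_types_supported": ["code", "none", "id_token", "token", "id_token token",
                                 "code id_token", "code token", "code id_token token"],
    "subject_types_supported": ["public", "pairwise"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Metadata fields that OpenID Connect Discovery 1.0, Section 3, marks REQUIRED.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "jwks_uri",
                   "response_types_supported", "subject_types_supported",
                   "id_token_signing_alg_values_supported")

IMPLICIT_TYPES = {"id_token", "id_token token"}                    # Implicit Flow
HYBRID_TYPES = {"code id_token", "code token", "code id_token token"}  # Hybrid Flow


def profiles_advertised(discovery_json: str, expected_issuer: str) -> dict:
    """Map a provider's discovery document onto the five conformance profiles."""
    doc = json.loads(discovery_json)
    # Discovery 1.0, Section 4.3: the issuer value MUST match the location the
    # document was retrieved from; metadata for a different issuer is not trusted.
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    rts = set(doc.get("response_types_supported", []))
    config_ok = all(field in doc for field in REQUIRED_FIELDS)
    basic = "code" in rts and "token_endpoint" in doc   # Authorization Code Flow
    implicit = bool(rts & IMPLICIT_TYPES)
    hybrid = bool(rts & HYBRID_TYPES)
    return {
        "Basic": basic,
        "Implicit": implicit,
        "Hybrid": hybrid,
        "Config": config_ok,
        # Dynamic builds on Basic, Implicit and Config and needs client registration.
        "Dynamic": basic and implicit and config_ok and "registration_endpoint" in doc,
    }


if __name__ == "__main__":
    print(profiles_advertised(SAMPLE_DISCOVERY, "https://sso.example.test/auth/realms/demo"))
```

Against a live realm you would fetch the document over HTTPS and pass the realm's issuer URL as expected_issuer; the issuer check is what stops a relying party from accepting metadata served for a different issuer.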

OAuth2 Support

Although the official documentation never explicitly states it (at least, not that I could find), Red Hat SSO provides full support for OAuth v2.0, per this Red Hat blog post. The documentation describes OAuth v2.0 as an incomplete protocol that needs something like OpenID Connect layered on top of it, which is in line with how the OAuth v2.0 spec describes itself. So, while the support is there, it isn’t promoted directly (only indirectly, through the OIDC support).

SAML2 Support

Red Hat SSO supports the following SAML2 bindings:

  • Redirect Binding (web applications)
  • POST Binding (web applications)
  • Enhanced Client or Proxy (ECP, for REST or SOAP clients, typically)