You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@syncope.apache.org by il...@apache.org on 2021/11/26 16:23:16 UTC
[syncope] 02/02: Reference Guide reviewed and compelted for 3.0 up to Customization
This is an automated email from the ASF dual-hosted git repository.
ilgrosso pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/syncope.git
commit a22b3c837249c6c39e57953aefdef2aa73710546
Author: Francesco Chicchiriccò <il...@apache.org>
AuthorDate: Fri Nov 26 17:20:33 2021 +0100
Reference Guide reviewed and compelted for 3.0 up to Customization
---
.github/workflows/crosschecks.yml | 2 +-
.../console/panels/SRARouteFilterPanel.properties | 2 +-
.../panels/SRARouteFilterPanel_it.properties | 2 +-
.../panels/SRARouteFilterPanel_ja.properties | 2 +-
.../panels/SRARouteFilterPanel_pt_BR.properties | 2 +-
.../panels/SRARouteFilterPanel_ru.properties | 2 +-
.../panels/SRARoutePredicatePanel.properties | 2 +-
.../panels/SRARoutePredicatePanel_it.properties | 2 +-
.../panels/SRARoutePredicatePanel_ja.properties | 2 +-
.../panels/SRARoutePredicatePanel_pt_BR.properties | 2 +-
.../panels/SRARoutePredicatePanel_ru.properties | 2 +-
.../core/persistence/jpa/dao/AbstractAnyDAO.java | 9 +-
.../core/persistence/jpa/dao/AbstractDAO.java | 7 +
.../client/console/panels/UserRequestsPanel.html | 2 +-
pom.xml | 8 +-
.../asciidoc/getting-started/introduction.adoc | 23 +--
.../asciidoc/images/accessibility-console01.png | Bin 39423 -> 31245 bytes
.../asciidoc/images/accessibility-enduser01.png | Bin 22466 -> 22633 bytes
src/main/asciidoc/images/approval1.png | Bin 1705 -> 2742 bytes
src/main/asciidoc/images/approval2.png | Bin 13774 -> 25522 bytes
src/main/asciidoc/images/approval3.png | Bin 14284 -> 29036 bytes
src/main/asciidoc/images/approval4.png | Bin 13969 -> 15381 bytes
src/main/asciidoc/images/approval5.png | Bin 21400 -> 36361 bytes
src/main/asciidoc/images/approval6.png | Bin 9966 -> 15328 bytes
src/main/asciidoc/images/architecture.png | Bin 131899 -> 132150 bytes
src/main/asciidoc/images/architecture.xml | 2 +-
src/main/asciidoc/images/consoleDashboard.png | Bin 60184 -> 62451 bytes
src/main/asciidoc/images/consoleLogin.png | Bin 19766 -> 17312 bytes
src/main/asciidoc/images/consoleReports.png | Bin 38886 -> 31220 bytes
src/main/asciidoc/images/enduserHome.png | Bin 0 -> 26494 bytes
src/main/asciidoc/images/enduserLogin.png | Bin 20506 -> 19658 bytes
.../asciidoc/images/enduser_userrequests_none.png | Bin 0 -> 28644 bytes
.../asciidoc/images/enduser_userrequests_start.png | Bin 0 -> 31204 bytes
.../images/enduser_userrequests_started.png | Bin 0 -> 43730 bytes
src/main/asciidoc/images/iam-scenario.png | Bin 165091 -> 165234 bytes
src/main/asciidoc/images/iam-scenario.xml | 2 +-
src/main/asciidoc/images/keymaster_domains.png | Bin 0 -> 23687 bytes
.../asciidoc/images/keymaster_networkservices.png | Bin 0 -> 18084 bytes
src/main/asciidoc/images/keymaster_parameters.png | Bin 0 -> 39114 bytes
src/main/asciidoc/images/passwordreset.png | Bin 0 -> 88625 bytes
src/main/asciidoc/images/realmsUser.png | Bin 46516 -> 37285 bytes
.../main/asciidoc/images/sra-request.plantuml | 42 ++---
src/main/asciidoc/images/sra-request.png | Bin 0 -> 35289 bytes
src/main/asciidoc/images/sra.png | Bin 0 -> 23457 bytes
src/main/asciidoc/images/wa.png | Bin 0 -> 48250 bytes
.../reference-guide/architecture/architecture.adoc | 172 ++++-----------------
.../reference-guide/architecture/core.adoc | 10 +-
.../asciidoc/reference-guide/concepts/audit.adoc | 12 +-
.../concepts/authenticationmodules.adoc | 61 ++++++++
.../concepts/clientapplications.adoc | 44 ++++++
.../reference-guide/concepts/concepts.adoc | 6 +
.../asciidoc/reference-guide/concepts/domains.adoc | 2 +-
.../reference-guide/concepts/entitlements.adoc | 8 +-
.../reference-guide/concepts/extensions.adoc | 8 +-
.../concepts/externalresources.adoc | 2 +-
.../reference-guide/concepts/implementations.adoc | 3 +-
.../reference-guide/concepts/notifications.adoc | 8 +-
.../reference-guide/concepts/policies.adoc | 91 ++++++++---
.../concepts/provisioning/provisioning.adoc | 2 +-
.../concepts/provisioning/pull.adoc | 4 +-
.../asciidoc/reference-guide/concepts/reports.adoc | 24 +--
.../asciidoc/reference-guide/concepts/routes.adoc | 120 ++++++++++++++
.../asciidoc/reference-guide/concepts/tasks.adoc | 6 +-
.../reference-guide/concepts/typemanagement.adoc | 8 +-
.../concepts/usersgroupsandanyobjects.adoc | 10 +-
.../identitytechnologies/accessmanagers.adoc | 17 +-
...visioningengines.adoc => identitymanagers.adoc} | 12 +-
.../identitytechnologies/identitytechnologies.adoc | 2 +-
.../asciidoc/reference-guide/reference-guide.adoc | 12 +-
.../adminconsole/adminconsole.adoc | 62 +++++++-
.../adminconsole/configuration.adoc | 30 ++--
.../{adminconsole.adoc => keymaster.adoc} | 38 ++---
.../adminconsole/sra.adoc} | 37 +----
.../adminconsole/userrequests.adoc} | 37 +----
.../adminconsole/wa.adoc} | 38 +----
.../workingwithapachesyncope/customization.adoc | 70 +--------
.../workingwithapachesyncope/enduser.adoc | 49 ------
.../workingwithapachesyncope/enduser/enduser.adoc | 92 +++++++++++
.../enduser/home.adoc} | 36 +----
.../enduser/passwordreset.adoc | 68 ++++++++
.../enduser/personal.adoc} | 34 +---
.../enduser/userrequests.adoc} | 21 +--
.../workingwithapachesyncope/restfulservices.adoc | 32 ++--
.../configurationparameters.adoc | 3 +-
.../systemadministration/importexport.adoc | 1 -
.../systemadministration/keystore.adoc | 2 +-
.../systemadministration/systemadministration.adoc | 6 -
.../workingwithapachesyncope.adoc | 2 +-
src/site/xdoc/mailing-lists.xml | 28 +---
89 files changed, 802 insertions(+), 645 deletions(-)
diff --git a/.github/workflows/crosschecks.yml b/.github/workflows/crosschecks.yml
index 6b51baf..a7cddba 100644
--- a/.github/workflows/crosschecks.yml
+++ b/.github/workflows/crosschecks.yml
@@ -33,7 +33,7 @@ jobs:
fail-fast: false
matrix:
language: ['java']
- java: [ '11', '14', '17' ]
+ java: [ '11', '17' ]
os: [ubuntu-latest, windows-latest, macos-latest]
steps:
diff --git a/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARouteFilterPanel.properties b/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARouteFilterPanel.properties
index bf63f31..8aff555 100644
--- a/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARouteFilterPanel.properties
+++ b/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARouteFilterPanel.properties
@@ -16,4 +16,4 @@
# under the License.
factory=Factory
args=Arguments
-factoryInfo.help=Check <a href="https://cloud.spring.io/spring-cloud-static/spring-cloud-gateway/${spring-cloud-gateway.version}/single/spring-cloud-gateway.html#_gatewayfilter_factories" target="blank">Spring Cloud Gateway documentation</a> for more information
+factoryInfo.help=Check <a href="https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/#gatewayfilter-factories" target="blank">Spring Cloud Gateway documentation</a> for more information
diff --git a/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARouteFilterPanel_it.properties b/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARouteFilterPanel_it.properties
index 2cf742f..f443eeb 100644
--- a/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARouteFilterPanel_it.properties
+++ b/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARouteFilterPanel_it.properties
@@ -16,4 +16,4 @@
# under the License.
factory=Factory
args=Argomenti
-factoryInfo.help=Consultare la <a href="https://cloud.spring.io/spring-cloud-static/spring-cloud-gateway/${spring-cloud-gateway.version}/single/spring-cloud-gateway.html#\n_gatewayfilter_factories" target="blank">documentazione di Spring Cloud Gateway</a> per maggiori informazioni
+factoryInfo.help=Consultare la <a href="https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/#gatewayfilter-factories" target="blank">documentazione di Spring Cloud Gateway</a> per maggiori informazioni
diff --git a/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARouteFilterPanel_ja.properties b/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARouteFilterPanel_ja.properties
index 5d59db1..49d949f 100644
--- a/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARouteFilterPanel_ja.properties
+++ b/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARouteFilterPanel_ja.properties
@@ -16,4 +16,4 @@
# under the License.
factory=\u30d5\u30a1\u30af\u30c8\u30ea\u30fc
args=\u5f15\u6570
-factoryInfo.help=\u8a73\u7d30\u306f <a href="https://cloud.spring.io/spring-cloud-static/spring-cloud-gateway/${spring-cloud-gateway.version}/single/spring-cloud-gateway.html#_gatewayfilter_factories" target="blank">Spring Cloud Gateway \u30c9\u30ad\u30e5\u30e1\u30f3\u30c8</a> \u3092\u3054\u89a7\u304f\u3060\u3055\u3044
+factoryInfo.help=\u8a73\u7d30\u306f <a href="https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/#gatewayfilter-factories" target="blank">Spring Cloud Gateway \u30c9\u30ad\u30e5\u30e1\u30f3\u30c8</a> \u3092\u3054\u89a7\u304f\u3060\u3055\u3044
diff --git a/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARouteFilterPanel_pt_BR.properties b/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARouteFilterPanel_pt_BR.properties
index bf63f31..8aff555 100644
--- a/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARouteFilterPanel_pt_BR.properties
+++ b/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARouteFilterPanel_pt_BR.properties
@@ -16,4 +16,4 @@
# under the License.
factory=Factory
args=Arguments
-factoryInfo.help=Check <a href="https://cloud.spring.io/spring-cloud-static/spring-cloud-gateway/${spring-cloud-gateway.version}/single/spring-cloud-gateway.html#_gatewayfilter_factories" target="blank">Spring Cloud Gateway documentation</a> for more information
+factoryInfo.help=Check <a href="https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/#gatewayfilter-factories" target="blank">Spring Cloud Gateway documentation</a> for more information
diff --git a/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARouteFilterPanel_ru.properties b/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARouteFilterPanel_ru.properties
index bf63f31..8aff555 100644
--- a/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARouteFilterPanel_ru.properties
+++ b/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARouteFilterPanel_ru.properties
@@ -16,4 +16,4 @@
# under the License.
factory=Factory
args=Arguments
-factoryInfo.help=Check <a href="https://cloud.spring.io/spring-cloud-static/spring-cloud-gateway/${spring-cloud-gateway.version}/single/spring-cloud-gateway.html#_gatewayfilter_factories" target="blank">Spring Cloud Gateway documentation</a> for more information
+factoryInfo.help=Check <a href="https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/#gatewayfilter-factories" target="blank">Spring Cloud Gateway documentation</a> for more information
diff --git a/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARoutePredicatePanel.properties b/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARoutePredicatePanel.properties
index 0bf3c9c..0301ef4 100644
--- a/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARoutePredicatePanel.properties
+++ b/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARoutePredicatePanel.properties
@@ -18,4 +18,4 @@ negate=Negate
factory=Factory
args=Arguments
cond=Condition
-factoryInfo.help=Check <a href="https://cloud.spring.io/spring-cloud-static/spring-cloud-gateway/${spring-cloud-gateway.version}/single/spring-cloud-gateway.html#gateway-request-predicates-factories" target="blank">Spring Cloud Gateway documentation</a> for more information
+factoryInfo.help=Check <a href="https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/#gateway-request-predicates-factories" target="blank">Spring Cloud Gateway documentation</a> for more information
diff --git a/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARoutePredicatePanel_it.properties b/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARoutePredicatePanel_it.properties
index ad9e360..c0d25e4 100644
--- a/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARoutePredicatePanel_it.properties
+++ b/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARoutePredicatePanel_it.properties
@@ -18,4 +18,4 @@ negate=Nega
factory=Factory
args=Argomenti
cond=Condizione
-factoryInfo.help=Consultare la <a href="https://cloud.spring.io/spring-cloud-static/spring-cloud-gateway/${spring-cloud-gateway.version}/single/spring-cloud-gateway.html#gateway-request-predicates-factories" target="blank">documentazione di Spring Cloud Gateway</a> per maggiori informazioni
+factoryInfo.help=Consultare la <a href="https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/#gateway-request-predicates-factories" target="blank">documentazione di Spring Cloud Gateway</a> per maggiori informazioni
diff --git a/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARoutePredicatePanel_ja.properties b/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARoutePredicatePanel_ja.properties
index 43c9839..2ab3174 100644
--- a/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARoutePredicatePanel_ja.properties
+++ b/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARoutePredicatePanel_ja.properties
@@ -18,4 +18,4 @@ negate=\u5426\u5b9a
factory=\u30d5\u30a1\u30af\u30c8\u30ea\u30fc
args=\u5f15\u6570
cond=\u6761\u4ef6
-factoryInfo.help=\u8a73\u7d30\u306f <a href="https://cloud.spring.io/spring-cloud-static/spring-cloud-gateway/${spring-cloud-gateway.version}/single/spring-cloud-gateway.html#gateway-request-predicates-factories" target="blank">Spring Cloud Gateway \u30c9\u30ad\u30e5\u30e1\u30f3\u30c8</a> \u3092\u3054\u89a7\u304f\u3060\u3055\u3044
+factoryInfo.help=\u8a73\u7d30\u306f <a href="https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/#gateway-request-predicates-factories" target="blank">Spring Cloud Gateway \u30c9\u30ad\u30e5\u30e1\u30f3\u30c8</a> \u3092\u3054\u89a7\u304f\u3060\u3055\u3044
diff --git a/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARoutePredicatePanel_pt_BR.properties b/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARoutePredicatePanel_pt_BR.properties
index 0bf3c9c..0301ef4 100644
--- a/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARoutePredicatePanel_pt_BR.properties
+++ b/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARoutePredicatePanel_pt_BR.properties
@@ -18,4 +18,4 @@ negate=Negate
factory=Factory
args=Arguments
cond=Condition
-factoryInfo.help=Check <a href="https://cloud.spring.io/spring-cloud-static/spring-cloud-gateway/${spring-cloud-gateway.version}/single/spring-cloud-gateway.html#gateway-request-predicates-factories" target="blank">Spring Cloud Gateway documentation</a> for more information
+factoryInfo.help=Check <a href="https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/#gateway-request-predicates-factories" target="blank">Spring Cloud Gateway documentation</a> for more information
diff --git a/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARoutePredicatePanel_ru.properties b/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARoutePredicatePanel_ru.properties
index 0bf3c9c..0301ef4 100644
--- a/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARoutePredicatePanel_ru.properties
+++ b/client/am/console/src/main/resources/org/apache/syncope/client/console/panels/SRARoutePredicatePanel_ru.properties
@@ -18,4 +18,4 @@ negate=Negate
factory=Factory
args=Arguments
cond=Condition
-factoryInfo.help=Check <a href="https://cloud.spring.io/spring-cloud-static/spring-cloud-gateway/${spring-cloud-gateway.version}/single/spring-cloud-gateway.html#gateway-request-predicates-factories" target="blank">Spring Cloud Gateway documentation</a> for more information
+factoryInfo.help=Check <a href="https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/#gateway-request-predicates-factories" target="blank">Spring Cloud Gateway documentation</a> for more information
diff --git a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/AbstractAnyDAO.java b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/AbstractAnyDAO.java
index 8ac8d40..3133c9e 100644
--- a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/AbstractAnyDAO.java
+++ b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/AbstractAnyDAO.java
@@ -18,6 +18,7 @@
*/
package org.apache.syncope.core.persistence.jpa.dao;
+import java.time.LocalDateTime;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
@@ -146,8 +147,12 @@ public abstract class AbstractAnyDAO<A extends Any<?>> extends AbstractDAO<A> im
Date creationDate = null;
Date lastChangeDate = null;
if (!result.isEmpty()) {
- creationDate = (Date) result.get(0)[0];
- lastChangeDate = (Date) result.get(0)[1];
+ creationDate = result.get(0)[0] instanceof LocalDateTime
+ ? convert((LocalDateTime) result.get(0)[0])
+ : (Date) result.get(0)[0];
+ lastChangeDate = result.get(0)[1] instanceof LocalDateTime
+ ? convert((LocalDateTime) result.get(0)[1])
+ : (Date) result.get(0)[1];
}
return Optional.ofNullable(lastChangeDate).orElse(creationDate);
diff --git a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/AbstractDAO.java b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/AbstractDAO.java
index 4ad4d9c..7277a63 100644
--- a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/AbstractDAO.java
+++ b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/AbstractDAO.java
@@ -18,6 +18,9 @@
*/
package org.apache.syncope.core.persistence.jpa.dao;
+import java.time.LocalDateTime;
+import java.time.ZoneId;
+import java.util.Date;
import javax.persistence.EntityManager;
import org.apache.syncope.core.persistence.api.dao.DAO;
import org.apache.syncope.core.persistence.api.entity.Entity;
@@ -31,6 +34,10 @@ public abstract class AbstractDAO<E extends Entity> implements DAO<E> {
protected static final Logger LOG = LoggerFactory.getLogger(DAO.class);
+ protected Date convert(final LocalDateTime localDateTime) {
+ return Date.from(localDateTime.atZone(ZoneId.systemDefault()).toInstant());
+ }
+
protected EntityManager entityManager() {
EntityManager entityManager = EntityManagerFactoryUtils.getTransactionalEntityManager(
EntityManagerFactoryUtils.findEntityManagerFactory(
diff --git a/ext/flowable/client-console/src/main/resources/org/apache/syncope/client/console/panels/UserRequestsPanel.html b/ext/flowable/client-console/src/main/resources/org/apache/syncope/client/console/panels/UserRequestsPanel.html
index ec0a3f4..5a2444e 100644
--- a/ext/flowable/client-console/src/main/resources/org/apache/syncope/client/console/panels/UserRequestsPanel.html
+++ b/ext/flowable/client-console/src/main/resources/org/apache/syncope/client/console/panels/UserRequestsPanel.html
@@ -24,7 +24,7 @@ under the License.
<span wicket:id="filter">[FILTER]</span>
<span class="input-group-btn">
<button type="button" class="btn btn-default btn-flat" wicket:id="search">
- <span class="glyphicon glyphicon-search" aria-hidden="true"></span>
+ <span class="fas fa-search" aria-hidden="true"></span>
</button>
</span>
</div>
diff --git a/pom.xml b/pom.xml
index 7fb9832..88ff82a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -509,11 +509,11 @@ under the License.
<docker.postgresql.version>14</docker.postgresql.version>
<docker.mysql.version>8.0</docker.mysql.version>
- <docker.mariadb.version>10.6</docker.mariadb.version>
+ <docker.mariadb.version>10</docker.mariadb.version>
- <jdbc.postgresql.version>42.2.24</jdbc.postgresql.version>
- <jdbc.mysql.version>8.0.22</jdbc.mysql.version>
- <jdbc.mariadb.version>2.7.3</jdbc.mariadb.version>
+ <jdbc.postgresql.version>42.3.1</jdbc.postgresql.version>
+ <jdbc.mysql.version>8.0.27</jdbc.mysql.version>
+ <jdbc.mariadb.version>2.7.4</jdbc.mariadb.version>
<jdbc.mssql.version>9.4.0.jre</jdbc.mssql.version>
<jdbc.oracle.version>21.3.0.0</jdbc.oracle.version>
diff --git a/src/main/asciidoc/getting-started/introduction.adoc b/src/main/asciidoc/getting-started/introduction.adoc
index 249eb3f..769f17f 100644
--- a/src/main/asciidoc/getting-started/introduction.adoc
+++ b/src/main/asciidoc/getting-started/introduction.adoc
@@ -22,20 +22,23 @@
*Apache Syncope* is an Open Source system for managing digital identities in enterprise environments, implemented in
Java EE technology and released under the Apache 2.0 license.
-Often, Identity Management and Access Management are jointly referred, mainly because their two management worlds likely
-coexist in the same project or in the same environment.
+Often, _Identity Management_ and _Access Management_ are jointly referred, mainly because their two management worlds
+likely coexist in the same project or in the same environment.
The two topics are however completely different: each one has its own context, its own rules, its own best practices.
-*Identity Management* (or IdM) consists of tools and practices to keep identity data consistent and synchronized across
-repositories, data formats and models.
+On the other hand, some products provide unorthodox implementations so it is indeed possible to do the same thing with
+both of them.
-*Access Management* (or AM) is about systems, protocols and technologies supporting user _authentication_
-(how users are let accessing a given system) and __authorization__ (which capabilities each user owns on a given system).
+****
+Identity Management:: Tools and practices to keep identity data consistent and synchronized across repositories, data
+formats and models.
+Access Management:: Systems, protocols and technologies supporting user authentication (how Users are let accessing a
+given system) and authorization (which capabilities each user owns on a given system).
+****
-From the definitions above, Identity Management and Access Management can be seen as complementary: very often, the
-data synchronized by the former are then used by the latter to provide its features - e.g. authentication and
-authorization.
+From the definitions above, Identity Management and Access Management can be seen as complementary: very often, the data
+synchronized by the former are then used by the latter to provide its features - e.g. authentication and authorization.
=== What is Identity Management, anyway?
@@ -79,7 +82,7 @@ Very often, SSO is achieved by implementing some of the most popular protocols a
https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language[SAML^] and http://openid.net/connect/[OpenID Connect^].
Social login, designed to simplify logins, is a form of single sign-on using existing information from a social
-networking service to sign into a third party website instead of creating a new login account specifically for that
+networking service to sign into a third-party website instead of creating a new login account specifically for that
website.
=== Identity and Access Management - Reference Scenario
diff --git a/src/main/asciidoc/images/accessibility-console01.png b/src/main/asciidoc/images/accessibility-console01.png
index be7cf54..1efaa08 100644
Binary files a/src/main/asciidoc/images/accessibility-console01.png and b/src/main/asciidoc/images/accessibility-console01.png differ
diff --git a/src/main/asciidoc/images/accessibility-enduser01.png b/src/main/asciidoc/images/accessibility-enduser01.png
index 5ed2303..37d7d52 100644
Binary files a/src/main/asciidoc/images/accessibility-enduser01.png and b/src/main/asciidoc/images/accessibility-enduser01.png differ
diff --git a/src/main/asciidoc/images/approval1.png b/src/main/asciidoc/images/approval1.png
index d667fc6..148fb85 100644
Binary files a/src/main/asciidoc/images/approval1.png and b/src/main/asciidoc/images/approval1.png differ
diff --git a/src/main/asciidoc/images/approval2.png b/src/main/asciidoc/images/approval2.png
index 64e82aa..75e0659 100644
Binary files a/src/main/asciidoc/images/approval2.png and b/src/main/asciidoc/images/approval2.png differ
diff --git a/src/main/asciidoc/images/approval3.png b/src/main/asciidoc/images/approval3.png
index f27f50d..46f7d88 100644
Binary files a/src/main/asciidoc/images/approval3.png and b/src/main/asciidoc/images/approval3.png differ
diff --git a/src/main/asciidoc/images/approval4.png b/src/main/asciidoc/images/approval4.png
index 6fbce13..ae1b949 100644
Binary files a/src/main/asciidoc/images/approval4.png and b/src/main/asciidoc/images/approval4.png differ
diff --git a/src/main/asciidoc/images/approval5.png b/src/main/asciidoc/images/approval5.png
index d5edd63..6a735b9 100644
Binary files a/src/main/asciidoc/images/approval5.png and b/src/main/asciidoc/images/approval5.png differ
diff --git a/src/main/asciidoc/images/approval6.png b/src/main/asciidoc/images/approval6.png
index 69ed6f4..4517940 100644
Binary files a/src/main/asciidoc/images/approval6.png and b/src/main/asciidoc/images/approval6.png differ
diff --git a/src/main/asciidoc/images/architecture.png b/src/main/asciidoc/images/architecture.png
index 35b6b92..f018623 100644
Binary files a/src/main/asciidoc/images/architecture.png and b/src/main/asciidoc/images/architecture.png differ
diff --git a/src/main/asciidoc/images/architecture.xml b/src/main/asciidoc/images/architecture.xml
index 4baab3c..8706672 100644
--- a/src/main/asciidoc/images/architecture.xml
+++ b/src/main/asciidoc/images/architecture.xml
@@ -17,4 +17,4 @@ KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
-<mxfile modified="2021-11-19T16:26:40.712Z" host="app.diagrams.net" agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36" etag="TpRqIwXl23oWXvRkSgJr" version="15.8.2" type="device"><diagram id="0" name="Page-1">5L3XsuPIlQX6NXrUBEn4R3hHeI+XG/CGILz/+ovkqZK6ukozGqlbcyNuRZw4RALM3Llzm7V2Jk79BaLfOz9Gfal0adb85XFL979AzF8ejzuGQtcv0HJ8a8ER4qulGKv0W9vfG6zqzL413r61LlWaTT88OHddM1f9j41J17ZZMv/QFo1jt/34WN41P47aR0X2U4OVRM3PrV6VzuVXK/5A/94uZFVRfh/5jn6bXx [...]
+<mxfile modified="2021-11-22T10:37:23.535Z" host="app.diagrams.net" agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36" etag="x5Fk0vYzcer6K_JiLQts" version="15.8.3" type="device"><diagram id="0" name="Page-1">5LzZkuPIkQX6NXrUGEnsj9g3Yt/xcg37QhD7/vUXwaySurpqJI2mW3PNbpqlJREAAwGP4+7neATyLxD93vkx6kulS7PmL49buv8FYv7yeNwxBLr+gJbjWwt+R75airFKv7X9vcGqzuxb4+1b61Kl2fTDhXPXNXPV/9iYdG2bJfMPbdE4dtuPl+Vd8+Nd+6jIfmqwkqj5udWr0rn8asUf6N/bhawqyu93vqPE15 [...]
diff --git a/src/main/asciidoc/images/consoleDashboard.png b/src/main/asciidoc/images/consoleDashboard.png
index 11453f4..a77d9ea 100644
Binary files a/src/main/asciidoc/images/consoleDashboard.png and b/src/main/asciidoc/images/consoleDashboard.png differ
diff --git a/src/main/asciidoc/images/consoleLogin.png b/src/main/asciidoc/images/consoleLogin.png
index b36d03a..39baf8e 100644
Binary files a/src/main/asciidoc/images/consoleLogin.png and b/src/main/asciidoc/images/consoleLogin.png differ
diff --git a/src/main/asciidoc/images/consoleReports.png b/src/main/asciidoc/images/consoleReports.png
index 93b0ebc..3a74c79 100644
Binary files a/src/main/asciidoc/images/consoleReports.png and b/src/main/asciidoc/images/consoleReports.png differ
diff --git a/src/main/asciidoc/images/enduserHome.png b/src/main/asciidoc/images/enduserHome.png
new file mode 100644
index 0000000..d3200d5
Binary files /dev/null and b/src/main/asciidoc/images/enduserHome.png differ
diff --git a/src/main/asciidoc/images/enduserLogin.png b/src/main/asciidoc/images/enduserLogin.png
index 0429d26..c5c26c5 100644
Binary files a/src/main/asciidoc/images/enduserLogin.png and b/src/main/asciidoc/images/enduserLogin.png differ
diff --git a/src/main/asciidoc/images/enduser_userrequests_none.png b/src/main/asciidoc/images/enduser_userrequests_none.png
new file mode 100644
index 0000000..7f06040
Binary files /dev/null and b/src/main/asciidoc/images/enduser_userrequests_none.png differ
diff --git a/src/main/asciidoc/images/enduser_userrequests_start.png b/src/main/asciidoc/images/enduser_userrequests_start.png
new file mode 100644
index 0000000..044c969
Binary files /dev/null and b/src/main/asciidoc/images/enduser_userrequests_start.png differ
diff --git a/src/main/asciidoc/images/enduser_userrequests_started.png b/src/main/asciidoc/images/enduser_userrequests_started.png
new file mode 100644
index 0000000..5329f22
Binary files /dev/null and b/src/main/asciidoc/images/enduser_userrequests_started.png differ
diff --git a/src/main/asciidoc/images/iam-scenario.png b/src/main/asciidoc/images/iam-scenario.png
index 9aa185e..cd40fab 100644
Binary files a/src/main/asciidoc/images/iam-scenario.png and b/src/main/asciidoc/images/iam-scenario.png differ
diff --git a/src/main/asciidoc/images/iam-scenario.xml b/src/main/asciidoc/images/iam-scenario.xml
index cf1a0d3..78819d0 100644
--- a/src/main/asciidoc/images/iam-scenario.xml
+++ b/src/main/asciidoc/images/iam-scenario.xml
@@ -17,4 +17,4 @@ KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
-<mxfile host="app.diagrams.net" modified="2021-11-19T15:18:08.444Z" agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36" version="15.8.2" etag="_I0Xl2ia8F_qiptCvOXk" type="device"><diagram id="0" name="Page-1">7Vxbc5s4FP41ebSHO/jRubY7zTatO9v2KSNjxdYGEAtyY/fXrwQSBiQ7tgET7yaTTOAghPyd71x0JHxhXoWruwTEi3s8g8GFoc1WF+b1hWHormPSf0yyziXOSMsF8wTNeKONYIJ+Qy4UzZZoBtNKQ4JxQFBcFfo4iqBPKjKQJPil2uwJB9WnxmAOJcHEB4Es/Y5mZJFLPcPZyD9ANF+IJ+vOKL8yBf7zPMHLiD [...]
+<mxfile host="app.diagrams.net" modified="2021-11-25T10:25:51.318Z" agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36" etag="-9kFWVWhYzqxN2HsjZII" version="15.8.6" type="device"><diagram id="0" name="Page-1">7Vxbc5s4FP41ebSHO/jRubY7zTatO9v2KYOxYmsDiBVyY/fXrwQSBkQINrekbSaZwEEI8Z3vXHTjTL8IdjfYjTa3aAX8M01Z7c70yzNNU23Lov+YZJ9KLMtJBWsMV7zQQbCAPwEXKly6hSsQFwoShHwCo6LQQ2EIPFKQuRijp2KxB+QXnxq5ayAJFp7ry9KvcEU2qdTRrIP8HYDrjXiyas3SK0vXe1xjtA3588 [...]
diff --git a/src/main/asciidoc/images/keymaster_domains.png b/src/main/asciidoc/images/keymaster_domains.png
new file mode 100644
index 0000000..a56ea95
Binary files /dev/null and b/src/main/asciidoc/images/keymaster_domains.png differ
diff --git a/src/main/asciidoc/images/keymaster_networkservices.png b/src/main/asciidoc/images/keymaster_networkservices.png
new file mode 100644
index 0000000..80e14bd
Binary files /dev/null and b/src/main/asciidoc/images/keymaster_networkservices.png differ
diff --git a/src/main/asciidoc/images/keymaster_parameters.png b/src/main/asciidoc/images/keymaster_parameters.png
new file mode 100644
index 0000000..337a5cc
Binary files /dev/null and b/src/main/asciidoc/images/keymaster_parameters.png differ
diff --git a/src/main/asciidoc/images/passwordreset.png b/src/main/asciidoc/images/passwordreset.png
new file mode 100644
index 0000000..88c8368
Binary files /dev/null and b/src/main/asciidoc/images/passwordreset.png differ
diff --git a/src/main/asciidoc/images/realmsUser.png b/src/main/asciidoc/images/realmsUser.png
index f3f01ca..bbfc67e 100644
Binary files a/src/main/asciidoc/images/realmsUser.png and b/src/main/asciidoc/images/realmsUser.png differ
diff --git a/ext/flowable/client-console/src/main/resources/org/apache/syncope/client/console/panels/UserRequestsPanel.html b/src/main/asciidoc/images/sra-request.plantuml
similarity index 53%
copy from ext/flowable/client-console/src/main/resources/org/apache/syncope/client/console/panels/UserRequestsPanel.html
copy to src/main/asciidoc/images/sra-request.plantuml
index ec0a3f4..5a6a36e 100644
--- a/ext/flowable/client-console/src/main/resources/org/apache/syncope/client/console/panels/UserRequestsPanel.html
+++ b/src/main/asciidoc/images/sra-request.plantuml
@@ -1,4 +1,4 @@
-<!--
+/'
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
@@ -15,22 +15,26 @@ software distributed under the License is distributed on an
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
--->
-<html xmlns="http://www.w3.org/1999/xhtml" xmlns:wicket="http://wicket.apache.org">
- <wicket:panel>
- <div wicket:id="searchBox">
- <form wicket:id="form">
- <div class="input-group margin-bottom">
- <span wicket:id="filter">[FILTER]</span>
- <span class="input-group-btn">
- <button type="button" class="btn btn-default btn-flat" wicket:id="search">
- <span class="glyphicon glyphicon-search" aria-hidden="true"></span>
- </button>
- </span>
- </div>
- </form>
- </div>
+'/
- <span wicket:id="inner"/>
- </wicket:panel>
-</html>
+@startuml
+actor "User" as user
+participant "WA" as wa
+participant "SRA" as sra
+participant "Target Site" as target
+
+user --> sra : request
+sra --> sra : find matching route
+sra --> sra : matching route found: PROTECTED
+sra --> user: authentication required
+
+user --> wa : authentication credentials
+wa --> user : authentication successful, redirect to original request
+
+user --> sra : authenticated request
+sra --> sra : applying configured filters before sending request downstream
+sra --> target : downstream request
+target --> sra : downsream response
+sra --> sra : applying configured filters before sending response back
+sra --> user: response
+@enduml
diff --git a/src/main/asciidoc/images/sra-request.png b/src/main/asciidoc/images/sra-request.png
new file mode 100644
index 0000000..ece0e9e
Binary files /dev/null and b/src/main/asciidoc/images/sra-request.png differ
diff --git a/src/main/asciidoc/images/sra.png b/src/main/asciidoc/images/sra.png
new file mode 100644
index 0000000..cbc9bbb
Binary files /dev/null and b/src/main/asciidoc/images/sra.png differ
diff --git a/src/main/asciidoc/images/wa.png b/src/main/asciidoc/images/wa.png
new file mode 100644
index 0000000..5853ee0
Binary files /dev/null and b/src/main/asciidoc/images/wa.png differ
diff --git a/src/main/asciidoc/reference-guide/architecture/architecture.adoc b/src/main/asciidoc/reference-guide/architecture/architecture.adoc
index 1a45d52..1ecbcd4 100644
--- a/src/main/asciidoc/reference-guide/architecture/architecture.adoc
+++ b/src/main/asciidoc/reference-guide/architecture/architecture.adoc
@@ -24,171 +24,59 @@ Apache Syncope is made of several components, which are logically summarized in
[.text-center]
image::architecture.png[title="Architecture",alt="Architecture"]
-include::core.adoc[]
+=== Keymaster
-[[admin-console-component]]
-=== Admin UI
+The *_Keymaster_* allows for dynamic service discovery so that other components are able to find each other. +
+On startup, all other component instances will register themselves into Keymaster so that their references
+can be found later, for intra-component communication.
-The Admin UI is the web-based console for configuring and administering running deployments, with full support
-for delegated administration.
+In addition, the Keymaster is also used as key / value store for <<configuration-parameters, configuration parameters>>
+and as a directory for defined <<domains,domains>>.
-The communication between Admin UI and Core is exclusively REST-based.
+Two different implementations are provided, following the actual needs:
-More details are available in the dedicated <<admin-console,usage>> section.
+. as an additional set of RESTful services exposed by the Core, for traditional deployments
+(also known as _Self Keymaster_);
+. as a separate container / pod based on https://zookeeper.apache.org/[Apache Zookeeper^], for microservice-oriented
+deployments.
-[[admin-console-accessibility]]
-==== Accessibility
-
-The Admin Console UI is accessible to the visually impaired.
-
-Two icons are present in the main login page and in the menu on the right:
-
-[.text-center]
-image::accessibility-console01.png[title="Admin Console accessibility buttons",alt="Admin Console accessibility buttons"]
+include::core.adoc[]
-By clicking the top right corner icon image:accessibility-icon01.png[Accessibility HC mode,30,30] it is possible to
-toggle the "High contrast mode".
-In this mode, the website colors are switched to a higher contrast color schema.
+=== Web Access
-[TIP]
-====
-The `H` https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/accesskey[accesskey^] shortcut can
-be used to easily toggle "High contrast mode" by using the keyboard.
+The *_Web Access_* component is based on https://apereo.github.io/cas/[Apereo CAS^].
-E.g.
-|===
-|Shortcut |Purpose
+In addition to all the configuration options and features from Apereo CAS, the Web Access is integrated with Keymaster,
+Core and Admin UI to offer centralized configuration and management.
-|`Alt` + `Shift` + `H`
-|Toggle "High contrast mode" on Firefox and Chrome browsers on Linux
-|===
+=== Secure Remote Access
-====
+The *_Secure Remote Access_* component is built on https://spring.io/projects/spring-cloud-gateway[Spring Cloud Gateway^].
-By clicking the second icon image:accessibility-icon02.png[Accessibility Increased Font mode,30,30] it is possible
-to toggle the "Increased font mode".
-In this mode, the website font size is increased.
+In addition to all the configuration options and features from Spring Cloud Gateway, theSecure Remote Access is
+integrated with Keymaster, Core and Admin UI to offer centralized configuration and management.
-[TIP]
-====
-The `F` https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/accesskey[accesskey^] shortcut can
-be used to easily toggle "Increased font mode" by using the keyboard.
+The Secure Remote Access allows to protect legacy applications by integrating with the Web Access or other third-party
+Access Managers implementing standard protocols as OpenID Connect or SAML.
-E.g.
-|===
-|Shortcut |Purpose
+[[admin-console-component]]
+=== Admin UI
-|`Alt` + `Shift` + `F`
-|Toggle "Increased font mode" on Firefox and Chrome browsers on Linux
-|===
+The *_Admin UI_* is the web-based console for configuring and administering running deployments, with full support
+for delegated administration.
-====
+The communication between Admin UI and Core is exclusively REST-based.
-To reset to the default mode, it is enough to click again on the specific icon.
+More details are available in the dedicated <<admin-console,usage>> section.
[[enduser-component]]
=== End-user UI
-The End-user UI is the web-based application for self-registration, self-service and <<password-reset,password reset>>.
+The *_End-user UI_* is the web-based application for self-registration, self-service and <<password-reset,password reset>>.
The communication between End-user UI and Core is exclusively REST-based.
-==== Password Reset
-
-When users lost their password, a feature is available to help gaining back access to Apache Syncope: password reset.
-
-The process can be outlined as follows:
-
-. user asks for password reset, typically via end-user
-. user is asked to provide an answer to the security question that was selected during self-registration or self-update
-. if the expected answer is provided, a unique token with time-constrained validity is internally generated and an
-e-mail is sent to the configured address for the user with a link - again, typically to the
-end-user - containing such token value
-. user clicks on the received link and provides new password value, typically via end-user
-. user receives confirmation via e-mail
-
-[WARNING]
-====
-The outlined procedure requires a working <<e-mail-configuration,e-mail configuration>>.
-
-In particular:
-
-* the first e-mail is generated from the `requestPasswordReset` <<notification-templates, notification template>>:
-hence, the token-based access link to the end-user is managed there;
-* the second e-mail is generated from the `confirmPasswordReset` <<notification-templates, notification template>>.
-====
-
-[TIP]
-====
-The process above requires the availability of <<console-configuration-security-questions,security questions>> that
-users can pick up and provide answers for.
-
-The usage of security questions can be however disabled by setting the `passwordReset.securityQuestion` value - see
-<<configuration-parameters, below>> for details.
-====
-
-[[password-reset-no-security-answer]]
-[WARNING]
-====
-Once provided via Enduser Application, the answers to security questions are *never* reported, neither via REST or Admin UI to
-administrators, nor to end-users via Enduser Application.
-
-This to avoid any information disclosure which can potentially lead attackers to reset other users' passwords.
-====
-
-[NOTE]
-In addition to the password reset feature, administrators can set a flag on a given user so that he / she is forced to
-update their password value at next login.
-
-[[enduser-accessibility]]
-==== Accessibility
-
-The End-user UI is accessible to the visually impaired.
-
-Two icons are present in the main page, in the right corner:
-
-[.text-center]
-image::accessibility-enduser01.png[title="Enduser accessibility icons",alt="Enduser accessibility icons"]
-
-By clicking the top right corner icon image:accessibility-icon01.png[Accessibility HC mode,30,30] it is possible to
-toggle the "High contrast mode".
-In this mode, the website colors are switched to a higher contrast color schema.
-
-[TIP]
-====
-The `H` https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/accesskey[accesskey^] shortcut can
-be used to easily toggle "High contrast mode" by using the keyboard.
-
-E.g.
-|===
-|Shortcut |Purpose
-
-|`Alt` + `Shift` + `H`
-|Toggle "High contrast mode" on Firefox and Chrome browsers on Linux
-|===
-
-====
-
-By clicking the second icon image:accessibility-icon02.png[Accessibility Increased Font mode,30,30] it is possible
-to toggle the "Increased font mode".
-In this mode, the website font size is increased.
-
-[TIP]
-====
-The `F` https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/accesskey[accesskey^] shortcut can
-be used to easily toggle "Increased font mode" by using the keyboard.
-
-E.g.
-|===
-|Shortcut |Purpose
-
-|`Alt` + `Shift` + `F`
-|Toggle "Increased font mode" on Firefox and Chrome browsers on Linux
-|===
-
-====
-
-To reset to the default mode, it is enough to click again on the specific icon.
+More details are available in the dedicated <<enduser-application,usage>> section.
=== Third Party Applications
diff --git a/src/main/asciidoc/reference-guide/architecture/core.adoc b/src/main/asciidoc/reference-guide/architecture/core.adoc
index ba254a5..f2feabe 100644
--- a/src/main/asciidoc/reference-guide/architecture/core.adoc
+++ b/src/main/asciidoc/reference-guide/architecture/core.adoc
@@ -18,7 +18,7 @@
//
=== Core
-All the services provided by Apache Syncope are defined, elaborated and served by the *_Core_*.
+The *_Core_* is the component providing IdM services and acting as central repository for other components' configuration.
The Core is internally further structured into several layers, each one taking care of specific aspects of the identity
management services.
@@ -40,9 +40,9 @@ More details are available in the dedicated <<restful-services,usage>> section.
==== Logic
-Right below the external interface level, the overall business logic is responsible for orchestrating the other layers, by implementing
-the operations that can be triggered via REST services. It is also responsible for controlling some additional features (notifications,
-reports and auditing).
+Right below the external interface level, the overall business logic is responsible for orchestrating the other layers,
+by implementing the operations that can be triggered via REST services. It is also responsible for controlling some
+additional features (notifications, reports and auditing).
[[provisioning-layer]]
==== Provisioning
@@ -87,7 +87,7 @@ All data (users, groups, attributes, resources, ...) is internally managed at a
https://en.wikipedia.org/wiki/Java_Persistence_API[JPA 2.2^] approach based on http://openjpa.apache.org[Apache OpenJPA^].
The data is persisted into an underlying
database, referred to as *_Internal Storage_*. Consistency is ensured via the comprehensive
-https://docs.spring.io/spring/docs/5.1.x/spring-framework-reference/data-access.html#transaction[transaction management^]
+https://docs.spring.io/spring-framework/docs/5.3.x/reference/html/data-access.html#transaction[transaction management^]
provided by the Spring Framework.
Globally, this offers the ability to easily scale up to a million entities and at the same time allows great portability
diff --git a/src/main/asciidoc/reference-guide/concepts/audit.adoc b/src/main/asciidoc/reference-guide/concepts/audit.adoc
index 5bbaaae..2e65916 100644
--- a/src/main/asciidoc/reference-guide/concepts/audit.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/audit.adoc
@@ -43,10 +43,10 @@ transformation (rewrite), to files, queues, sockets, syslog, etc.
Custom implementations must follow the
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/core/logic/src/main/java/org/apache/syncope/core/logic/audit/AuditAppender.java[AuditAppender^]
+https://github.com/apache/syncope/blob/syncope-{docVersion}/core/idrepo/logic/src/main/java/org/apache/syncope/core/logic/audit/AuditAppender.java[AuditAppender^]
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/core/logic/src/main/java/org/apache/syncope/core/logic/audit/AuditAppender.java[AuditAppender^]
+https://github.com/apache/syncope/blob/master/core/idrepo/logic/src/main/java/org/apache/syncope/core/logic/audit/AuditAppender.java[AuditAppender^]
endif::[]
interface.
@@ -57,10 +57,10 @@ Some convenience implementations are provided, meant to serve as reference - see
|
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/core/logic/src/main/java/org/apache/syncope/core/logic/audit/DefaultAuditAppender.java[DefaultAuditAppender^]
+https://github.com/apache/syncope/blob/syncope-{docVersion}/core/idrepo/logic/src/main/java/org/apache/syncope/core/logic/audit/DefaultAuditAppender.java[DefaultAuditAppender^]
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/core/logic/src/main/java/org/apache/syncope/core/logic/audit/DefaultAuditAppender.java[DefaultAuditAppender^]
+https://github.com/apache/syncope/blob/master/core/idrepo/logic/src/main/java/org/apache/syncope/core/logic/audit/DefaultAuditAppender.java[DefaultAuditAppender^]
endif::[]
| This requires to specify (a) a set of events to which the appender is bound (log only if one of such events occurs)
and (b) a target appender, e.g. one of https://logging.apache.org/log4j/2.x/manual/appenders.html[Apache Log4j 2 Appenders^]
@@ -68,10 +68,10 @@ or a custom implementation.
|
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/core/logic/src/main/java/org/apache/syncope/core/logic/audit/DefaultRewriteAuditAppender.java[DefaultRewriteAuditAppender^]
+https://github.com/apache/syncope/blob/syncope-{docVersion}/core/idrepo/logic/src/main/java/org/apache/syncope/core/logic/audit/DefaultRewriteAuditAppender.java[DefaultRewriteAuditAppender^]
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/core/logic/src/main/java/org/apache/syncope/core/logic/audit/DefaultRewriteAuditAppender.java[DefaultRewriteAuditAppender^]
+https://github.com/apache/syncope/blob/master/core/idrepo/logic/src/main/java/org/apache/syncope/core/logic/audit/DefaultRewriteAuditAppender.java[DefaultRewriteAuditAppender^]
endif::[]
| In addition, this requires to provide a
https://logging.apache.org/log4j/2.x/log4j-core/apidocs/org/apache/logging/log4j/core/appender/rewrite/RewritePolicy.html[RewritePolicy^]
diff --git a/src/main/asciidoc/reference-guide/concepts/authenticationmodules.adoc b/src/main/asciidoc/reference-guide/concepts/authenticationmodules.adoc
new file mode 100644
index 0000000..cda13af
--- /dev/null
+++ b/src/main/asciidoc/reference-guide/concepts/authenticationmodules.adoc
@@ -0,0 +1,61 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+=== Authentication Modules
+
+Authentication Modules allow to specify how <<web-access,WA>> shall check the provided credentials against specific
+technology or repository, in the context of a certain <<policies-authentication,Authentication Policy>>.
+
+Several authentication modules are provided:
+
+* Principal Authentication:
+ ** https://apereo.github.io/cas/6.4.x/authentication/Database-Authentication.html[Database^]
+ ** https://apereo.github.io/cas/6.4.x/authentication/JAAS-Authentication.html[JAAS^]
+ ** https://apereo.github.io/cas/6.4.x/authentication/LDAP-Authentication.html[LDAP^]
+ ** https://apereo.github.io/cas/6.4.x/integration/Delegate-Authentication.html[OpenID Connect^]
+ ** https://apereo.github.io/cas/6.4.x/mfa/RADIUS-Authentication.html[Radius^]
+ ** https://apereo.github.io/cas/6.4.x/authentication/Syncope-Authentication.html[Static^]
+ ** https://apereo.github.io/cas/6.4.x/authentication/Syncope-Authentication.html[Syncope^]
+ ** https://apereo.github.io/cas/6.4.x/integration/Delegate-Authentication.html[SAML^]
+* MFA:
+ ** https://apereo.github.io/cas/6.4.x/mfa/DuoSecurity-Authentication.html[Duo Security^]
+ ** https://apereo.github.io/cas/6.4.x/mfa/FIDO-U2F-Authentication.html[Fido U2F^]
+ ** https://apereo.github.io/cas/6.4.x/mfa/GoogleAuthenticator-Authentication.html[Google Authenticator^]
+
+[TIP]
+====
+Custom authentication modules can be provided by implementing the
+ifeval::["{snapshotOrRelease}" == "release"]
+https://github.com/apache/syncope/blob/syncope-{docVersion}/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/AuthModuleConf.java[AuthModuleConf^]
+endif::[]
+ifeval::["{snapshotOrRelease}" == "snapshot"]
+https://github.com/apache/syncope/blob/master/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/AuthModuleConf.java[AuthModuleConf^]
+endif::[]
+interface and extending appropriately the
+ifeval::["{snapshotOrRelease}" == "release"]
+https://github.com/apache/syncope/blob/syncope-{docVersion}/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/SyncopeWAPropertySourceLocator.java[SyncopeWAPropertySourceLocator^]
+endif::[]
+ifeval::["{snapshotOrRelease}" == "snapshot"]
+https://github.com/apache/syncope/blob/master/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/SyncopeWAPropertySourceLocator.java[SyncopeWAPropertySourceLocator^]
+endif::[]
+class.
+====
+
+[NOTE]
+Authentication Modules are dynamically translated into
+https://apereo.github.io/cas/6.4.x/authentication/Configuring-Authentication-Components.html#authentication-handlers[CAS Authentication Handlers^].
diff --git a/src/main/asciidoc/reference-guide/concepts/clientapplications.adoc b/src/main/asciidoc/reference-guide/concepts/clientapplications.adoc
new file mode 100644
index 0000000..4148456
--- /dev/null
+++ b/src/main/asciidoc/reference-guide/concepts/clientapplications.adoc
@@ -0,0 +1,44 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+=== Client Applications
+
+Client Applications represent web applications (including <<secure-remote-access,SRA>>) allowed to integrate with
+<<web-access,WA>>.
+
+Depending on the communication protocol, the following client applications are supported:
+
+* OpenID Connect Relying Party
+* SAML 2.0 Service Provider
+* CAS Service
+
+When defining a client application, the following parameters shall be specified:
+
+. id - unique number identifier of the current client application
+. name - regular expression to match requests
+. description - optional textual description
+. <<policies-authentication,authentication policy>>
+. <<policies-access,access policy>>
+. <<policies-attribute-release,attribute release policy>>
+. additional properties
+
+More parameters are required to be specified depending on the actual client application type.
+
+[NOTE]
+Client Applications are dynamically translated into
+https://apereo.github.io/cas/6.4.x/services/Service-Management.html[CAS Services^].
diff --git a/src/main/asciidoc/reference-guide/concepts/concepts.adoc b/src/main/asciidoc/reference-guide/concepts/concepts.adoc
index a4c1fd8..ed09b9d 100644
--- a/src/main/asciidoc/reference-guide/concepts/concepts.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/concepts.adoc
@@ -46,6 +46,12 @@ include::reports.adoc[]
include::audit.adoc[]
+include::routes.adoc[]
+
+include::authenticationmodules.adoc[]
+
+include::clientapplications.adoc[]
+
include::domains.adoc[]
include::implementations.adoc[]
diff --git a/src/main/asciidoc/reference-guide/concepts/domains.adoc b/src/main/asciidoc/reference-guide/concepts/domains.adoc
index 9ffdbd3..065b2b7 100644
--- a/src/main/asciidoc/reference-guide/concepts/domains.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/domains.adoc
@@ -22,7 +22,7 @@ Domains are built to facilitate https://en.wikipedia.org/wiki/Multitenancy[multi
Domains allow the physical separation of all data managed by Apache Syncope, by storing the data for different domains
into different database instances. Therefore, Apache Syncope can facilitate Users, Groups, Any Objects,
-External Resources, Policies, Tasks, etc. from different domains (e.g. tenants) in a single <<core,core>> instance.
+External Resources, Policies, Tasks, etc. from different domains (e.g. tenants) in a single <<core>> instance.
By default, a single `Master` domain is defined, which also bears the configuration for additional domains.
diff --git a/src/main/asciidoc/reference-guide/concepts/entitlements.adoc b/src/main/asciidoc/reference-guide/concepts/entitlements.adoc
index abc7135..df65dc9 100644
--- a/src/main/asciidoc/reference-guide/concepts/entitlements.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/entitlements.adoc
@@ -21,7 +21,7 @@
Entitlements are basically strings describing the right to perform an operation on Syncope.
The components in the <<logic,logic layer>> are annotated with
-http://projects.spring.io/spring-security/[Spring Security^] to implement declarative security; in the following
+https://spring.io/projects/spring-security[Spring Security^] to implement declarative security; in the following
code snippet taken from
ifeval::["{snapshotOrRelease}" == "release"]
https://github.com/apache/syncope/blob/syncope-{docVersion}/core/logic/src/main/java/org/apache/syncope/core/logic/RealmLogic.java[RealmLogic^]
@@ -30,7 +30,7 @@ ifeval::["{snapshotOrRelease}" == "snapshot"]
https://github.com/apache/syncope/blob/master/core/logic/src/main/java/org/apache/syncope/core/logic/RealmLogic.java[RealmLogic^]
endif::[]
, the
-http://docs.spring.io/spring-security/site/docs/5.1.x/reference/htmlsingle/#el-common-built-in[`hasRole` expression^]
+https://docs.spring.io/spring-security/site/docs/5.5.x/reference/html5/#el-common-built-in[`hasRole` expression^]
is used together with one of the standard entitlements to restrict access only to Users owning the `REALM_LIST`
entitlement.
@@ -47,10 +47,10 @@ Entitlements are granted via <<roles, roles>> to Users, scoped under certain <<r
====
The set of available entitlements is
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/common/lib/src/main/java/org/apache/syncope/common/lib/types/StandardEntitlement.java[statically defined^]
+https://github.com/apache/syncope/blob/syncope-{docVersion}/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/types/IdRepoEntitlement.java[statically defined^]
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/common/lib/src/main/java/org/apache/syncope/common/lib/types/StandardEntitlement.java[statically defined^]
+https://github.com/apache/syncope/blob/master/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/types/IdRepoEntitlement.java[statically defined^]
endif::[]
- even though <<extensions,extensions>> have the ability to
ifeval::["{snapshotOrRelease}" == "release"]
diff --git a/src/main/asciidoc/reference-guide/concepts/extensions.adoc b/src/main/asciidoc/reference-guide/concepts/extensions.adoc
index 345fde1..c9a4c9a 100644
--- a/src/main/asciidoc/reference-guide/concepts/extensions.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/extensions.adoc
@@ -59,7 +59,8 @@ endif::[]
.
====
-==== SAML 2.0 Service Provider
+[[saml2sp4ui]]
+==== SAML 2.0 Service Provider for UI
This extension can be leveraged to provide
https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language[SAML 2.0^]-based
@@ -90,7 +91,8 @@ This extension adds features to all components and layers that are available, an
<<customization-extensions,new extensions>>.
====
-==== OpenID Connect Client
+[[oidcc4ui]]
+==== OpenID Connect Client for UI
This extension can be leveraged to provide http://openid.net/connect/[OpenID Connect^]-based
https://en.wikipedia.org/wiki/Single_sign-on[Single Sign-On^] access to the <<admin-console-component>>,
@@ -129,7 +131,7 @@ This extension provides an alternate internal search engine for <<users-groups-a
https://www.elastic.co/[Elasticsearch^] cluster.
[WARNING]
-This extension supports Elasticsearch server versions starting from 6.x.
+This extension supports Elasticsearch server versions starting from 7.x.
[TIP]
As search operations are central for different aspects of the <<provisioning,provisioning process>>, the global
diff --git a/src/main/asciidoc/reference-guide/concepts/externalresources.adoc b/src/main/asciidoc/reference-guide/concepts/externalresources.adoc
index ecbfe4f..66d2029 100644
--- a/src/main/asciidoc/reference-guide/concepts/externalresources.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/externalresources.adoc
@@ -230,7 +230,7 @@ There can be many reasons for this situation, including existence of so-called _
Active Directory), or simply the uncomfortable reality that system integrators keep encountering when legacy systems
are to be enrolled into a brand new IAM system.
-Starting with Apache Syncope 2.1.6, Users can have, on a given External Resource with `USER` mapping defined:
+Users can have, on a given External Resource with `USER` mapping defined:
. zero or one _mapped account_ +
if the External Resource is assigned either directly or via Group membership.
diff --git a/src/main/asciidoc/reference-guide/concepts/implementations.adoc b/src/main/asciidoc/reference-guide/concepts/implementations.adoc
index 76a502b..2107b73 100644
--- a/src/main/asciidoc/reference-guide/concepts/implementations.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/implementations.adoc
@@ -18,8 +18,7 @@
//
=== Implementations
-Starting with Apache Syncope 2.1, it is possible to provide implementations suitable for
-<<customization-core,customization>> as:
+It is possible to provide implementations suitable for <<customization-core,customization>> as:
. Java classes
. http://www.groovy-lang.org/[Apache Groovy^] classes
diff --git a/src/main/asciidoc/reference-guide/concepts/notifications.adoc b/src/main/asciidoc/reference-guide/concepts/notifications.adoc
index b4e170a..97a3af5 100644
--- a/src/main/asciidoc/reference-guide/concepts/notifications.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/notifications.adoc
@@ -37,10 +37,10 @@ in principle have different e-mail attributes)
** matching condition to be applied to available users
** Java class implementing the
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/notification/NotificationRecipientsProvider.java[NotificationRecipientsProvider^]
+https://github.com/apache/syncope/blob/syncope-{docVersion}/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/notification/RecipientsProvider.java[RecipientsProvider^]
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/notification/NotificationRecipientsProvider.java[NotificationRecipientsProvider^]
+https://github.com/apache/syncope/blob/master/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/notification/RecipientsProvider.java[RecipientsProvider^]
endif::[]
interface
* <<notification-events,notification event(s)>> - event(s) triggering the enclosing notification
@@ -113,10 +113,10 @@ The full power of JEXL expressions - see http://commons.apache.org/proper/common
and http://commons.apache.org/proper/commons-jexl/reference/examples.html[some examples^] - is available. +
For example, the `user` variable, an instance of
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/common/lib/src/main/java/org/apache/syncope/common/lib/to/UserTO.java[UserTO^]
+https://github.com/apache/syncope/blob/syncope-{docVersion}/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/to/UserTO.java[UserTO^]
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/common/lib/src/main/java/org/apache/syncope/common/lib/to/UserTO.java[UserTO^]
+https://github.com/apache/syncope/blob/master/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/to/UserTO.java[UserTO^]
endif::[]
with actual value matching the _about_ condition as introduced above, can be used.
diff --git a/src/main/asciidoc/reference-guide/concepts/policies.adoc b/src/main/asciidoc/reference-guide/concepts/policies.adoc
index 36b792b..5b4dd19 100644
--- a/src/main/asciidoc/reference-guide/concepts/policies.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/policies.adoc
@@ -18,8 +18,8 @@
//
=== Policies
-Policies control different aspects of the <<provisioning,provisioning>> process. They can be used to fine-tune and adapt
-the overall mechanism to the particularities of the specific domain in which a given Apache Syncope deployment is running.
+Policies control different aspects. They can be used to fine-tune and adapt the overall mechanisms to the
+particularities of the specific domain in which a given Apache Syncope deployment is running.
[[policy-composition]]
[TIP]
@@ -66,10 +66,10 @@ As `JAVA` <<implementations,implementation>>, writing custom account rules means
. providing configuration parameters in an implementation of
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/common/lib/src/main/java/org/apache/syncope/common/lib/policy/AccountRuleConf.java[AccountRuleConf^]
+https://github.com/apache/syncope/blob/syncope-{docVersion}/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/policy/AccountRuleConf.java[AccountRuleConf^]
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/common/lib/src/main/java/org/apache/syncope/common/lib/policy/AccountRuleConf.java[AccountRuleConf^]
+https://github.com/apache/syncope/blob/master/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/policy/AccountRuleConf.java[AccountRuleConf^]
endif::[]
. enforcing in an implementation of
ifeval::["{snapshotOrRelease}" == "release"]
@@ -100,17 +100,17 @@ endif::[]
The default account rule (enforced by
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/DefaultAccountRule.java[DefaultAccountRule^]
+https://github.com/apache/syncope/blob/syncope-{docVersion}/core/spring/src/main/java/org/apache/syncope/core/spring/policy/DefaultAccountRule.java[DefaultAccountRule^]
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/DefaultAccountRule.java[DefaultAccountRule^]
+https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/policy/DefaultAccountRule.java[DefaultAccountRule^]
endif::[]
and configurable via
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/common/lib/src/main/java/org/apache/syncope/common/lib/policy/DefaultAccountRuleConf.java[DefaultAccountRuleConf^]
+https://github.com/apache/syncope/blob/syncope-{docVersion}/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/policy/DefaultAccountRuleConf.java[DefaultAccountRuleConf^]
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/common/lib/src/main/java/org/apache/syncope/common/lib/policy/DefaultAccountRuleConf.java[DefaultAccountRuleConf^]
+https://github.com/apache/syncope/blob/master/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/policy/DefaultAccountRuleConf.java[DefaultAccountRuleConf^]
endif::[]
) contains the following controls:
@@ -170,10 +170,10 @@ As `JAVA` <<implementations,implementation>>, writing custom password rules mean
. providing configuration parameters in an implementation of
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/common/lib/src/main/java/org/apache/syncope/common/lib/policy/PasswordRuleConf.java[PasswordRuleConf^]
+https://github.com/apache/syncope/blob/syncope-{docVersion}/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/policy/PasswordRuleConf.java[PasswordRuleConf^]
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/common/lib/src/main/java/org/apache/syncope/common/lib/policy/PasswordRuleConf.java[PasswordRuleConf^]
+https://github.com/apache/syncope/blob/master/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/policy/PasswordRuleConf.java[PasswordRuleConf^]
endif::[]
. enforcing in an implementation of
ifeval::["{snapshotOrRelease}" == "release"]
@@ -204,17 +204,17 @@ endif::[]
The default password rule (enforced by
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/DefaultPasswordRule.java[DefaultPasswordRule^]
+https://github.com/apache/syncope/blob/syncope-{docVersion}/core/spring/src/main/java/org/apache/syncope/core/spring/policy/DefaultPasswordRule.java[DefaultPasswordRule^]
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/DefaultPasswordRule.java[DefaultPasswordRule^]
+https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/policy/DefaultPasswordRule.java[DefaultPasswordRule^]
endif::[]
and configurable via
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/common/lib/src/main/java/org/apache/syncope/common/lib/policy/DefaultPasswordRuleConf.java[DefaultPasswordRuleConf^]
+https://github.com/apache/syncope/blob/syncope-{docVersion}/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/policy/DefaultPasswordRuleConf.java[DefaultPasswordRuleConf^]
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/common/lib/src/main/java/org/apache/syncope/common/lib/policy/DefaultPasswordRuleConf.java[DefaultPasswordRuleConf^]
+https://github.com/apache/syncope/blob/master/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/policy/DefaultPasswordRuleConf.java[DefaultPasswordRuleConf^]
endif::[]
) contains the following controls:
@@ -252,17 +252,17 @@ class.
This password rule (enforced by
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/HaveIBeenPwnedPasswordRule.java[HaveIBeenPwnedPasswordRule^]
+https://github.com/apache/syncope/blob/syncope-{docVersion}/core/spring/src/main/java/org/apache/syncope/core/spring/policy/HaveIBeenPwnedPasswordRule.java[HaveIBeenPwnedPasswordRule^]
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/HaveIBeenPwnedPasswordRule.java[HaveIBeenPwnedPasswordRule^]
+https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/policy/HaveIBeenPwnedPasswordRule.java[HaveIBeenPwnedPasswordRule^]
endif::[]
and configurable via
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/common/lib/src/main/java/org/apache/syncope/common/lib/policy/HaveIBeenPwnedPasswordRuleConf.java[HaveIBeenPwnedPasswordRuleConf^]
+https://github.com/apache/syncope/blob/syncope-{docVersion}/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/policy/HaveIBeenPwnedPasswordRuleConf.java[HaveIBeenPwnedPasswordRuleConf^]
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/common/lib/src/main/java/org/apache/syncope/common/lib/policy/HaveIBeenPwnedPasswordRuleConf.java[HaveIBeenPwnedPasswordRuleConf^]
+https://github.com/apache/syncope/blob/master/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/policy/HaveIBeenPwnedPasswordRuleConf.java[HaveIBeenPwnedPasswordRuleConf^]
endif::[]
) checks the provided password values against the popular
https://haveibeenpwned.com["Have I Been Pwned?"^] service.
@@ -272,6 +272,61 @@ Before being able to configure the "Have I Been Pwned?" password rule as mention
a `JAVA` `PASSWORD_RULE` <<implementations,implementation>> for the
`org.apache.syncope.common.lib.policy.HaveIBeenPwnedPasswordRuleConf` class.
+[[policies-access]]
+==== Access
+
+Access policies provide fine-grained control over the authorization rules to apply to
+<<client-applications,client applications>>.
+
+An access policy describes whether the client application is allowed to use WA, allowed to participate in
+single sign-on authentication, etc. Additionally, it may be configured to require a certain set of principal attributes
+that must exist before access can be granted to the client application. This behavior allows one to configure various
+attributes in terms of access roles for the application and define rules that would be enacted and validated when an
+authentication request from the application arrives.
+
+[NOTE]
+Access Policy instances are dynamically translated into
+https://apereo.github.io/cas/6.4.x/services/Configuring-Service-Access-Strategy.html#configure-service-access-strategy[CAS Service Access Strategy^].
+
+[[policies-attribute-release]]
+==== Attribute Release
+
+Attribute Release policies decide how attributes are selected and provided to a given
+<<client-applications,client application>> in the final WA response. +
+Additionally, each instance has the ability to apply an optional filter to weed out their attributes based on their
+values.
+
+[NOTE]
+Attribute Release Policy instances are dynamically translated into
+https://apereo.github.io/cas/6.4.x/integration/Attribute-Release-Policies.html#attribute-release-policies[CAS Attribute Release Policy^].
+
+[[policies-authentication]]
+==== Authentication
+
+WA presents a number of strategies for handling authentication security policies, based on the defined
+<<authentication-modules,authentication modules>>. +
+Authentication Policies in general control the following:
+
+. Should the authentication chain be stopped after a certain kind of authentication failure?
+. Given multiple authentication handlers in a chain, what constitutes a successful authentication event?
+
+Authentication Policies are typically activated after:
+
+. An authentication failure has occurred.
+. The authentication chain has finished execution.
+
+Typical use cases of authentication policies may include:
+
+. Enforce a specific authentication module's successful execution, for the entire authentication event to be considered
+successful.
+. Ensure a specific class of failure is not evident in the authentication chain’s execution log.
+. Ensure that all authentication modules in the chain are executed successfully, for the entire authentication event to
+be considered successful.
+
+[NOTE]
+Authentication Policy instances are dynamically translated into
+https://apereo.github.io/cas/6.4.x/authentication/Configuring-Authentication-Policy.html#authentication-policy[CAS Authentication Policy^].
+
[[policies-pull]]
==== Pull
diff --git a/src/main/asciidoc/reference-guide/concepts/provisioning/provisioning.adoc b/src/main/asciidoc/reference-guide/concepts/provisioning/provisioning.adoc
index a1c9c5d..0eb193a 100644
--- a/src/main/asciidoc/reference-guide/concepts/provisioning/provisioning.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/provisioning/provisioning.adoc
@@ -18,7 +18,7 @@
//
=== Provisioning
-As described <<provisioning-engines,above>>, provisioning is actually _the_ core feature provided by Apache Syncope.
+As described <<identity-managers,above>>, provisioning is actually _the_ core feature provided by Apache Syncope.
Essentially, it can be seen as the process of keeping the identity data synchronized between Syncope and related external resources, according to the specifications provided by the <<mapping,mapping>>. It does this by performing create, update and
delete operations onto the <<persistence,internal storage>> or external resources via connectors.
diff --git a/src/main/asciidoc/reference-guide/concepts/provisioning/pull.adoc b/src/main/asciidoc/reference-guide/concepts/provisioning/pull.adoc
index 77b987a..bf4bd84 100644
--- a/src/main/asciidoc/reference-guide/concepts/provisioning/pull.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/provisioning/pull.adoc
@@ -60,10 +60,10 @@ The Identity Store can be queried in different ways, depending on the _pull mode
FULL RECONCILIATION:: The complete list of entities available is processed.
FILTERED RECONCILIATION:: The subset matching the filter (provided by the selected implementation of
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/pushpull/ReconciliationFilterBuilder.java[ReconciliationFilterBuilder^])
+https://github.com/apache/syncope/blob/syncope-{docVersion}/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/pushpull/ReconFilterBuilder.java[ReconFilterBuilder^])
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/pushpull/ReconciliationFilterBuilder.java[ReconciliationFilterBuilder^])
+https://github.com/apache/syncope/blob/master/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/pushpull/ReconFilterBuilder.java[ReconFilterBuilder^])
endif::[]
of all available entities is processed.
INCREMENTAL:: Only the actual modifications performed since the last pull task execution are considered. This mode
diff --git a/src/main/asciidoc/reference-guide/concepts/reports.adoc b/src/main/asciidoc/reference-guide/concepts/reports.adoc
index e623487..7ef9c96 100644
--- a/src/main/asciidoc/reference-guide/concepts/reports.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/reports.adoc
@@ -64,10 +64,10 @@ endif::[]
and implementing the information extraction logic and generating an XML stream as result
* a Java class extending
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/common/lib/src/main/java/org/apache/syncope/common/lib/report/AbstractReportletConf.java[AbstractReportletConf^]
+https://github.com/apache/syncope/blob/syncope-{docVersion}/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/report/AbstractReportletConf.java[AbstractReportletConf^]
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/common/lib/src/main/java/org/apache/syncope/common/lib/report/AbstractReportletConf.java[AbstractReportletConf^]
+https://github.com/apache/syncope/blob/master/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/report/AbstractReportletConf.java[AbstractReportletConf^]
endif::[]
and embedding the configuration options that can be tuned when incorporating a given reportlet into a report; when
properly annotated, such options are manageable via the <<console-reports,admin console>>
@@ -86,10 +86,10 @@ https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/ja
endif::[]
and
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/common/lib/src/main/java/org/apache/syncope/common/lib/report/StaticReportletConf.java[StaticReportletConf^],
+https://github.com/apache/syncope/blob/syncope-{docVersion}/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/report/StaticReportletConf.java[StaticReportletConf^],
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/common/lib/src/main/java/org/apache/syncope/common/lib/report/StaticReportletConf.java[StaticReportletConf^],
+https://github.com/apache/syncope/blob/master/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/report/StaticReportletConf.java[StaticReportletConf^],
endif::[]
it is essentially a handy way to inject static values (of various types) into a report.
@@ -103,10 +103,10 @@ https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/ja
endif::[]
and
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/common/lib/src/main/java/org/apache/syncope/common/lib/report/UserReportletConf.java[UserReportletConf^],
+https://github.com/apache/syncope/blob/syncope-{docVersion}/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/report/UserReportletConf.java[UserReportletConf^],
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/common/lib/src/main/java/org/apache/syncope/common/lib/report/UserReportletConf.java[UserReportletConf^],
+https://github.com/apache/syncope/blob/master/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/report/UserReportletConf.java[UserReportletConf^],
endif::[]
it can be used to report various information about Users available in the internal storage, their attributes,
memberships and relationships, external resources and so on.
@@ -120,10 +120,10 @@ https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/ja
endif::[]
and
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/common/lib/src/main/java/org/apache/syncope/common/lib/report/GroupReportletConf.java[GroupReportletConf^].
+https://github.com/apache/syncope/blob/syncope-{docVersion}/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/report/GroupReportletConf.java[GroupReportletConf^].
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/common/lib/src/main/java/org/apache/syncope/common/lib/report/GroupReportletConf.java[GroupReportletConf^].
+https://github.com/apache/syncope/blob/master/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/report/GroupReportletConf.java[GroupReportletConf^].
endif::[]
===== Reconciliation Reportlet
@@ -137,10 +137,10 @@ https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/ja
endif::[]
and
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/common/lib/src/main/java/org/apache/syncope/common/lib/report/ReconciliationReportletConf.java[ReconciliationReportletConf^],
+https://github.com/apache/syncope/blob/syncope-{docVersion}/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/report/ReconciliationReportletConf.java[ReconciliationReportletConf^],
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/common/lib/src/main/java/org/apache/syncope/common/lib/report/ReconciliationReportletConf.java[ReconciliationReportletConf^],
+https://github.com/apache/syncope/blob/master/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/report/ReconciliationReportletConf.java[ReconciliationReportletConf^],
endif::[]
it provides the global reconciliation status for all Users, Groups and Any Objects available in the internal storage,
e.g. whether such entities are available on all Identity Stores matching the assigned
@@ -161,9 +161,9 @@ https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/ja
endif::[]
and
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/common/lib/src/main/java/org/apache/syncope/common/lib/report/AuditReportletConf.java[AuditReportletConf^],
+https://github.com/apache/syncope/blob/syncope-{docVersion}/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/report/AuditReportletConf.java[AuditReportletConf^],
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/common/lib/src/main/java/org/apache/syncope/common/lib/report/AuditReportletConf.java[AuditReportletConf^],
+https://github.com/apache/syncope/blob/master/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/report/AuditReportletConf.java[AuditReportletConf^],
endif::[]
it is mostly a sample reportlet showing how to extract data produced by <<audit>>.
diff --git a/src/main/asciidoc/reference-guide/concepts/routes.adoc b/src/main/asciidoc/reference-guide/concepts/routes.adoc
new file mode 100644
index 0000000..b7bfa22
--- /dev/null
+++ b/src/main/asciidoc/reference-guide/concepts/routes.adoc
@@ -0,0 +1,120 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+=== Routes
+
+Routes represents the main configuration to instruct <<secure-remote-access,SRA>> to respond to HTTP requests.
+
+Every route is defined by providing the following information:
+
+. name - unique reference to the current route
+. target - base URI to proxy requests for
+. error URI - where to redirect in case of errors
+. type - `PUBLIC` or `PROTECTED`: the latter requires authentication against the configured Access Manager
+. logout - whether to proceed with logout against the configured Access Manager
+. post-logout URI - where to redirect after logging out
+. CSRF - whether protection against https://en.wikipedia.org/wiki/Cross-site_request_forgery[Cross-Site Request Forgery]
+shall be applied to incoming requests
+. order - value to sort routes for evaluation
+. predicates - composed condition, supporting logic operators as `AND`, `OR` and `NOT`, to specify if incoming requests
+shall match the owning route
+. filters - ordered list of elements allowing to perform modification of the incoming request and / or outgoing response
+
+image::sra-request.png[title="SRA request processing",alt="SRA request processing"]
+
+When an HTTP request is received, SRA evaluates all the configured _predicates_, sorted by their owning _route_'s _order_,
+to determine the first matching route among the ones defined.
+
+If the matching route has _type_ `PROTECTED`, the configured Access Manager is involved to authorize the request; while
+<<web-access,WA>> works out-of-the-box, others can be configured, provided that they implement standard protocols as
+OpenID Connect or SAML.
+
+The incoming request is then pre-processed by matching route's _filters_ and sent to the configured _target_. +
+The received response, after being post-processed by matching route's _filters_, is finally returned to the initial caller.
+
+==== Predicates
+
+Inside Route definition, each predicate will be referring to some Spring Cloud Gateway's
+https://docs.spring.io/spring-cloud-gateway/docs/3.1.x/reference/html/#gateway-request-predicates-factories[Predicate factory^]:
+
+ * `AFTER` matches requests that happen after the specified datetime;
+ * `BEFORE` matches requests that happen before the specified datetime;
+ * `BETWEEN` matches requests that happen after first datetime and before second datetime;
+ * `COOKIE` matches cookies that have the given name and whose values match the regular expression;
+ * `HEADER` matches with a header that has the given name whose value matches the regular expression;
+ * `HOST` matches the `Host` header;
+ * `METHOD` matches the provided HTTP method(s);
+ * `PATH` matches the request path;
+ * `QUERY` matches the query string;
+ * `REMOTE_ADDR` matches the caller IP address;
+ * `WEIGHT` matches according to the weights provided per group of target URIs;
+ * `CUSTOM` matches according to a provided class extending
+ifeval::["{snapshotOrRelease}" == "release"]
+https://github.com/apache/syncope/blob/syncope-{docVersion}/sra/src/main/java/org/apache/syncope/sra/predicates/CustomRoutePredicateFactory.java[CustomRoutePredicateFactory^].
+endif::[]
+ifeval::["{snapshotOrRelease}" == "snapshot"]
+https://github.com/apache/syncope/blob/master/sra/src/main/java/org/apache/syncope/sra/predicates/CustomRoutePredicateFactory.java[CustomRoutePredicateFactory^].
+endif::[]
+
+==== Filters
+
+Inside Route definition, each filter will be referring to some Spring Cloud Gateway's
+https://docs.spring.io/spring-cloud-gateway/docs/3.1.x/reference/html/#gatewayfilter-factories[Filter factory^]:
+
+ * `ADD_REQUEST_HEADER` adds a header to the downstream request's headers;
+ * `ADD_REQUEST_PARAMETER` adds a parameter too the downstream request's query string;
+ * `ADD_RESPONSE_HEADER` adds a header to the downstream response’s headers;
+ * `CLIENT_CERTS_TO_REQUEST_HEADER` takes SSL certificates associated with the request to downstream request's headers;
+ * `DEDUPE_RESPONSE_HEADER` removes duplicate values of response headers;
+ * `FALLBACK_HEADERS` after an execution exception occurs, the request is forwarded to a fallback endpoint; the
+headers with the exception type, message and (if available) root cause exception type and message are added to that
+request;
+ * `LINK_REWRITE` rewrites HTTP links in the response body before it is sent back to the client;
+ * `MAP_REQUEST_HEADER` creates a new named header with the value extracted out of an existing named header from
+the incoming request;
+ * `PREFIX_PATH` will prefix a part to the path of the incoming request;
+ * `PRESERVE_HOST_HEADER` sets a request attribute that the routing filter inspects to determine if the original host
+header should be sent, rather than the host header determined by the HTTP client;
+ * `PRINCIPAL_TO_REQUEST_HEADER` takes authenticated principal to downstream request's headers;
+ * `QUERY_PARAM_TO_REQUEST_HEADER` takes incoming query params to downstream request's headers;
+ * `REDIRECT_TO` will send a HTTP status `30x` with a `Location` header to perform a redirect;
+ * `REMOVE_REQUEST_HEADER` removes a header to the downstream request's headers;
+ * `REMOVE_RESPONSE_HEADER` removes a header to the downstream response’s headers;
+ * `REQUEST_HEADER_TO_REQUEST_URI` changes the request URI by a request header;
+ * `REQUEST_RATE_LIMITER` determines if the current request is allowed to proceed: if it is not, a HTTP status `429`
+is returned;
+ * `RETRY` attempts to connect to downstream request's target for the given number of retries before giving up;
+ * `REWRITE_PATH` uses regular expressions to rewrite the request path;
+ * `REWRITE_LOCATION` modifies the value of the `Location` response header;
+ * `REWRITE_RESPONSE_HEADER` modifies the value of response header;
+ * `SECURE_HEADERS` adds a number of recommended security headers to the response;
+ * `SAVE_SESSION` forces to save the current HTTP session before forwarding the call downstream;
+ * `SET_PATH` manipulates the request path;
+ * `SET_REQUEST_HEADER` replaces a header to the downstream request's headers;
+ * `SET_RESPONSE_HEADER` replaces a header to the downstream response’s headers;
+ * `SET_STATUS` sets HTTP status to return to caller;
+ * `SET_REQUEST_SIZE` restricts a request from reaching the downstream service;
+ * `SET_REQUEST_HOST` sets host header to the downstream request's headers;
+ * `STRIP_PREFIX` removes parts from the path of the incoming request;
+ * `CUSTOM` will manipulate downstream request or response according to a provided class extending
+ifeval::["{snapshotOrRelease}" == "release"]
+https://github.com/apache/syncope/blob/syncope-{docVersion}/sra/src/main/java/org/apache/syncope/sra/filters/CustomGatewayFilterFactory.java[CustomGatewayFilterFactory^].
+endif::[]
+ifeval::["{snapshotOrRelease}" == "snapshot"]
+https://github.com/apache/syncope/blob/master/sra/src/main/java/org/apache/syncope/sra/filters/CustomGatewayFilterFactory.java[CustomGatewayFilterFactory^].
+endif::[]
diff --git a/src/main/asciidoc/reference-guide/concepts/tasks.adoc b/src/main/asciidoc/reference-guide/concepts/tasks.adoc
index dffc696..21e01ac 100644
--- a/src/main/asciidoc/reference-guide/concepts/tasks.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/tasks.adoc
@@ -45,12 +45,12 @@ http://connid.tirasa.net/apidocs/1.5/org/identityconnectors/framework/common/obj
[NOTE]
====
-Propagation tasks are automatically generated via the
+Propagation tasks are automatically generated via the configured
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/PropagationManagerImpl.java[PropagationManager^],
+https://github.com/apache/syncope/blob/syncope-{docVersion}/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/DefaultPropagationManager.java[PropagationManager^],
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/PropagationManagerImpl.java[PropagationManager^],
+https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/DefaultPropagationManager.java[PropagationManager^],
endif::[]
executed (by default) via the
ifeval::["{snapshotOrRelease}" == "release"]
diff --git a/src/main/asciidoc/reference-guide/concepts/typemanagement.adoc b/src/main/asciidoc/reference-guide/concepts/typemanagement.adoc
index 343aa4b..93d7fd5 100644
--- a/src/main/asciidoc/reference-guide/concepts/typemanagement.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/typemanagement.adoc
@@ -22,15 +22,13 @@ In order to manage which attributes can be owned by Users, Groups and any object
Apache Syncope defines a simple yet powerful type management system, vaguely inspired by the LDAP/X.500 information
model.
-[NOTE]
-Starting with Apache Syncope 2.1, it is possible to define i18n labels for each schema, with purpose of improving
-presentation with Admin and End-user UIs.
-
==== Schema
A schema instance describes the values that attributes with that schema will hold; it can be defined plain, derived or
virtual.
+It is possible to define i18n labels for each schema, with purpose of improving presentation with Admin and End-user UIs.
+
===== Plain
Values for attributes with such schema types are provided during user, group or any object create / update.
@@ -133,7 +131,7 @@ ifeval::["{snapshotOrRelease}" == "release"]
https://github.com/apache/syncope/blob/syncope-{docVersion}/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/cache/CaffeineVirAttrCache.java[CaffeineVirAttrCache^]
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/cache/MemoryVirAttrCache.java[CaffeineVirAttrCache^]
+https://github.com/apache/syncope/blob/master/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/cache/CaffeineVirAttrCache.java[CaffeineVirAttrCache^]
endif::[]
| In-memory cache based on https://github.com/ben-manes/caffeine[Caffeine Cache^].
diff --git a/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc b/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
index 2294068..482ce0d 100644
--- a/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc
@@ -21,7 +21,7 @@
Users, Groups and Any Objects are definitely the key entities to manage: as explained <<introduction,above>>
in fact, the whole identity management concept is literally about managing identity data.
-Starting with Apache Syncope 2.0, the following identities are supported:
+The following identities are supported:
* *Users* represent the virtual identities build up of account information fragmented across the associated external
resources
@@ -76,3 +76,11 @@ _dynamic_ members of the group. +
Dynamic memberships have some limitations: for example, <<type-extensions,type extensions>> do not apply;
group-based provisioning is still effective.
====
+
+[[security-questions]]
+[NOTE]
+.Security Questions
+====
+The <<password-reset,password reset>> process can be strengthened by requesting users to provide their configured
+answer to a given security question, chosen among the ones defined.
+====
diff --git a/src/main/asciidoc/reference-guide/identitytechnologies/accessmanagers.adoc b/src/main/asciidoc/reference-guide/identitytechnologies/accessmanagers.adoc
index c0727fb..85de880 100644
--- a/src/main/asciidoc/reference-guide/identitytechnologies/accessmanagers.adoc
+++ b/src/main/asciidoc/reference-guide/identitytechnologies/accessmanagers.adoc
@@ -19,12 +19,21 @@
==== Access Managers
_Access Managers_ focus on the application front-end, enforcing application access via authentication
-(how Users are let access a given system) and authorization (which capabilities each user owns on a given system).
+(how users are let access a given system) and authorization (which capabilities each user owns on a given system).
Several practices and standards can be implemented by Access Managers:
* https://en.wikipedia.org/wiki/Single_sign-on[Single Sign-On^]
-* http://oauth.net/[OAuth^]
-* https://en.wikipedia.org/wiki/XACML[XACML^]
+* https://en.wikipedia.org/wiki/Multi-factor_authentication[Multi-Factor Authentication^]
+* https://oauth.net/[OAuth^]
* https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language[SAML^]
-* http://openid.net/connect/[OpenID Connect^]
+* https://openid.net/connect/[OpenID Connect^]
+
+[NOTE]
+====
+Applications can typically integrate with Access Managers by:
+
+* implementing at least one of the most diffuse protocols as OpenID Connect or SAML - also called _native integration_;
+* being protected by a security-enabled HTTP reverse proxy, which will in turn interact with Access Managers - also
+called _legacy integration_.
+====
diff --git a/src/main/asciidoc/reference-guide/identitytechnologies/provisioningengines.adoc b/src/main/asciidoc/reference-guide/identitytechnologies/identitymanagers.adoc
similarity index 72%
rename from src/main/asciidoc/reference-guide/identitytechnologies/provisioningengines.adoc
rename to src/main/asciidoc/reference-guide/identitytechnologies/identitymanagers.adoc
index 2cb7709..3e7a6a9 100644
--- a/src/main/asciidoc/reference-guide/identitytechnologies/provisioningengines.adoc
+++ b/src/main/asciidoc/reference-guide/identitytechnologies/identitymanagers.adoc
@@ -16,9 +16,9 @@
// specific language governing permissions and limitations
// under the License.
//
-==== Provisioning Engines
+==== Identity Managers
-The main role of _Provisioning Engines_ is to keep Identity Stores synchronized as much as possible.
+The main role of _Identity Managers_ is to keep Identity Stores synchronized as much as possible.
Some other characteristics and features provided:
@@ -29,7 +29,7 @@ Some other characteristics and features provided:
* Permit workflow definition, with transitions subject to approval
* Focused on application back-end
-In brief, provisioning engines take heterogeneous Identity Stores (and business requirements) as input and build up
+In brief, Identity Managers take heterogeneous Identity Stores (and business requirements) as input and build up
high-level identity data management throughout what is called the *Identity Lifecycle*.
[.text-center]
@@ -37,5 +37,9 @@ image::identityLifecycle.png[title="Identity Lifecycle",alt="Identity Lifecycle"
[NOTE]
====
-From a technology point of view, *Apache Syncope* is primarily a *Provisioning Engine*.
+Applications can typically integrate with Identity Managers by:
+
+* exposing some sort of provisioning API (often via REST or SOAP) being invoked by Identity Managers - also called
+_native integration_;
+* having their identity repository externally managed by Identity Managers - also called _legacy integration_.
====
diff --git a/src/main/asciidoc/reference-guide/identitytechnologies/identitytechnologies.adoc b/src/main/asciidoc/reference-guide/identitytechnologies/identitytechnologies.adoc
index 3129ab1..5b8340b 100644
--- a/src/main/asciidoc/reference-guide/identitytechnologies/identitytechnologies.adoc
+++ b/src/main/asciidoc/reference-guide/identitytechnologies/identitytechnologies.adoc
@@ -28,7 +28,7 @@ recent, targeted products.
include::identitystores.adoc[]
-include::provisioningengines.adoc[]
+include::identitymanagers.adoc[]
include::accessmanagers.adoc[]
diff --git a/src/main/asciidoc/reference-guide/reference-guide.adoc b/src/main/asciidoc/reference-guide/reference-guide.adoc
index 1815e7b..64b0215 100644
--- a/src/main/asciidoc/reference-guide/reference-guide.adoc
+++ b/src/main/asciidoc/reference-guide/reference-guide.adoc
@@ -49,10 +49,17 @@ New contributors are always welcome!
[discrete]
== Preface
-This reference guide covers Apache Syncope services for identity management, provisioning, and compliance.
+This guide covers Apache Syncope services for:
+
+* identity management, provisioning and compliance;
+* access management, single sign-on, authentication and authorization;
+* API gateway, secure proxy, service mesh, request routing.
== Introduction
+*Apache Syncope* is an Open Source system for managing digital identities in enterprise environments, implemented in
+Java EE technology and released under the Apache 2.0 license.
+
Often, _Identity Management_ and _Access Management_ are jointly referred, mainly because their two management worlds
likely coexist in the same project or in the same environment.
@@ -71,9 +78,6 @@ given system) and authorization (which capabilities each user owns on a given sy
From the definitions above, Identity Management and Access Management can be seen as complementary: very often, the data
synchronized by the former are then used by the latter to provide its features - e.g. authentication and authorization.
-[NOTE]
-Functionally, *Apache Syncope* implements *Identity Management* features.
-
include::identitytechnologies/identitytechnologies.adoc[]
include::architecture/architecture.adoc[]
diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/adminconsole.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/adminconsole.adoc
index 657ebfd..d917cdc 100644
--- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/adminconsole.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/adminconsole.adoc
@@ -32,18 +32,76 @@ image::consoleLogin.png[console-login]
You can use the <<set-admin-credentials,default admin credentials>> to login.
+[[admin-console-accessibility]]
+==== Accessibility
+
+The Admin UI is accessible to the visually impaired.
+
+Two icons are present in the main login page and in the menu on the right:
+
+[.text-center]
+image::accessibility-console01.png[title="Admin Console accessibility buttons",alt="Admin Console accessibility buttons"]
+
+By clicking the top right corner icon image:accessibility-icon01.png[Accessibility HC mode,30,30] it is possible to
+toggle the "High contrast mode".
+In this mode, the website colors are switched to a higher contrast color schema.
+
+[TIP]
+====
+The `H` https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/accesskey[accesskey^] shortcut can
+be used to easily toggle "High contrast mode" by using the keyboard.
+
+E.g.
+|===
+|Shortcut |Purpose
+
+|`Alt` + `Shift` + `H`
+|Toggle "High contrast mode" on Firefox and Chrome browsers on Linux
+|===
+
+====
+
+By clicking the second icon image:accessibility-icon02.png[Accessibility Increased Font mode,30,30] it is possible
+to toggle the "Increased font mode".
+In this mode, the website font size is increased.
+
+[TIP]
+====
+The `F` https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/accesskey[accesskey^] shortcut can
+be used to easily toggle "Increased font mode" by using the keyboard.
+
+E.g.
+|===
+|Shortcut |Purpose
+
+|`Alt` + `Shift` + `F`
+|Toggle "Increased font mode" on Firefox and Chrome browsers on Linux
+|===
+
+====
+
+To reset to the default mode, it is enough to click again on the specific icon.
+
==== Pages
include::dashboard.adoc[]
include::realms.adoc[]
+include::reports.adoc[]
+
include::topology.adoc[]
-include::reports.adoc[]
+include::sra.adoc[]
+
+include::wa.adoc[]
+
+include::keymaster.adoc[]
include::configuration.adoc[]
+include::extensions.adoc[]
+
include::approval.adoc[]
-include::extensions.adoc[]
+include::userrequests.adoc[]
diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/configuration.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/configuration.adoc
index 34e8003..dd5b776 100644
--- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/configuration.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/configuration.adoc
@@ -26,6 +26,11 @@ Audit::
Controls the configuration of the <<audit,auditing>> features.
+[[console-configuration-implementations]]
+Implementations::
+
+Allows the administrators to manage <<implementations,implementations>>.
+
[[console-configuration-logs]]
Logs::
@@ -38,27 +43,18 @@ Notifications::
Gives access to the <<notifications,notification>> management. +
This page also allows the administrators to create and edit <<notification-templates,notification templates>>.
-[[console-configuration-parameters]]
-Parameters::
-
-Presents the administrators with the list of defined <<configuration-parameters,configuration parameters>> used in the
-given deployment such as `token.expireTime` and `password.cipher.algorithm`.
-These can be edited to further customize the deployment. +
-New parameters can also be added, for use with custom code.
-
[[console-configuration-policies]]
Policies::
-Allows the administrators to manage <<policies-account,account>>, <<policies-password,password>> and
-<<policies-pull,pull>> policies.
+Allows the administrators to manage all available type of <<policies,policies>>.
-[[console-configuration-roles]]
-Roles::
+[[console-configuration-security]]
+Security::
-Displays and provides editing functionality for <<roles,roles>>.
+Displays and provides editing functionality for the security aspects, including <<roles,roles>>,
+<<delegation,delegations>> and <<security-questions,security questions>>.
-[[console-configuration-security-questions]]
-Security Questions::
+[[console-configuration-types]]
+Types::
-The administrators can use this page to define a set of security questions which the users can choose from when
-managing their own profile, to allow them to recover their account in case of a <<password-reset,forgotten password>>.
+Entry point for <<type-management,type management>>.
diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/adminconsole.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/keymaster.adoc
similarity index 52%
copy from src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/adminconsole.adoc
copy to src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/keymaster.adoc
index 657ebfd..3e7b77a 100644
--- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/adminconsole.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/keymaster.adoc
@@ -16,34 +16,30 @@
// specific language governing permissions and limitations
// under the License.
//
-=== Admin Console
-Once the deployment is ready, the admin console can be accessed at:
-....
-protocol://host:port/syncope-console/
-....
+[[console-keymaster]]
+===== Keymaster
-where `protocol`, `host` and `port` reflect your deployment.
+[[console-keymaster_domains]]
+====== Domains
-You should be greeted by the following web page.
+Allows for <<domains,domain>> management.
-[.text-center]
-image::consoleLogin.png[console-login]
+image::keymaster_domains.png[]
-You can use the <<set-admin-credentials,default admin credentials>> to login.
+[[console-keymaster_networkservices]]
+====== Network Services
-==== Pages
+Displays the components as registered in the configured <<keymaster,keymaster>> instance.
-include::dashboard.adoc[]
+image::keymaster_networkservices.png[]
-include::realms.adoc[]
+[[console-keymaster_parameters]]
+====== Parameters
-include::topology.adoc[]
+Presents the administrators with the list of defined <<configuration-parameters,configuration parameters>> used in the
+given deployment such as `token.expireTime` and `password.cipher.algorithm`.
+These can be edited to further customize the deployment. +
+New parameters can also be added, for use with custom code.
-include::reports.adoc[]
-
-include::configuration.adoc[]
-
-include::approval.adoc[]
-
-include::extensions.adoc[]
+image::keymaster_parameters.png[]
diff --git a/src/main/asciidoc/reference-guide/concepts/concepts.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/sra.adoc
similarity index 61%
copy from src/main/asciidoc/reference-guide/concepts/concepts.adoc
copy to src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/sra.adoc
index a4c1fd8..17fdaa7 100644
--- a/src/main/asciidoc/reference-guide/concepts/concepts.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/sra.adoc
@@ -16,38 +16,11 @@
// specific language governing permissions and limitations
// under the License.
//
-== Concepts
-include::usersgroupsandanyobjects.adoc[]
+[[console-sra]]
+===== SRA
-include::typemanagement.adoc[]
+From the SRA page it is possible to manage the <<routes,routes>> served and to immediately deploy the updated
+configuration.
-include::externalresources.adoc[]
-
-include::realms.adoc[]
-
-include::entitlements.adoc[]
-
-include::privileges.adoc[]
-
-include::roles.adoc[]
-
-include::provisioning/provisioning.adoc[]
-
-include::policies.adoc[]
-
-include::workflow.adoc[]
-
-include::notifications.adoc[]
-
-include::tasks.adoc[]
-
-include::reports.adoc[]
-
-include::audit.adoc[]
-
-include::domains.adoc[]
-
-include::implementations.adoc[]
-
-include::extensions.adoc[]
+image::sra.png[console-sra]
diff --git a/src/main/asciidoc/reference-guide/concepts/concepts.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/userrequests.adoc
similarity index 61%
copy from src/main/asciidoc/reference-guide/concepts/concepts.adoc
copy to src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/userrequests.adoc
index a4c1fd8..2ee4236 100644
--- a/src/main/asciidoc/reference-guide/concepts/concepts.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/userrequests.adoc
@@ -16,38 +16,9 @@
// specific language governing permissions and limitations
// under the License.
//
-== Concepts
-include::usersgroupsandanyobjects.adoc[]
+[[console-user-requests]]
+===== User Requests
-include::typemanagement.adoc[]
-
-include::externalresources.adoc[]
-
-include::realms.adoc[]
-
-include::entitlements.adoc[]
-
-include::privileges.adoc[]
-
-include::roles.adoc[]
-
-include::provisioning/provisioning.adoc[]
-
-include::policies.adoc[]
-
-include::workflow.adoc[]
-
-include::notifications.adoc[]
-
-include::tasks.adoc[]
-
-include::reports.adoc[]
-
-include::audit.adoc[]
-
-include::domains.adoc[]
-
-include::implementations.adoc[]
-
-include::extensions.adoc[]
+User requests are managed exactly in the same way how <<console-approval,approvals>> are managed: check the
+typical request management flow as explained <<request-management,above>>.
diff --git a/src/main/asciidoc/reference-guide/concepts/concepts.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/wa.adoc
similarity index 61%
copy from src/main/asciidoc/reference-guide/concepts/concepts.adoc
copy to src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/wa.adoc
index a4c1fd8..e565b02 100644
--- a/src/main/asciidoc/reference-guide/concepts/concepts.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/adminconsole/wa.adoc
@@ -16,38 +16,12 @@
// specific language governing permissions and limitations
// under the License.
//
-== Concepts
-include::usersgroupsandanyobjects.adoc[]
+[[console-wa]]
+===== WA
-include::typemanagement.adoc[]
+The WA page allows to manage <<authentication-modules,authentication modules>>,
+<<client-applications,client applications>> and other access management features, and to immediately deploy the updated
+configuration.
-include::externalresources.adoc[]
-
-include::realms.adoc[]
-
-include::entitlements.adoc[]
-
-include::privileges.adoc[]
-
-include::roles.adoc[]
-
-include::provisioning/provisioning.adoc[]
-
-include::policies.adoc[]
-
-include::workflow.adoc[]
-
-include::notifications.adoc[]
-
-include::tasks.adoc[]
-
-include::reports.adoc[]
-
-include::audit.adoc[]
-
-include::domains.adoc[]
-
-include::implementations.adoc[]
-
-include::extensions.adoc[]
+image::wa.png[console-wa]
diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/customization.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/customization.adoc
index cd439f8..32ff483 100644
--- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/customization.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/customization.adoc
@@ -19,8 +19,7 @@
=== Customization
[CAUTION]
-Only Maven projects can be customized: if using Standalone or Debian packages, none of the customizations discussed
-below can be applied.
+Only Maven projects can be customized: if using Standalone, none of the customizations discussed below can be applied.
Apache Syncope is designed to be as flexible as possible, to best suit the various environments
in which it can be deployed. Besides other aspects, this means that every feature and component can be extended or
@@ -354,7 +353,7 @@ Add the following dependencies to `core/pom.xml`:
Copy `core/src/main/resources/all/provisioning.properties` to `core/src/main/resources/provisioning.properties`.
[discrete]
-===== Enable the <<saml-2-0-service-provider>> extension
+===== Enable the <<saml2sp4ui>> extension
Add the following dependencies to `core/pom.xml`:
@@ -378,7 +377,7 @@ Setup a <<keystore,keystore>> and place it under the <<properties-files-location
the content of `core/src/main/resources/saml2sp4ui-logic.properties` accordingly.
[discrete]
-===== Enable the <<openid-connect-client>> extension
+===== Enable the <<oidcc4ui>> extension
Add the following dependencies to `core/pom.xml`:
@@ -562,7 +561,7 @@ Add the following dependency to `console/pom.xml`:
----
[discrete]
-===== Enable the <<saml-2-0-service-provider>> extension
+===== Enable the <<saml2sp4ui>> extension
Add the following dependencies to `console/pom.xml`:
@@ -576,7 +575,7 @@ Add the following dependencies to `console/pom.xml`:
----
[discrete]
-===== Enable the <<openid-connect-client>> extension
+===== Enable the <<oidcc4ui>> extension
Add the following dependencies to `console/pom.xml`:
@@ -630,7 +629,7 @@ Add the following dependency to `enduser/pom.xml`:
----
[discrete]
-===== Enable the <<saml-2-0-service-provider>> extension
+===== Enable the <<saml2sp4ui>> extension
Add the following dependencies to `enduser/pom.xml`:
@@ -644,7 +643,7 @@ Add the following dependencies to `enduser/pom.xml`:
----
[discrete]
-===== Enable the <<openid-connect-client>> extension
+===== Enable the <<oidcc4ui>> extension
Add the following dependencies to `enduser/pom.xml`:
@@ -657,61 +656,6 @@ Add the following dependencies to `enduser/pom.xml`:
</dependency>
----
-[[customization-enduser-i18n]]
-===== i18n
-
-The <<enduser-application>> comes with a native internationalization mechanism.
-
-Under the `enduser/src/main/webapp/app/languages/` directory, a sub-directory for each supported language is available;
-each language sub-directory contains two JSON files:
-
-* `static.json` for application messages;
-* `dynamic.json` for labels (including attributes).
-
-Changing the content of these files will result in updating the Enduser messages accordingly.
-
-[TIP]
-====
-In order to add support for a new language (taking French as reference):
-
-* add the support for the new language by updating `index.html`:
-```
- <script src="../webjars/kendo-ui-core/${kendo-ui-core.version}/js/cultures/kendo.culture.it.js"></script>
- <script src="../webjars/kendo-ui-core/${kendo-ui-core.version}/js/cultures/kendo.culture.en.js"></script>
- <script src="../webjars/kendo-ui-core/${kendo-ui-core.version}/js/cultures/kendo.culture.de.js"></script>
-```
-in
-```
- <script src="../webjars/kendo-ui-core/${kendo-ui-core.version}/js/cultures/kendo.culture.it.js"></script>
- <script src="../webjars/kendo-ui-core/${kendo-ui-core.version}/js/cultures/kendo.culture.en.js"></script>
- <script src="../webjars/kendo-ui-core/${kendo-ui-core.version}/js/cultures/kendo.culture.de.js"></script>
- <script src="../webjars/kendo-ui-core/${kendo-ui-core.version}/js/cultures/kendo.culture.fr.js"></script>
-```
-* add the new language entry in `js/app.js` under `availableLanguages`, by updating
-```
- $rootScope.languages = {
- availableLanguages: [
- {id: '1', name: 'Italiano', code: 'it', format: 'dd/MM/yyyy HH:mm'},
- {id: '2', name: 'English', code: 'en', format: 'MM/dd/yyyy HH:mm'},
- {id: '3', name: 'Deutsch', code: 'de', format: 'dd/MM/yyyy HH:mm'}
- ]
- };
-```
-as
-```
- $rootScope.languages = {
- availableLanguages: [
- {id: '1', name: 'Italiano', code: 'it', format: 'dd/MM/yyyy HH:mm'},
- {id: '2', name: 'English', code: 'en', format: 'MM/dd/yyyy HH:mm'},
- {id: '3', name: 'Deutsch', code: 'de', format: 'dd/MM/yyyy HH:mm'}
- {id: '4', name: 'Français', code: 'fr', format: 'dd/MM/yyyy HH:mm'}
- ]
- };
-```
-* copy the `enduser/src/main/webapp/app/languages/en/` directory into `enduser/src/main/webapp/app/languages/fr/`
-and modify the JSON files under the new directory
-====
-
[[customization-enduser-form]]
===== Form customization
diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/enduser.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/enduser.adoc
deleted file mode 100644
index c97e5bc..0000000
--- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/enduser.adoc
+++ /dev/null
@@ -1,49 +0,0 @@
-//
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-//
-=== Enduser Application
-Once the deployment is ready, the enduser application can be accessed at:
-
-....
-protocol://host:port/syncope-enduser/
-....
-
-where `protocol`, `host` and `port` reflect your deployment.
-
-The scope of the enduser application is primarily to provide a dedicated web-based entry-point for self-registration,
-self-service and <<password-reset,password reset>>.
-
-[.text-center]
-image::enduserLogin.png[enduser-login]
-
-Usually, organizations tend to require deep customizations not only in the appearance but often also in the actual
-mechanisms behind, in order to best suit their processes and flows. +
-This is the main reason why the enduser application is composed of an
-https://angularjs.org/[AngularJS^] frontend - which eases extension and full customization - featured by an
-http://wicket.apache.org[Apache Wicket^] backend - which proxies access to the <<core>>, thus skipping several security
-concerns at a glance.
-
-Nonetheless, the introduction of a client-side technology as AngularJS brought some important security issues to
-attention; above all, https://en.wikipedia.org/wiki/Cross-site_request_forgery[CRSF^] /
-https://en.wikipedia.org/wiki/Cross-site_request_forgery[XSRF^] and https://en.wikipedia.org/wiki/Internet_bot[BOT^]
-attacks. +
-The enduser application offers protection mechanisms against all of them, and optionally consent to embed external
-features as https://www.google.com/recaptcha/intro/index.html[Google re-Captcha^].
-
-While full-fledged front-end features are provided, it is important to highlight how these are primarily meant for
-<<customization-enduser,customization>> on a given deployment.
diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/enduser/enduser.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/enduser/enduser.adoc
new file mode 100644
index 0000000..254da17
--- /dev/null
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/enduser/enduser.adoc
@@ -0,0 +1,92 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+=== Enduser Application
+Once the deployment is ready, the enduser application can be accessed at:
+
+....
+protocol://host:port/syncope-enduser/
+....
+
+where `protocol`, `host` and `port` reflect your deployment.
+
+The scope of the enduser application is primarily to provide a dedicated web-based entry-point for self-registration,
+self-service and <<password-reset,password reset>>.
+
+[.text-center]
+image::enduserLogin.png[enduser-login]
+
+[[enduser-accessibility]]
+==== Accessibility
+
+The End-user UI is accessible to the visually impaired.
+
+Two icons are present in the main page, in the right corner:
+
+[.text-center]
+image::accessibility-enduser01.png[title="Enduser accessibility icons",alt="Enduser accessibility icons"]
+
+By clicking the top right corner icon image:accessibility-icon01.png[Accessibility HC mode,30,30] it is possible to
+toggle the "High contrast mode".
+In this mode, the website colors are switched to a higher contrast color schema.
+
+[TIP]
+====
+The `H` https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/accesskey[accesskey^] shortcut can
+be used to easily toggle "High contrast mode" by using the keyboard.
+
+E.g.
+|===
+|Shortcut |Purpose
+
+|`Alt` + `Shift` + `H`
+|Toggle "High contrast mode" on Firefox and Chrome browsers on Linux
+|===
+
+====
+
+By clicking the second icon image:accessibility-icon02.png[Accessibility Increased Font mode,30,30] it is possible
+to toggle the "Increased font mode".
+In this mode, the website font size is increased.
+
+[TIP]
+====
+The `F` https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/accesskey[accesskey^] shortcut can
+be used to easily toggle "Increased font mode" by using the keyboard.
+
+E.g.
+|===
+|Shortcut |Purpose
+
+|`Alt` + `Shift` + `F`
+|Toggle "Increased font mode" on Firefox and Chrome browsers on Linux
+|===
+
+====
+
+To reset to the default mode, it is enough to click again on the specific icon.
+
+==== Pages
+
+include::home.adoc[]
+
+include::personal.adoc[]
+
+include::userrequests.adoc[]
+
+include::passwordreset.adoc[]
diff --git a/src/main/asciidoc/reference-guide/concepts/concepts.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/enduser/home.adoc
similarity index 61%
copy from src/main/asciidoc/reference-guide/concepts/concepts.adoc
copy to src/main/asciidoc/reference-guide/workingwithapachesyncope/enduser/home.adoc
index a4c1fd8..6750f29 100644
--- a/src/main/asciidoc/reference-guide/concepts/concepts.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/enduser/home.adoc
@@ -16,38 +16,10 @@
// specific language governing permissions and limitations
// under the License.
//
-== Concepts
-include::usersgroupsandanyobjects.adoc[]
+[[enduser-home]]
+===== Home
-include::typemanagement.adoc[]
+The Home page provides a welcome page for logged-in users.
-include::externalresources.adoc[]
-
-include::realms.adoc[]
-
-include::entitlements.adoc[]
-
-include::privileges.adoc[]
-
-include::roles.adoc[]
-
-include::provisioning/provisioning.adoc[]
-
-include::policies.adoc[]
-
-include::workflow.adoc[]
-
-include::notifications.adoc[]
-
-include::tasks.adoc[]
-
-include::reports.adoc[]
-
-include::audit.adoc[]
-
-include::domains.adoc[]
-
-include::implementations.adoc[]
-
-include::extensions.adoc[]
+image::enduserHome.png[enduser-home]
diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/enduser/passwordreset.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/enduser/passwordreset.adoc
new file mode 100644
index 0000000..1a5d02a
--- /dev/null
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/enduser/passwordreset.adoc
@@ -0,0 +1,68 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+[[password-reset]]
+===== Password Reset
+
+When users lost their password, a feature is available to help gaining back access to Apache Syncope: password reset.
+
+image::passwordreset.png[title="Password reset",alt="Password reset"]
+
+The process can be outlined as follows:
+
+. user asks for password reset, typically via end-user
+. user is asked to provide an answer to the security question that was selected during self-registration or self-update
+. if the expected answer is provided, a unique token with time-constrained validity is internally generated and an
+e-mail is sent to the configured address for the user with a link - again, typically to the
+end-user - containing such token value
+. user clicks on the received link and provides new password value, typically via end-user
+. user receives confirmation via e-mail
+
+[WARNING]
+====
+The outlined procedure requires a working <<e-mail-configuration,e-mail configuration>>.
+
+In particular:
+
+* the first e-mail is generated from the `requestPasswordReset` <<notification-templates, notification template>>:
+hence, the token-based access link to the end-user is managed there;
+* the second e-mail is generated from the `confirmPasswordReset` <<notification-templates, notification template>>.
+====
+
+[TIP]
+====
+The process above requires the availability of <<security-questions,security questions>> that
+users can pick up and provide answers for.
+
+The usage of security questions can be however disabled by setting the `passwordReset.securityQuestion` value - see
+<<configuration-parameters, below>> for details.
+====
+
+[[password-reset-no-security-answer]]
+[WARNING]
+====
+Once provided via Enduser Application, the answers to security questions are *never* reported, neither via REST or Admin UI to
+administrators, nor to end-users via Enduser Application.
+
+This to avoid any information disclosure which can potentially lead attackers to reset other users' passwords.
+====
+
+[NOTE]
+In addition to the password reset feature, administrators can set a flag on a given user so that he / she is forced to
+update their password value at next login.
diff --git a/src/main/asciidoc/reference-guide/concepts/concepts.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/enduser/personal.adoc
similarity index 61%
copy from src/main/asciidoc/reference-guide/concepts/concepts.adoc
copy to src/main/asciidoc/reference-guide/workingwithapachesyncope/enduser/personal.adoc
index a4c1fd8..67ef973 100644
--- a/src/main/asciidoc/reference-guide/concepts/concepts.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/enduser/personal.adoc
@@ -16,38 +16,6 @@
// specific language governing permissions and limitations
// under the License.
//
-== Concepts
-include::usersgroupsandanyobjects.adoc[]
+===== Personal Information
-include::typemanagement.adoc[]
-
-include::externalresources.adoc[]
-
-include::realms.adoc[]
-
-include::entitlements.adoc[]
-
-include::privileges.adoc[]
-
-include::roles.adoc[]
-
-include::provisioning/provisioning.adoc[]
-
-include::policies.adoc[]
-
-include::workflow.adoc[]
-
-include::notifications.adoc[]
-
-include::tasks.adoc[]
-
-include::reports.adoc[]
-
-include::audit.adoc[]
-
-include::domains.adoc[]
-
-include::implementations.adoc[]
-
-include::extensions.adoc[]
diff --git a/src/main/asciidoc/reference-guide/identitytechnologies/identitytechnologies.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/enduser/userrequests.adoc
similarity index 55%
copy from src/main/asciidoc/reference-guide/identitytechnologies/identitytechnologies.adoc
copy to src/main/asciidoc/reference-guide/workingwithapachesyncope/enduser/userrequests.adoc
index 3129ab1..94f0d60 100644
--- a/src/main/asciidoc/reference-guide/identitytechnologies/identitytechnologies.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/enduser/userrequests.adoc
@@ -17,19 +17,14 @@
// under the License.
//
-=== Identity Technologies
+[[enduser-user-requests]]
+===== User Requests
-Identity and Access Management (IAM) is not implemented by a single technology; it is instead a composition of
-heterogeneous technologies - differing by maturity, scope, applicability and feature coverage - which require some
-'glue' to fit together.
+The images below refer to the printer assignment <<sample-user-request,sample>> and to the typical request management
+flow as explained <<request-management,above>>.
-As with other application domains, it can be observed that tools that appeared earlier tend to partially overlap with more
-recent, targeted products.
+image::enduser_userrequests_none.png[title="Initial situation: no active requests",alt="Initial situation: no active requests"]
+image::enduser_userrequests_start.png[title="Starting new request",alt="Starting new request"]
+image::enduser_userrequests_started.png[title="Filling request form",alt="Filling request form"]
-include::identitystores.adoc[]
-
-include::provisioningengines.adoc[]
-
-include::accessmanagers.adoc[]
-
-include::thecompletepicture.adoc[]
+After submit, the request is ready to be <<console-user-requests,managed>> by the configured administrators.
diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
index b2cb2ad..e6cf36b 100644
--- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
@@ -31,19 +31,25 @@ where `protocol`, `host` and `port` reflect your deployment.
[NOTE]
.REST Reference
====
-A complete REST reference generated from https://en.wikipedia.org/wiki/Web_Application_Description_Language[WADL^] is
-https://syncope.apache.org/rest/3.0/index.html[published^] as well as made available with each deployment at
+A complete REST reference generated from https://swagger.io/specification/[OpenAPI specification 3.0^] is
+https://syncope.apache.org/rest/3.0/openapi.json[published^] as well as made available with each deployment at
....
-protocol://host:port/syncope/
+protocol://host:port/syncope/rest/openapi.json
....
where `protocol`, `host` and `port` reflect your deployment.
+
+REST APIs are available to visualize and interact via https://swagger.io/tools/swagger-ui/[Swagger UI^] at
+
+....
+protocol://host:port/syncope/
+....
====
==== REST Authentication and Authorization
-The <<core>> authentication and authorization is based on http://projects.spring.io/spring-security/[Spring Security^].
+The <<core>> authentication and authorization is based on https://spring.io/projects/spring-security[Spring Security^].
As an initial step, authentication is required to obtain, in the `X-Syncope-Token` HTTP header, the
unique signed https://en.wikipedia.org/wiki/JSON_Web_Token[JSON Web Token^] to include in all subsequent requests.
@@ -91,7 +97,7 @@ The set of RESTful services provided by Apache Syncope can be divided as:
. endpoints disclosing information about the given Syncope deployment (available <<schema,schema>>, configured
<<extensions,extensions>>, Groups, ...), requiring some sort of shared authentication defined by the
`anonymousKey` value in the `security.properties` file - for more information, read about Spring Security's
-http://docs.spring.io/spring-security/site/docs/4.2.x/reference/htmlsingle/#anonymous[Anonymous Authentication^];
+https://docs.spring.io/spring-security/site/docs/5.5.x/reference/html5/#anonymous[Anonymous Authentication^];
. endpoints for self-service (self-update, password change, ...), requiring user authentication and no entitlements;
. endpoints for administrative operations, requiring user authentication with authorization granted by the related
<<entitlements,entitlements>>, handed over to users via <<roles,roles>>.
@@ -149,10 +155,10 @@ the entity key (which may be auto-generated) and the absolute URI identifying th
If the requested operation is in error, `X-Application-Error-Code` will contain the error code (mostly from
ifeval::["{snapshotOrRelease}" == "release"]
-https://github.com/apache/syncope/blob/syncope-{docVersion}/common/lib/src/main/java/org/apache/syncope/common/lib/types/ClientExceptionType.java[ClientExceptionType^])
+https://github.com/apache/syncope/blob/syncope-{docVersion}/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/types/ClientExceptionType.java[ClientExceptionType^])
endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
-https://github.com/apache/syncope/blob/master/common/lib/src/main/java/org/apache/syncope/common/lib/types/ClientExceptionType.java[ClientExceptionType^])
+https://github.com/apache/syncope/blob/master/common/idrepo/lib/src/main/java/org/apache/syncope/common/lib/types/ClientExceptionType.java[ClientExceptionType^])
endif::[]
and `X-Application-Error-Info` might be optionally populated with more details, if available.
@@ -531,8 +537,8 @@ The library is available as a Maven artifact:
[source,xml,subs="verbatim,attributes"]
----
<dependency>
- <groupId>org.apache.syncope.client.idm</groupId>
- <artifactId>syncope-client-idm-lib</artifactId>
+ <groupId>org.apache.syncope.client.idrepo</groupId>
+ <artifactId>syncope-client-idrepo-lib</artifactId>
<version>{docVersion}</version>
</dependency>
----
@@ -646,8 +652,8 @@ int count = userService.search(new AnyQuery.Builder().page(0).size(0).build()).g
PagedResult<UserTO> matchingUsers = userService.search(
new AnyQuery.Builder().realm(SyncopeConstants.ROOT_REALM).
- fiql(SyncopeClient.getUserSearchConditionBuilder().is("username").equalTo("ros*ini").query()).
- build()); // <2>
+ fiql(SyncopeClient.getUserSearchConditionBuilder().is("username").
+ equalTo("ros*ini").query()).build()); // <2>
PagedResult<UserTO> matchingUsers = userService.search(
new AnyQuery.Builder().realm(SyncopeConstants.ROOT_REALM).
@@ -718,12 +724,14 @@ List<BatchResponseItem> batchResponseItems = batchResponse.getItems(); // <6>
====
[source,java]
----
-Pair<Map<String, Set<String>>, UserTO> self = client.self();
+Triple<Map<String, Set<String>>, List<String>, UserTO> self = client.self();
UserTO userTO = self.getRight(); // <1>
Map<String, Set<String>> realm2entitlements = self.getLeft(); // <2>
+List<String> delegations = self.getMiddle(); // <3>
----
<1> https://syncope.apache.org/apidocs/3.0/org/apache/syncope/common/lib/to/UserTO.html[UserTO^] of the requesting user
<2> for each <<realms,realm>>, the owned <<entitlements,entitlements>>
+<3> <<delegation,delegations>> assigned to the requesting user
====
.Change user status
diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc
index 1a1a73b..a5cf9c0 100644
--- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/configurationparameters.adoc
@@ -19,8 +19,7 @@
==== Configuration Parameters
-Most run-time configuration options are available as parameters and can be tuned either via the admin console or
-barely invoking the REST layer through http://curl.haxx.se/[curl^]:
+Most run-time configuration options are available as parameters and can be tuned via the admin console:
* `password.cipher.algorithm` - which cipher algorithm shall be used for encrypting password values; supported
algorithms include `SHA-1`, `SHA-256`, `SHA-512`, `AES`, `S-MD5`, `S-SHA-1`, `S-SHA-256`, `S-SHA-512` and `BCRYPT`;
diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/importexport.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/importexport.adoc
index b57eff0..d4fffe0 100644
--- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/importexport.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/importexport.adoc
@@ -79,6 +79,5 @@ file is located at:
* `$TOMCAT_HOME/webapps/syncope/WEB-INF/classes/domains/MasterContent.xml` for Standalone
-* `/usr/share/tomcat8/webapps/syncope/WEB-INF/classes/domains/MasterContent.xml` for Debian packages
* `core/src/test/resources/domains/MasterContent.xml` for Maven projects in embedded mode
* `core/src/main/resources/domains/MasterContent.xml` for Maven projects
diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/keystore.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/keystore.adoc
index 62db556..cf149ce 100644
--- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/keystore.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/keystore.adoc
@@ -23,7 +23,7 @@ certificates, and is often used by Java-based applications for encryption, authe
Its entries are protected by a keystore password. A keystore entry is identified by an alias, and it consists of keys
and certificates that form a trust chain.
-A keystore is currently required by the <<saml-2-0-service-provider>> extension in order to sign and / or encrypt the
+A keystore is currently required by the <<saml2sp4ui>> extension in order to sign and / or encrypt the
generated SAML 2.0 requests.
While a sample keystore is provided, it is *strongly* recommended to setup a production keystore; in the following, a
diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/systemadministration.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/systemadministration.adoc
index bd2c2ac..8038033 100644
--- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/systemadministration.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/systemadministration/systemadministration.adoc
@@ -31,12 +31,6 @@ was unzipped, the configuration files are located under
* `$CATALINA_HOME/webapps/syncope-console/WEB-INF/classes/`
* `$CATALINA_HOME/webapps/syncope-enduser/WEB-INF/classes/`
-Debian packages:: The configuration files will be first searched in `/etc/apache-syncope`, then under
-
-* `/usr/share/tomcat8/webapps/syncope/WEB-INF/classes/`
-* `/usr/share/tomcat8/webapps/syncope-console/WEB-INF/classes/`
-* `/usr/share/tomcat8/webapps/syncope-enduser/WEB-INF/classes/`
-
Maven project:: Assuming that `$CONF_DIRECTORY` is the directory passed among
<<deployment-directories,deployment directories>> at build time and that `$SOURCE` is the path where the Maven project
was generated, the configuration files will be first searched in
diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/workingwithapachesyncope.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/workingwithapachesyncope.adoc
index b5fb7a6..719337e 100644
--- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/workingwithapachesyncope.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/workingwithapachesyncope.adoc
@@ -30,7 +30,7 @@ to check system requirements and to choose among the various options for obtaini
include::adminconsole/adminconsole.adoc[]
-include::enduser.adoc[]
+include::enduser/enduser.adoc[]
include::restfulservices.adoc[]
diff --git a/src/site/xdoc/mailing-lists.xml b/src/site/xdoc/mailing-lists.xml
index b323f0d..308ea76 100644
--- a/src/site/xdoc/mailing-lists.xml
+++ b/src/site/xdoc/mailing-lists.xml
@@ -56,16 +56,6 @@ under the License.
<a href="https://syncope.markmail.org/">syncope.markmail.org</a>
</td>
</tr>
- <tr class="a">
- <td>-</td>
- <td>-</td>
- <td>-</td>
- <td>-</td>
- <td>-</td>
- <td>
- <a href="https://syncope-user.1051894.n5.nabble.com/">syncope-user.1051894.n5.nabble.com</a>
- </td>
- </tr>
<tr class="b">
<td>-</td>
<td>-</td>
@@ -94,16 +84,6 @@ under the License.
<a href="https://syncope.markmail.org/">syncope.markmail.org</a>
</td>
</tr>
- <tr class="b">
- <td>-</td>
- <td>-</td>
- <td>-</td>
- <td>-</td>
- <td>-</td>
- <td>
- <a href="https://syncope-dev.1063484.n5.nabble.com/">syncope-dev.1063484.n5.nabble.com</a>
- </td>
- </tr>
<tr class="a">
<td>-</td>
<td>-</td>
@@ -156,11 +136,13 @@ under the License.
<section name="IRC">
<p>
- Join the <strong>#apache-syncope</strong> channel on FreeNode.
+ Join the <strong>#apache-syncope</strong> channel on <a href="https://libera.chat/">Libera.Chat</a>.
</p>
+ </section>
+
+ <section name="Slack">
<p>
- Communication archives are <a href="http://wilderness.apache.org/channels/#logs-%23apache-syncope">available</a>
- for reference.
+ Join the <strong>#syncope</strong> channel on <a href="https://the-asf.slack.com/archives/CEUPMC04T">Slack</a>.
</p>
</section>
</body>