chore: update readme (#160)

* chore: update readme * chore: update for password changes
defenseunicorns · Jul 22, 2024 · 84954a6 · 84954a6
1 parent 4cf9cd6
commit 84954a6
Showing 1 changed file with 28 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -26,9 +26,35 @@ If the default realm, plugin, theme, truststore, or jars do not provide enough f
 
 
 ## Upgrading Identity Config
+<details open>
+<summary><b>From v0.5.0 to v0.5.1</b></summary>
 
-### From v0.4.5 to v0.5.0
+This version upgrade utilizes built in Keycloak functionality for User Managed Attributes.
 
+> [!IMPORTANT]  
+> User managed attributes are only available in Keycloak 24+
+
+If upgrading without a full redeploy of keycloak the following changes will be needed:
+1. The `realm.json` will need to be updated to contain the correct User Managed Attributes definition, [User Managed Attributes Configuration](https://github.com/defenseunicorns/uds-identity-config/blob/v0.5.1/src/realm.json#L1884-L1895). The following steps can be used to do this with clickops:
+   1. In `Realm Settings` tab and on the `General` page
+      1. toggle off `User-managed access`
+      2. `Unmanaged Attributes` set to `Only administrators can write`
+   2. On `User profile` page
+      1. select the `JSON Editor` tab
+      2. Copy and Paste the value of [the User Attribute Definition from the realm.json](https://github.com/defenseunicorns/uds-identity-config/blob/v0.5.1/src/realm.json#L1891)
+      3. `Save`
+2. Incorporate STIG password rules, in accordance with these two hardening guides:
+   * [Elasticsearch 8.0 Application Server](https://github.com/user-attachments/files/16178987/Elasticsearch.8.0.Hardening.Guide.Application.Server.SRG.V3R1.pdf)
+   * [Elasticsearch 8.0 Central Log Server](https://github.com/user-attachments/files/16178988/Elasticsearch.8.0.Hardening.Guide.Central.Log.Server.SRG.V2R1.pdf)
+   * Changes:
+     1. Passwords expire in 60 days
+     2. Passwords complexity: 2 special characters, 1 digit, 1 lowercase, 1 uppercase, and 15 character minimum length
+     3. IDP session idle timeout is now 10 minutes
+     4. Maximum login attempts is now 3
+</details>
+
+<details>
+<summary><b>From v0.4.5 to v0.5.0</b></summary>
 This version upgrade brings in a new Authentication Flow for group authorization.
 
 If upgrading without a full redeploy of keycloak the following steps will be necessary to create and use group authorization:
@@ -48,3 +74,4 @@ If upgrading without a full redeploy of keycloak the following steps will be nec
       7. `Add` the `UDS Operator Group Authentication Validation`
    2. In the `Identity Providers` tab, select the `SAML` Provider
       1. Add the `Authorization` flow to the `Post login flow` in the `Advanced settings` section
+</details>