diff --git a/docbook/reference/en/en-US/master.xml b/docbook/reference/en/en-US/master.xml
index 3487d3c537a..751436c4c2a 100755
--- a/docbook/reference/en/en-US/master.xml
+++ b/docbook/reference/en/en-US/master.xml
@@ -13,6 +13,7 @@
+
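Review bot: the only added line in this hunk is blank as rendered, yet the next hunk references `&SAML;`, so the entity declaration that should bind SAML to the new modules/saml.xml file is not visible for review. If the declaration is present and was only lost in rendering, fine; if this line really is empty, the DocBook build will fail on an undeclared entity as soon as master.xml is processed, so please confirm what this line contains.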
@@ -121,6 +122,7 @@ This one is short
&UserFederation;
&ExportImport;
&ServerCache;
+ &SAML;
&SecurityVulnerabilities;
&Clustering;
&Migration;
diff --git a/docbook/reference/en/en-US/modules/Overview.xml b/docbook/reference/en/en-US/modules/Overview.xml
index d14169e1f87..3361e0dbc11 100755
--- a/docbook/reference/en/en-US/modules/Overview.xml
+++ b/docbook/reference/en/en-US/modules/Overview.xml
@@ -73,6 +73,9 @@
OpenID Connect Support.
+
+ SAML Support.
+
CORS Support
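Review bot: `SAML Support.` understates what the feature list should tell a reader, since the new saml.xml chapter in this patch scopes the feature to SAML 2.0 with POST and Redirect bindings and explicitly excludes SAML 1.1 and redirect-based logout; suggest `SAML 2.0 Support.` so the overview and the chapter agree. Also check whether the two blank `+` lines around the entry match the spacing of the neighbouring `OpenID Connect Support.` and `CORS Support` items, which appear without them here.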
@@ -89,13 +92,13 @@
Account Management console that allows users to manage their own account, view their open sessions, reset passwords, etc.
- Deployable as a WAR, appliance, or on Openshift.
+ Deployable as a WAR, appliance, or on Openshift. Completely clusterable.
Multitenancy support. You can host and manage multiple realms for multiple organizations.
- Supports JBoss AS7, EAP 6.x, Wildfly and JavaScript applications. Plans to support Node.js, RAILS, GRAILS, and other non-Java deployments
+ Supports JBoss AS7, EAP 6.x, Wildfly and Pure JavaScript applications. Plans to support Node.js, RAILS, GRAILS, and other non-Java deployments
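Review bot: `Completely clusterable.` is an unqualified claim appended to the deployment bullet; the book already carries a Clustering chapter (`&Clustering;` in master.xml), so either point to it or state what is actually clustered, otherwise readers will assume every component scales horizontally with no configuration. Minor: `Pure JavaScript applications` capitalises `Pure` mid-sentence; use `pure JavaScript applications` or keep the previous `JavaScript applications`.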
diff --git a/docbook/reference/en/en-US/modules/saml.xml b/docbook/reference/en/en-US/modules/saml.xml
new file mode 100755
index 00000000000..1f6a1a37247
--- /dev/null
+++ b/docbook/reference/en/en-US/modules/saml.xml
@@ -0,0 +1,97 @@
+
+ SAML SSO
+
+ Keycloak supports SAML 2.0 for registered applications. Both POST and Redirect bindings are supported. You can choose
+ to require client signature validation and can have the server sign and/or encrypt responses as well. We do not
+ yet support logout via redirects. All logouts happen via a background POST binding request to the application
+ that will be logged out. We do not support SAML 1.1 either. If you want support for either of those, please
+ log a JIRA request and we'll schedule it.
+
+
+ When you create an application in the admin console, you can choose which protocol the application will log in with.
+ In the application create screen, choose saml from the protocol list. After that there
+ are a bunch of configuration options. Here is a description of each item:
+
+
+
+
+ Include AuthnStatement
+
+
+ SAML login responses may specify the authenticaiton method used (password, etc.) as well as
+ a timestamp of the login. Setting this to on will include that statement in the response document.
+
+
+
+
+ Multi-valued Roles
+
+
+ If this switch is off, any user role mapings will have a corresponding attribute created for it.
+ If this switch is turn on, only one role attribute will be created, but it will have
+ multiple values within in.
+
+
+
+
+ Sign Documents
+
+
+ When turned on, Keycloak will sign the document using the realm's private key.
+
+
+
+
+ Sign Assertions
+
+
+ With the Sign Documents switch signs the whole document. With this setting
+ you just assign the assertions of the document.
+
+
+
+
+ Signature Algorithm
+
+
+ Choose between a variety of algorithms for signing SAML documents.
+
+
+
+
+ Encrypt Assertions
+
+
+ Encrypt assertions in SAML documents with the realm's private key. The AES algorithm is used
+ with a key size of 128 bits.
+
+
+
+
+ Client Signature Required
+
+
+ Expect that documents coming from a client are signed. Keycloak will validate this signature
+ using the client keys set up in the Application Keys submenu item.
+
+
+
+
+ Force POST Binding
+
+
+ By default, Keycloak will respond using the initial SAML binding of the original request. By turning
+ on this switch, you will force Keycloak to always respond using the SAML POST Binding even if the
+ original request was a the Redirect binding.
+
+
+
+
+
+
+ One thing to note is that roles are not treated as a hierarchy. So, any role mappings will just be added
+ to the role attributes in the SAML document using their basic name. So, if you have multiple applicaiton roles
+ you might have name collisions. You can use the Scope Mapping menu item to control which role mappings are set
+ in the response.
+
+
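Review bot: the `Encrypt Assertions` description is cryptographically contradictory and should be fixed before this ships: it says assertions are encrypted `with the realm's private key` and then that `The AES algorithm is used with a key size of 128 bits`. AES is symmetric, so no private key encrypts the assertion, and anything encrypted under the realm's private key could be opened by anyone holding the realm's published public key. Please confirm which key the implementation actually uses to wrap the AES key (for an assertion only the client should be able to read, that would be the client's public key, not the realm's) and document that, so operators know which key pair to provision under Application Keys. In the same hunk, `Sign Assertions` says `you just assign the assertions of the document`, which should read `sign`, and it is worth stating that signing only the assertion leaves the enclosing response document unsigned. The role-collision paragraph should say plainly that a name collision between applications can present a user with a role attribute they were never mapped to for that application, which is the reason to use Scope Mapping rather than a convenience. Typos: `authenticaiton`, `mapings`, `turn on` (turned on), `within in`, `applicaiton`, and `was a the Redirect binding`.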
diff --git a/docbook/reference/en/en-US/modules/security-vulnerabilities.xml b/docbook/reference/en/en-US/modules/security-vulnerabilities.xml
index 246cfd09542..49a29882feb 100755
--- a/docbook/reference/en/en-US/modules/security-vulnerabilities.xml
+++ b/docbook/reference/en/en-US/modules/security-vulnerabilities.xml
@@ -152,4 +152,13 @@
At this point in time, there is no knowledge of any SQL injection vulnerabilities in Keycloak
+
+ Limiting Scope
+
+ Using the Scope menu in the admin console for oauth clients or applications, you can control
+ exactly which role mappings will be included within the token sent back to the client or application. This
+ allows you to limit the scope of permissions given to the application or client which is great if the client isn't
+ very trusted and is known to not being very careful with its tokens.
+
+
\ No newline at end of file
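Review bot: `known to not being very careful with its tokens` is ungrammatical; suggest `known not to be careful with its tokens`. The paragraph would also read better as a least-privilege statement than as a trust judgement: a token carrying only the role mappings the client needs limits what a leaked or misused token can do, so restricting scope is worthwhile for every client, not only distrusted ones. Finally, the hunk ends with `\ No newline at end of file`; add the trailing newline so the next edit to this file does not show a spurious change on its last line.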
diff --git a/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/application-detail.html b/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/application-detail.html
index 2c61c34e712..165e57d4bec 100755
--- a/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/application-detail.html
+++ b/forms/common-themes/src/main/resources/theme/admin/base/resources/partials/application-detail.html
@@ -56,13 +56,6 @@
-
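Review bot: the header `@@ -56,13 +56,6 @@` says seven lines are removed from application-detail.html, but only a blank `-` line is visible, so the removed markup cannot be checked against the saml.xml text, which describes a protocol list and a set of SAML switches on the application create screen. Please include the full hunk; as shown, it is impossible to tell whether this is the old layout giving way to the new protocol-driven form or an unrelated removal.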