Two Standards But One Common Single Sign-on – Integration of SAML and OpenID Connect

The integration of Kopano Konnect into the single sign-on infrastructure of Univention Corporate Server gives users another way to reach the various applications integrated in UCS after a single initial login with their user name and password.
The two authentication standards SAML (Security Assertion Markup Language) and OpenID Connect have been available to UCS users for some time. So far, however, the two technologies were separate worlds: if some web services authenticated against the UCS identity management via SAML and others via OpenID Connect, users in such mixed environments had to log in twice. With the support of the Kopano team we were able to release an extension of the app “OpenID Connect ID” in the App Center. It bridges the two standards, so the end user goes through a single authentication process.
I would like to briefly explain how single sign-on generally works with UCS, then describe how Kerberos, SAML and OpenID Connect interact, and finally show which functions the new Kopano Konnect implementation offers UCS users.

Synchronize Password Hashes between MS Active Directory and UCS

Diagram: UCS Kerberos hashes

Version 4.4-4 of Univention Corporate Server (UCS) comes with several new features, one of them being the new AD Connector app. It makes the synchronization of password hashes between a Microsoft Active Directory domain and a UCS domain significantly more secure and less error-prone. While previous versions could only synchronize NTLM hashes, the AD Connector of UCS 4.4-4 also reads the newer Kerberos keys, which allow single sign-on (SSO) to different applications. Keep in mind that an NTLM hash is an unsalted MD4 digest of the password and can itself be used as a credential (pass-the-hash), so synchronized hashes must be protected like passwords, both in transit and at rest.

I am a second-year trainee at Univention (job description: IT specialist for application development). I was involved in the development of the new feature and mainly had to deal with three tasks: the AD Connector itself, the OpenLDAP overlay module, and the S4 Connector (Samba). In this blog post I’m going to explain what Kerberos hashes are and how I implemented the new feature.

Film Tutorial: How to Add a Windows 10 Computer to a UCS Domain

In our four-minute film tutorial we show you how to add a Windows 10 computer to your UCS domain. First, we prepare the UCS domain by installing the “Active Directory Domain Controller” app from the Univention App Center. This app extends UCS with Active Directory functions, so UCS can operate an Active Directory compatible domain controller and Windows clients can log in to the domain. In addition, replication mechanisms synchronize data with other domain controllers.

Setting up an Automatic Account Lockout after Failed Login Attempts

By default, UCS users can enter their password incorrectly any number of times without the system locking the account. To make brute-force attacks on passwords harder, admins can set up an automatic lockout that blocks access to an account after a configurable number of failed attempts. Note the trade-off: anyone who knows a user name can trigger the lockout deliberately, so the threshold should be paired with an automatic unlock time rather than a permanent lock.

Univention Corporate Server offers several methods for authentication and authorization. In this blog article I show how failed login attempts are logged via the PAM stack, OpenLDAP and Samba respectively, and how you as an admin can set a limit on the number of unsuccessful logins.
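To make the lockout semantics concrete, here is an added example (not UCS code and not the configuration the article describes): a small model of a failure counter with a threshold, a counting window and an automatic unlock time, replayed over constructed PAM-style log lines. The limits, user names, hosts and log lines are all hypothetical; UCS sets the real limits through its own configuration. The replay shows the three cases that matter in practice: a user locking herself out (and being rejected even with the right password until the lock expires), an attacker locking a victim out by guessing against her account, and failures spread out in time that never reach the threshold because the window slides.

```python
# Added example (not UCS code): a sliding-window account-lockout model
# replayed over constructed PAM-style log lines. The limits below are
# hypothetical; UCS sets the real ones through its own configuration.
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Failure lines in the pam_unix style; \b keeps "ruser=" from matching.
FAIL_RE = re.compile(r"authentication failure;.*\buser=(?P<user>\S+)")
# Success lines in the sshd "Accepted password" style.
OK_RE = re.compile(r"Accepted password for (?P<user>\S+)")


@dataclass
class LockoutPolicy:
    threshold: int = 5      # failures within `window` that lock the account
    window: int = 600       # seconds over which failures are counted
    unlock_time: int = 900  # seconds after which a lock expires by itself
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _locked_at: dict = field(default_factory=dict)

    def is_locked(self, user, now):
        since = self._locked_at.get(user)
        if since is None:
            return False
        if now - since >= self.unlock_time:     # automatic unlock
            del self._locked_at[user]
            self._failures[user].clear()
            return False
        return True

    def record_failure(self, user, now):
        """Return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        q = self._failures[user]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self._locked_at[user] = now
            return True
        return False

    def record_success(self, user, now):
        """A correct password is still rejected while the lock is active."""
        if self.is_locked(user, now):
            return False
        self._failures[user].clear()
        return True


def replay(lines, policy=None):
    """Feed (timestamp, log line) pairs through the policy; return verdicts."""
    policy = policy or LockoutPolicy()
    events = []
    for ts, line in lines:
        m = FAIL_RE.search(line)
        if m:
            locked = policy.record_failure(m["user"], ts)
            events.append((ts, m["user"], "locked" if locked else "failure"))
            continue
        m = OK_RE.search(line)
        if m:
            ok = policy.record_success(m["user"], ts)
            events.append((ts, m["user"], "allowed" if ok else "rejected-locked"))
    return events


def _fail(user, rhost):
    return ("pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 "
            f"tty=ssh ruser= rhost={rhost} user={user}")


def _ok(user, rhost):
    return f"Accepted password for {user} from {rhost} port 51234 ssh2"


# Constructed sample log (timestamps are seconds on an arbitrary clock).
SAMPLE_LOG = (
    [(1000 + 10 * i, _fail("alice", "10.0.0.5")) for i in range(5)]        # alice locks herself out
    + [(1100, _ok("alice", "10.0.0.5"))]                                   # right password, still locked
    + [(1200 + 10 * i, _fail("carol", "198.51.100.7")) for i in range(5)]  # attacker locks carol out
    + [(1300, _ok("carol", "10.0.0.9"))]                                   # carol's real login is rejected
    + [(1400 + 5 * i, _fail("bob", "10.0.0.6")) for i in range(4)]         # four failures, then a pause
    + [(1950, _ok("alice", "10.0.0.5"))]                                   # alice's lock has expired
    + [(2100, _fail("bob", "10.0.0.6")), (2100, _ok("bob", "10.0.0.6"))]   # window slid: bob not locked
)

if __name__ == "__main__":
    for ts, user, verdict in replay(SAMPLE_LOG):
        print(ts, user, verdict)
```

The carol case is the denial-of-service side of the feature: the attacker at 198.51.100.7 never learns her password but still keeps her out until the unlock time passes. A real deployment should therefore alert on lockouts per source address as well as per account, which the log lines above contain enough information to do.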

Jitsi Meet and the UCS Identity Management

In recent weeks, the increased demand for video conferencing solutions has kept the App Center team busy with the question of how Univention can help companies, organizations and school authorities communicate effectively in digital form without neglecting data protection. We therefore studied various open source video conferencing solutions in depth and quickly published Jitsi Meet as an app in the App Center, where it is now available to UCS users for easy installation.
Jitsi Meet is 100% open source and encrypts all media in transit with DTLS-SRTP; in multi-party conferences the Jitsi Videobridge decrypts and re-encrypts the streams on the server, so this is transport encryption rather than end-to-end encryption. The connection to the UCS directory service via LDAP is preconfigured, so administrators of a UCS environment can grant users access to Jitsi with their regular user name and password from the Univention Management Console (UMC); Jitsi can then be opened directly from the UCS portal. In this blog post I show the most important installation steps and then focus on the different use cases for user authentication: organizations can use Jitsi Meet on Univention Corporate Server (UCS) to control precisely how open access to the app is and which users may conduct video conferences.

Digital Offers for Schools: with Nextcloud, itslearning and Co. through the Corona Crisis – Interview City of Wolfsburg

Mr. Ostendorf, how many schools, students and teachers do you supervise in Wolfsburg?
Being an urban district, our area of responsibility includes 37 schools at 43 different locations. About 1,500 teachers teach a total of 17,000 students at these schools.

Which digital offers are you already using?
We usually have local school server solutions at our schools. We are using iServ at three vocational schools, Logodidact mostly at secondary schools, and we still have the MNSPro solution at primary and a few secondary schools. A pilot project was launched four years ago with a council decision. The aim is to test a concept for the implementation of a cross-school solution that is centrally operated and maintained by the school authorities. With the support of the system house Linet Services GmbH, located in Braunschweig, we implemented an identity management system based on UCS@school at six pilot schools with around 5,000 users in 2017. The digital identities of the teachers and students are stored centrally in the identity management system, and each user has a uniform user name and password. With these, the users have secure and controlled access via RADIUS to the school WiFi, which is rolled out uniformly to all pilot schools. Connected to the IDM of UCS@school, we also operate the learning management solution itslearning.

Register your own Account – new Self Service for SUSE and UCS

In this article I introduce our project for self-registration of users via the UCS Self Service, which we have just implemented for SUSE Software Solutions Germany GmbH and their Bugzilla and openSUSE Build Service (OBS). The OBS platform is mainly used to develop the openSUSE Linux distribution, but it also builds packages for Fedora, Debian GNU/Linux, Ubuntu and, of course, SUSE Linux Enterprise. At the time of writing, the openSUSE Build Service hosts about 26,000 projects and approximately 190,000 packages in 36,000 repositories. About 33,000 developers use the service and have registered an account.

Digital Solutions at Bremerhaven Schools: Interview with Andreas Froberg

Mr. Froberg, how many users are you responsible for in total at the schools in Bremerhaven?

As a local education authority, we provide the IT services and IT infrastructure for almost 20,000 users all told. 18,000 of these are pupils and 1,700 are teaching staff and other employees in our 40 schools.

What digital solutions do you have in your portfolio for the schools right now?

As far as solutions for schools are concerned, Bremerhaven works in close cooperation with the education authority in Bremen and the State Institute for School (LIS). Your UCS and UCS@school solutions have already been in use in the city of Bremen for some time now. When we started thinking about introducing a learning management system in Bremerhaven four years ago, it was only natural to take a look at itslearning – the solution that Bremen had selected the year before. It quickly convinced us, and, like Bremen, we decided on a centralized, interschool concept. That’s why we operate UCS in the BIT computer center and maintain a digital identity with a username and password for each and every user in its directory service. Following the setting up of this directory service, we created a personal work e-mail address for all teaching staff and other employees at the schools. itslearning was also made available for all schools. It was initially employed at all the vocational training schools, for senior classes in the grammar schools, and at some high schools. Since its introduction, we have noticed that use of the solution by both staff and students has increased steadily. In addition, many of the staff in the elementary schools are also using itslearning for organizational purposes. The introduction of the itslearning Sofa Tutor tool, which allows teaching staff to create their own digital learning content, brought with it new impulses.

Interview with Malte Clemens: Digital Offers for Schools, City of Hannover

How many schools with how many students and teachers do you supervise?

99 schools, approx. 47,000 students, approx. 5,000 teachers

Which digital offers are you already using? How do you deploy them?

The state capital of Hanover (LHH) supports the schools in their administrative tasks, such as the maintenance and software equipment of the school secretariats’ computers.
There has never been a comprehensive central IT offering for the classrooms. As a result, a large number of individual solutions have emerged in schools in recent years. The hardware was procured by the LHH, and for support the schools received an IT budget.

Practical Use of the REST API Using the Example of EGroupware

The Univention Directory Manager (UDM) enables access to content in the LDAP directory service, for example viewing, editing, deleting, and moving of objects (users, groups, computers, printers, shares, etc.).
The UDM can be used via both the web interface and the command line. UCS 4.4-2 adds a third option: the REST API. This interface connects applications to the UCS directory service via HTTPS and lets connected systems maintain user properties or computer objects.
This article begins by explaining the technical background of the REST API and its implementation in UCS.
During the implementation of the REST API, an exciting exchange took place between Univention and the developers at EGroupware GmbH in Kaiserslautern, Germany. As a result, EGroupware became the first solution to employ the new interface in the Univention App Center. In the second section of the article, Ralf Becker from EGroupware explains the implementation of the new API and the advantages it offers providers of third-party applications.
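As an added illustration of what a third-party application such as EGroupware does when it talks to the UDM REST API (this is my example, not Univention's or EGroupware's code), the block below creates a user over HTTPS with HTTP Basic authentication and JSON. The base path /univention/udm/, the module path users/user/, the body shape with "position" and "properties", and the JSON error format on HTTP 422 are my assumptions about the API layout and should be checked against the UDM REST API documentation of your UCS version; the host name, service account and the fake transport that stands in for the HTTPS connection are constructed so the example runs offline. Two points a practitioner should carry over: certificate verification stays on, and the credentials belong to a dedicated service account with only the UDM rights the application needs, never to the Administrator account.

```python
# Added example (not Univention or EGroupware code): a minimal client that
# creates a user through the UDM REST API over HTTPS. The endpoint layout,
# body shape and error format below are my assumptions about the API;
# check them against the UDM REST API documentation of your UCS version.
import base64
import io
import json
import ssl
import urllib.error
import urllib.request


class UdmClient:
    """HTTP Basic auth with a dedicated service account, JSON in and out."""

    def __init__(self, base_url, username, password, opener=None, cafile=None):
        self.base_url = base_url.rstrip("/") + "/univention/udm/"   # assumed base path
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {
            "Authorization": "Basic " + token,
            "Accept": "application/json",
            "Content-Type": "application/json",
        }
        if opener is None:
            # Keep certificate verification on: a client that disables it
            # would hand the service-account password to any interceptor.
            ctx = ssl.create_default_context(cafile=cafile)
            opener = urllib.request.build_opener(
                urllib.request.HTTPSHandler(context=ctx)).open
        self._open = opener

    def build_request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        return urllib.request.Request(self.base_url + path, data=data,
                                      method=method, headers=self.headers)

    def _send(self, req):
        """Return (status, decoded JSON); API errors come back the same way."""
        try:
            with self._open(req) as resp:
                return resp.status, json.loads(resp.read() or b"null")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"null")

    def create_user(self, position, username, lastname, password, **extra):
        # Assumed body shape: container DN plus the UDM properties to set.
        props = {"username": username, "lastname": lastname,
                 "password": password, **extra}
        return self._send(self.build_request(
            "POST", "users/user/", {"position": position, "properties": props}))


def fake_transport(req):
    """Constructed stand-in for the HTTPS opener so the example runs offline.
    It accepts the user 'alice' and rejects everything else with a 422 body."""
    class Resp(io.BytesIO):
        status = 201
    if req.get_method() == "POST" and b'"username": "alice"' in req.data:
        return Resp(b'{"dn": "uid=alice,cn=users,dc=example,dc=com"}')
    raise urllib.error.HTTPError(
        req.full_url, 422, "Unprocessable Entity", {},
        io.BytesIO(b'{"error": {"message": "property lastname is required"}}'))


def demo():
    """Create one valid and one invalid user against the fake transport."""
    client = UdmClient("https://ucs.example.com", "svc-egroupware", "hunter2",
                       opener=fake_transport)   # host and account are assumptions
    ok = client.create_user("cn=users,dc=example,dc=com", "alice", "Example", "Pw-Init-9")
    bad = client.create_user("cn=users,dc=example,dc=com", "bob", "", "Pw-Init-9")
    return ok, bad


if __name__ == "__main__":
    print(demo())
```

To run it against a real system, drop the `opener=` argument (the client then builds a verifying HTTPS opener, optionally with `cafile=` pointing at the UCS CA certificate) and replace the assumed host name and service account with your own.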