Release UCS 4.4-5 brings improvements in Single Sign-on, Self Service, more performance for LDAP and compatibility with Python 3

The release of version 4.4-5 of Univention Corporate Server (UCS) brings a series of technical innovations for the Single Sign-on of users to applications connected to UCS. There are also new functions for the UCS Self Service. Users can now register themselves at a UCS domain via the User Self Service and create a user account, assign a user name and password, and store further information. Performance improvements in the LDAP directory service have accelerated the replication of groups. And in preparation for UCS 5.0, which is scheduled for release at the end of this year, our development department has made more than 45 UCS packages compatible with Python 3. So when you upgrade to UCS 5.0, the corresponding code parts in UCS will run for both Python 2 and Python 3. In addition, we have also published a preview of the new UCS 5 portal as an app in the App Center for testers. It already brings important new technical features such as embedding apps directly into the portal page.

Set up Single Sign-on via SAML for complete groups

UCS system administrators can now assign usage authorization to complete groups for applications that support Single Sign-on via SAML. This greatly simplifies the management of user access for organizations that have many users with different tasks and authorizations for using IT services. Read more about this topic in the blog article Create an SSO Login for Applications to Groups.

For the Single Sign-on connection to the identity management of apps or external services via SAML, it is now also possible to map the user attributes stored in the LDAP directory service to the attribute names expected in SAML claims per application or service using a configurable mapping. For example, the LDAP attribute name for e-mail addresses “mailPrimaryAddress” can be mapped to the attribute name “e-mail” expected by an application. This makes it possible to connect more services via SAML to UCS that expect a fixed set of user attributes for the login via Single Sign-on.

New OpenID Connect Provider integrates authentication of OpenID Connect and SAML

But there are not only innovations for Single Sign-on with SAML. Recently, the Univention App Center has made available an updated version of the OpenID Connect Provider App for integration in UCS which also supports SAML as an authentication backend for OpenID Connect. Thanks to this, users who are logged in to UCS using Single Sign-on via SAML can now also use those applications that authenticate via the OpenID Connect technology without having to log in a second time. No matter which of the two standards – SAML or OpenID Connect – is used by an application for user authentication, Single Sign-on now works across all standards in UCS. Read more on this in the article: Two Standards But One Common Single Sign-on – Integration of SAML and OpenID Connect.

Create your own user account for UCS via User Self Service

From now on, users can create their own user account in UCS via the new User Self Service, edit their profile and login data, and deactivate the account themselves. The UCS system administrators must activate the function for this purpose and can determine which attributes are required for registration and which functions are activated. After self-registration, users only need to verify their e-mail address for registration. Find more about this functionality in the manual and in the blog article Register your own Account – new Self Service for SUSE and UCS.

Performance improvements in the LDAP directory service

In the last few weeks, we have also achieved performance improvements in UCS in terms of handling large user groups. These improvements are especially accelerating the replication of large groups. Thanks to this, changes are more quickly available in the UCS environment and in connected services. The algorithm for establishing a connection to the LDAP directory service for the local resolution of group memberships has been further improved by giving the local LDAP server, e.g. on a UCS domain controller, priority over other LDAP servers. This improves the distribution of the query load among the LDAP servers of a UCS environment and avoids load peaks in UCS@school, e.g. when creating a class exam.

Preparations for UCS 5.0: Step-by-step implementation of package compatibility for Python 3

In preparation for the release of UCS 5.0, we have created compatibility on Python 3 in over 45 packages. By creating Python 3 compatibility step by step, we want to ensure that when you upgrade to UCS 5.0, the corresponding code parts in UCS can be executed for both Python 2 and Python 3.

The new UCS 5 portal: Preview published as an app in the Univention App Center

With the Univention Portal Preview App, administrators of UCS 4.4 can already take a look at the functionality of the new UCS portal, which is scheduled to be available with the release of UCS 5 at the end of this year. This preview should not be used in a productive environment if not assisted by Univention as installation and uninstallation pose a number of technical challenges. An outstanding innovation will be the direct embedding of applications into the portal. The applications open in the portal and users can work with them directly there. The new portal will also bring some usability improvements in navigation and handling. Find more about the Portal Preview in the App Catalog.

Security Updates for Linux, Bind, OpenLDAP, and SAMBA

The UCS release 4.4-5 includes the following security updates:

• Linux Kernel 4.9.210-1
• Bind9 9.10.3.dfsg.P4-12.3
• OpenLDAP 2.4.45
• Samba 4.10.1-1

A overview of the technical updates can be found in the Release Notes.