I would like to look ahead to UCS Release 5.2. And yes, that is right: we will release UCS 5.2 and not, as you might otherwise expect, UCS 5.1. Let me briefly explain the reasons for this below.
The Technical Basis of UCS: Debian
You probably know that the proven operating system Debian GNU/Linux, which is known for its stability, security, versatility and good package management, forms the technical basis of UCS. Debian major releases usually appear about every two years. For the maintenance and further development of UCS, this means that we update the Debian base of our UCS versions at regular intervals so that UCS can also benefit from its new features and security updates.
The current UCS 5.0 release uses Debian 10, called “Buster”, which was released back in 2019. Meanwhile, with Debian 11, called “Bullseye”, a new Debian version was delivered in 2021. And with Debian 12, called “Bookworm”, the next version is to be released this summer.
Why the Leap to UCS 5.2
Since the current version of UCS 5.0 uses Debian 10, switching to Debian 11 with the next minor release of UCS would be the obvious choice for adopting the latest Debian version, including all its security updates and bug fixes, as a reliable base for UCS. However, Debian 12 is already scheduled for release this summer. We therefore decided to switch directly to this version, allowing all UCS users to benefit from its latest changes.
From a technical point of view, however, skipping a version is not easily done. In a proof of concept, our development team examined which approach is technically the cleanest, safest and most convenient for UCS users. We decided to upgrade UCS in two steps: first from Debian 10 to Debian 11, and then directly on to Debian 12. This “intermediate step” runs automatically during the update from UCS 5.0 to 5.2 and causes no additional effort for UCS users. It is also the reason why there will be no UCS 5.1 release: you will update straight to UCS 5.2.
The Second Important New Feature of UCS 5.2: Keycloak
Besides the update to the latest Debian version, establishing Keycloak as the default identity provider (IDP) is the second fundamental innovation in UCS 5.2. A first version of Keycloak has been available for download in the App Center since last year, and we have continued to develop the app step by step since then. With UCS 5.2, the complete planned feature set for Keycloak will be available.
This includes the following functions:
- Single sign-on via SAML and OpenID Connect
- Redundant operation on multiple UCS instances
- Integrated 2-factor authentication (OTP)
- Identity Federation for external IDPs and their service providers (this may be published as an update after the release of UCS 5.2)
- Identity Federation to provide service providers on UCS for external IDPs
- Single sign-on with Kerberos for workstations in UCS Kerberos/Samba domains
- Configurable login mask (theme, links)
- User guidance for expired passwords and for on-boarding after registration in self service
A more detailed description of the features can be found in the UCS documentation.
New installations of UCS 5.2 will have Keycloak installed as the default IDP. In UCS 5.0, the IDP was SimpleSAMLphp. We are currently extending the documentation for the migration from SimpleSAMLphp and will then decide in which release we remove SimpleSAMLphp completely. We will communicate the details in a separate blog article in the coming months.
Other important new features planned for UCS 5.2:
- Completion of the migration from Python 2 to Python 3
- Upgrade to OpenLDAP 2.5
- Various user interface improvements
- and more
As usual, we will publish the detailed changes in release notes for UCS 5.2 and inform you about them in our newsletter and on our blog.
You are welcome, as always, to leave your feedback and questions in the comment section of this blog article.
Update from July 04, 2023: The article has been adjusted to avoid misunderstandings. The extended 2FA functionality via privacyIDEA is provided in cooperation with NetKnights GmbH and is therefore not part of the standard scope of UCS. It has been removed from the list of functionality provided by Univention.