With UCS 5.2 Keycloak will become the standard IDP for SAML and OpenID Connect authentication and will replace the current SimpleSAMLPHP and Kopano Connect apps. Read more about the big picture in our blog article Migration of the Identity Provider in UCS – Keycloak App now Part of the Support Scope. The first step we made was the release of Keycloak as a supported Univention app at the end of 2022. Since then, a lot of work has been done to make the Keycloak app a worthy replacement for the SimpleSAMLphp integration.
So we are making steady progress on our mission to reach feature parity with our SimpleSAMLphp integration. Since the initial release of the Keycloak app, we have also shipped several app updates, each adding features for a smoother integration into UCS and more configurability.
In this article, we would like to showcase some of the work that has been done over the last few months.
Single Sign-on through External Public Domain Name and Let’s Encrypt Integration
By default, the UCS Keycloak app uses an internal name for the Single Sign-on endpoint. For administrators who want Single Sign-on availability from the internet, we have added app settings and documentation that allow them to freely choose the name of the Keycloak endpoint.
A common scenario is to have the Keycloak server running on a different name than the UCS portal:
- portal.extern.com -> UCS Portal
- auth.extern.com -> Keycloak Single Sign-on endpoint
There are two preconditions for this setup: a public DNS record for the name of the Keycloak server, and a valid certificate for that server name. Once both are available, you can configure the setup with the following app settings, either on the command line or through the UMC app settings of the Keycloak app.
- keycloak/server/sso/fqdn → auth.extern.com
- keycloak/server/sso/autoregistration → false
- keycloak/apache2/ssl/certificate → /path/to/certificate/for/auth.extern.com
- keycloak/apache2/ssl/key → /path/to/private/key/for/auth.extern.com
- keycloak/csp/frame-ancestors → https://*.extern.com
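Before applying those settings, it is worth running a short pre-flight that verifies the two preconditions (DNS record, certificate valid for the name and matching its key) and the CSP value. The POSIX shell script below is an added example, not code from the article or the Keycloak app: the helper names and the certificate paths in the final comment are assumptions; the setting keys and values are the ones listed above, applied through `univention-app configure --set`.

```shell
#!/bin/sh
# Pre-flight for the external SSO name setup above. Added example, not from the
# article or the Keycloak app; helper names and the sample paths are assumed.

# 0 if the certificate's public key matches the private key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the certificate is issued for the SSO host name (SAN, or CN as fallback).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q ' does match '
}

# 0 if the CSP frame-ancestors value is an https origin (optional wildcard label).
valid_frame_ancestor() {
    printf '%s\n' "$1" | grep -Eq '^https://(\*\.)?[A-Za-z0-9.-]+$'
}

# Print the command that applies the five app settings (printed, not executed).
configure_command() {
    printf 'univention-app configure keycloak'
    printf ' --set %s' \
        "keycloak/server/sso/fqdn=$1" \
        "keycloak/server/sso/autoregistration=false" \
        "keycloak/apache2/ssl/certificate=$2" \
        "keycloak/apache2/ssl/key=$3" \
        "keycloak/csp/frame-ancestors=$4"
    printf '\n'
}

# Run all checks; print the configure command only if every one of them passes.
preflight() {
    fqdn=$1; cert=$2; key=$3; ancestors=$4; ok=0
    getent hosts "$fqdn" >/dev/null 2>&1 || { echo "no DNS record for $fqdn" >&2; ok=1; }
    cert_matches_key "$cert" "$key" || { echo "certificate and key do not match" >&2; ok=1; }
    cert_covers_host "$cert" "$fqdn" || { echo "certificate is not valid for $fqdn" >&2; ok=1; }
    valid_frame_ancestor "$ancestors" || { echo "frame-ancestors must be an https origin" >&2; ok=1; }
    [ "$ok" -eq 0 ] && configure_command "$fqdn" "$cert" "$key" "$ancestors"
}

# Example invocation with the article's names and assumed certificate paths:
# preflight auth.extern.com /etc/ssl/auth.extern.com.crt /etc/ssl/auth.extern.com.key 'https://*.extern.com'
```

Pipe the printed command into `sh` only after reviewing it; the pre-flight deliberately never applies settings itself.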