As announced, we will introduce Keycloak as the default identity provider (IDP) with UCS 5.2. That raises the question of how long the previous IDP based on SimpleSAMLphp will be supported in UCS. In this article, I explain why we have decided to link the maintenance period of SimpleSAMLphp with that of UCS Release 5.0 and what steps are necessary for existing UCS installations.
Key points summarized:
- Support for the “old” IDP implementation based on SimpleSAMLphp will be discontinued
- Existing UCS installations can already switch to Keycloak as IDP today and would thus be prepared for the upcoming changes early on
- With UCS 5.2 only Keycloak will be available as IDP
- UCS 5.0 will continue to support the existing IDP (SimpleSAMLphp/Kopano Konnect) from Univention until at least the end of 2024
What Happened So Far
UCS has supported web-based single sign-on since the release of UCS 4.1 in 2015 using the SAML implementation “SimpleSAMLphp”, which was later extended to include the OpenID Connect protocol with the optional “Kopano Konnect” application. With the development of UCS 5.0 in 2022, we decided to rely on Keycloak as our future web-based single sign-on software. Keycloak will replace SimpleSAMLphp as the default in UCS with UCS 5.2. Since mid-2023, Keycloak has not only been able to replace all functions of SimpleSAMLphp, but has also come with detailed documentation for migration.
However, it was unclear how long customers would be able to use SimpleSAMLphp with support from Univention.
Maintenance for SimpleSAMLphp at least until End of 2024
SimpleSAMLphp is an integral part of UCS 5.0 and will continue to be supported with all future patch level releases of UCS 5.0. Enterprise customers will continue to receive support for UCS 5.0 for at least one year after the release of the next minor release, UCS 5.2. While work on UCS 5.2 is progressing, we currently anticipate that it will only be released during 2024. Therefore, we will continue to provide security updates and support for UCS 5.0 to our enterprise customers throughout 2024.
However, the ongoing work on the migration and on UCS 5.2 has also shown us that supporting both implementations at the same time will not only result in additional work for Univention and for application vendors, but will also limit the depth of integration and functionality of Keycloak in UCS. We have therefore decided to discontinue support for SimpleSAMLphp and the Kopano Konnect application based on it in UCS 5.2.
What Does This Mean for Existing UCS Installations?
Nothing at first. The installed systems will continue to be supported by Univention until at least the end of 2024, regardless of whether a web single sign-on implementation is used at all and regardless of which implementation is used.
For the upgrade to the next minor release, UCS 5.2, however, it will be necessary to replace SimpleSAMLphp and Kopano Konnect with Keycloak in the UCS domain. Mixed environments with Keycloak and active SimpleSAMLphp are only possible as long as no system has been upgraded to UCS 5.2. We have documented the necessary steps to migrate to Keycloak in a migration guide, which also describes how the migration can be carried out without end users noticing.
Our recommendation is therefore:
- If you currently use UCS with SimpleSAMLphp, please plan to migrate to Keycloak in the next few months.
- If you are setting up new environments with UCS today, use Keycloak from the beginning to connect services via web single sign-on.
For questions about the migration, our enterprise customers can use the support channels, and all users can visit our help forum.