7.2. Configure Nubus for UCS
This section covers the configuration steps in Nubus for UCS to allow administrators to access the Management UI using federated authentication.
Because federated users don’t exist as normal user objects in Nubus, you must configure additional settings to ensure that these accounts can access the Management UI and that you can store the corresponding federated account objects in the LDAP directory service.
7.2.1. UMC permissions for federated accounts
As described in Limits and known issues, the Management UI doesn’t support delegative administration directly. Therefore, you must grant federated accounts the required UMC permissions through a policy.
To achieve this, you store all federated account objects in a dedicated LDAP container and apply a UMC policy to this container.
1. Create a container object of type container/cn with the name federated_accounts at the position cn=univention,ldap_base. This container serves two purposes:
   - It provides a dedicated location for federated account objects.
   - It grants UMC frontend permissions through the attached UMC policy.
2. Create a policies/umc policy that allows access to all management modules:
   - Configure the policy to allow the UMC operation set udm-all.
   - Link the policy to the federated_accounts container.
See also
- Policies module in Nubus Manual 1.x [5] for information about the Policy management module in the Management UI.
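The two steps above, scripted with the udm command-line interface and followed by a check that the policy reference landed on the container. This is an added example, not part of the Nubus manual: the policy name, the UMC policy position (cn=UMC,cn=policies,<base>) and the operation-set position (cn=operations,cn=UMC,cn=univention,<base>) are assumptions based on the default UCS directory layout and should be confirmed in your own directory.

```shell
#!/bin/sh
# Added example (not from the Nubus manual): script Section 7.2.1 with udm.
# Assumed: default UCS positions for UMC policies and operation sets, and a
# policy name chosen here; the manual prescribes neither.

CONTAINER_NAME="federated_accounts"
POLICY_NAME="federated-accounts-umc"   # assumed name, pick your own

# DN builders: the LDAP base is passed in so every step uses the same value.
container_dn() { printf 'cn=%s,cn=univention,%s' "$CONTAINER_NAME" "$1"; }
policy_dn()    { printf 'cn=%s,cn=UMC,cn=policies,%s' "$POLICY_NAME" "$1"; }
opset_dn()     { printf 'cn=udm-all,cn=operations,cn=UMC,cn=univention,%s' "$1"; }

# Step 1: dedicated container for federated account objects.
create_container() {
  udm container/cn create \
    --position "cn=univention,$1" \
    --set name="$CONTAINER_NAME"
}

# Step 2: UMC policy that allows only the udm-all operation set.
create_policy() {
  udm policies/umc create \
    --position "cn=UMC,cn=policies,$1" \
    --set name="$POLICY_NAME" \
    --append allow="$(opset_dn "$1")"
}

# Step 3: attach the policy to the container.
link_policy() {
  udm container/cn modify \
    --dn "$(container_dn "$1")" \
    --policy-reference "$(policy_dn "$1")"
}

# Check: the container's univentionPolicyReference must name the policy.
verify_link() {
  univention-ldapsearch -LLL -s base -b "$(container_dn "$1")" univentionPolicyReference \
    | grep -q "$(policy_dn "$1")"
}

main() {
  base="$(ucr get ldap/base)"
  create_container "$base" && create_policy "$base" && link_policy "$base"
  verify_link "$base" && echo "UMC policy linked to $(container_dn "$base")"
}

# Runs only when invoked with "run"; otherwise the functions can be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```

Re-run verify_link after any later change to the container: if the reference disappears, federated accounts silently lose all UMC module access.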
7.2.2. Enable federated account support in LDAP
To allow Nubus to authenticate federated accounts, you must enable support for federated authorization identities in the LDAP server configuration.
Run the command in Listing 7.1 on all LDAP servers in your environment. This configuration activates the authorization mapping that allows the LDAP server to accept federated accounts that the identity provider authenticates.
$ ucr set ldap/authz-regexp/federated-accounts=yes
$ systemctl restart slapd
7.2.3. Keycloak and single sign-on in the Management UI
Federated authentication relies on OpenID Connect authentication through Keycloak. Therefore, you must install and configure the following components:
- The Keycloak app in Nubus for UCS
- Single sign-on in the Management UI using OIDC
For detailed instructions, see OpenID Connect for single sign-on in Univention Corporate Server - Operation Manual [6]. After completing these steps, Nubus can accept federated identities from the upstream identity provider.