4. Requirements and limitations
To ensure smooth operation of the Keycloak app on UCS, administrators need to know the following requirements and limitations:
4.1. User federation and synchronization
The app configures a user federation in the realm UCS. Don’t remove the user federation or Keycloak won’t be able to resolve users anymore.
The configured user federation in the realm UCS doesn’t synchronize the user accounts from the UCS LDAP to Keycloak. For more information, see Design decisions.
4.2. Installation on Primary Directory Node
The App Center installs the Keycloak app only on a Primary Directory Node in your UCS environment, see Installation. The app is therefore not suitable for production use in UCS domains that have Backup Directory Nodes.
Use the Keycloak app only in a UCS environment without Backup Directory Nodes, because otherwise:
Users may encounter sign-in problems at the UCS management system on other UCS systems.
Other apps may not be able to authenticate users through SAML without manual interaction.
The installation itself might not break anything in production. However, experiments with reconfiguring services such as UMC to use Keycloak may have undesired results, in particular when you change the UCR variable umc/saml/idp-server to point to your Keycloak installation. After you restart it, the LDAP server will not recognize SAML tickets that the simpleSAMLphp-based identity provider issued, and users will experience invalidation of their existing sessions.
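The following pre-flight script is an added example and not part of the Univention documentation or the app itself. It encodes the two requirements of this section as a check an administrator can run before installing: the host must be a Primary Directory Node (the assumption here is that ucr get server/role reports domaincontroller_master) and the domain should contain no Backup Directory Nodes (assumed to be listable with udm computers/domaincontroller_backup list, which prints one "DN:" line per object). It also prints the current value of umc/saml/idp-server so that an accidental redirection of UMC to Keycloak is noticed before, not after, a restart. The decision logic is kept in a pure function so it can be exercised without a UCS system.

```shell
#!/bin/sh
# Added pre-flight check (not part of the Univention documentation or the
# Keycloak app). Assumptions: the ucr and udm commands of a UCS host are on
# the PATH, "ucr get server/role" yields domaincontroller_master on a Primary
# Directory Node, and "udm computers/domaincontroller_backup list" prints one
# "DN: ..." line per Backup Directory Node.

# keycloak_preflight ROLE BACKUP_COUNT
# Pure decision function: prints findings and returns 0 when the environment
# meets the documented requirements, 1 otherwise.
keycloak_preflight() {
    role="$1"
    backups="$2"
    ok=0
    if [ "$role" != "domaincontroller_master" ]; then
        echo "FAIL: server role is '$role'; the app installs only on a Primary Directory Node"
        ok=1
    fi
    if [ "$backups" -gt 0 ]; then
        echo "FAIL: $backups Backup Directory Node(s) found; sign-in and SAML may break on them"
        ok=1
    fi
    [ "$ok" -eq 0 ] && echo "OK: Primary Directory Node, no Backup Directory Nodes"
    return "$ok"
}

# gather_and_check: reads the live values with ucr and udm and feeds them to
# keycloak_preflight. Only meaningful on a UCS host.
gather_and_check() {
    role="$(ucr get server/role)"
    # grep -c prints 0 (and exits 1) when nothing matches; keep the 0.
    backups="$(udm computers/domaincontroller_backup list | grep -c '^DN:' || true)"
    echo "umc/saml/idp-server = $(ucr get umc/saml/idp-server)"
    keycloak_preflight "$role" "$backups"
}

# Run the live check only when saved as keycloak_preflight.sh and executed on
# a host that actually has ucr; sourcing the file just defines the functions.
if [ "${0##*/}" = "keycloak_preflight.sh" ] && command -v ucr >/dev/null 2>&1; then
    gather_and_check
fi
```

Save the script as keycloak_preflight.sh and run it as root on the node where you intend to install the app; a non-zero exit status means at least one documented requirement is not met.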
4.3. No user activation for SAML
In the Users UMC module, the user account's SAML settings no longer require that administrators activate identity providers for user accounts. Therefore, any user account can use SAML for single sign-on. The behavior is the same as the OIDC capability previously provided through the Kopano Connect app.
4.4. Password restriction
Keycloak offers a password policies feature, see Keycloak Server Administration Guide: Password policies [6]. Because of the user federation with UCS, see Design decisions, Keycloak doesn't manage the users' credentials.
UCS takes care of password policy definition and enforcement. For more information, see LDAP directory in the UCS 5.0 Manual [2].