9. Troubleshooting#

When you encounter problems with the operation of the Keycloak app, this chapter provides information where you can look closer into and to get an impression about what is going wrong.

9.1. Log files#

The Keycloak app produces different logging information in different places.

/var/log/univention/appcenter.log

Contains log information around activities in the App Center.

The App Center writes Keycloak relevant information to this file, when you run app lifecycle tasks like install, update and uninstall or when you change the app settings.

/var/log/univention/join.log

Contains log information from join processes. When the App Center installs Keycloak, the app also joins the domain.

Keycloak Docker container

The app uses the vanilla Keycloak Docker image. The App Center runs the container. You can view log information from the Keycloak Docker container with the following command:

$ univention-app logs keycloak
Keycloak Admin Console

Offers to view event logs in Events in the Manage section. Administrators can see Login Events and Admin Events. For more information, see Keycloak Server Administration Guide: Configuring auditing to track events [15].

9.2. Debugging#

To increase the log level for more log information for the Keycloak app, see keycloak/log/level.

This log level only affects the log information that Keycloak itself generates and writes to the Docker logs. The App Center sets the Docker container’s KEYCLOAK_LOGLEVEL environment variable to the value of keycloak/log/level.

9.3. Configuration of single sign-on through external public domain#

Administrators may encounter some problems when reconfiguring of the Univention Management Console and Keycloak for a custom FQDN. This section describes the most common problems that may occur.

9.3.1. Univention Management Console join script failure#

During the run of the UMC join script as described in Configuration of UMC as service provider, the join script may fail with the error code 3.

During the script run, the join script downloads the SAML metadata from the SAML IDP specified in umc/saml/idp-server. The download was unsuccessful. Check manually, for example with your web browser, if you can reach the metadata at https://$SSO_FQDN/realms/ucs/protocol/saml/descriptor. After you can load the metadata manually, run the following commands:

# Set the SAML metadata url
$ ucr set umc/saml/idp-server="https://${SSO_FQDN}/realms/ucs/protocol/saml/descriptor"

# Execute the join script again
$ univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst

9.3.2. Single sign-on session not refreshed#

After a sign-in to the UCS portal through single sign-on, the portal passively refreshes the user session every five minutes. If the configuration of the Keycloak virtual host in the Apache web server is incorrect, the passive refresh doesn’t work for the UCS portal or other services.

To allow external connections to Keycloak, you need to add the sources as space separated list to the UCR variable keycloak/csp/frame-ancestors.

Tip

Recommendation

To test this behavior, use a private or incognito session in your web browser.