7. Requirements and limitations#

To ensure a smooth operation of the Keycloak app on UCS, administrators need to know the following requirements and limitations:

7.1. User federation and synchronization#

The app configures a user federation in the realm UCS. Don’t remove the user federation or Keycloak won’t be able to resolve users anymore.

The configured user federation in the realm UCS doesn’t synchronize the user accounts from the UCS LDAP to Keycloak. For more information, see Design decisions.

7.2. Installation on UCS#

The App Center installs the app Keycloak on a UCS 5.0-x Primary Directory Node or Backup Directory Node in your UCS environment, see Installation. The app is suitable for production use in UCS domains. Administrators need to keep in mind, other apps may be unable to authenticate users through SAML without manual reconfiguration.

Administrators need to take care with experiments that involve the reconfiguration, for example, of UMC, and other services to use Keycloak. The experiments may have undesired results. In particular, when you change the UCR variable umc/saml/idp-server to point to your Keycloak installation and restart the LDAP server, the LDAP server doesn’t accept SAML tickets any longer that the simpleSAMLphp based identity provider issued. So users find their existing sessions invalidated.

7.3. No user activation for SAML#

In the Users UMC module, the user account’s SAML settings at Account ‣ SAML settings don’t require anymore that administrators activate identity providers for user accounts. Therefore, any user account can use SAML for single sign-on. The behavior is the same as for the OIDC capability before through the OpenID Connect Provider app.

7.4. Password restriction#

Keycloak offers a password policies feature, see Keycloak Server Administration Guide: Password policies [11]. Because of the user federation with UCS, see Design decisions, Keycloak doesn’t manage the users credentials.

UCS takes care of password policy definition and enforcement. For more information, see LDAP directory in UCS 5.0 Manual [2].

7.5. Application clients#

Keycloak offers the possibility to create SAML or OIDC clients using the command line tool univention-keycloak. Administrators can adjust the generic client configuration, if they need a specific configuration. In this case you can use the Keycloak Admin Console.