9. Troubleshooting

When you encounter problems with the operation of the Keycloak app, this chapter tells you where to look for information about what is going wrong and how to narrow the problem down.

9.1. SAML assertion lifetime

By default, Keycloak issues SAML assertions that are valid for 300 seconds. Clients must renew them before that time has passed to continue using them. If renewing SAML assertions at such short intervals is too expensive for clients or servers, you can increase the assertion lifetime. Keep in mind that a longer lifetime also lengthens the window in which a stolen assertion can be replayed, so raise it only as far as the service providers actually require.

To change the SAML assertion lifespan of a client:

  1. Open Keycloak Admin Console.

  2. Navigate to UCS realm ‣ Clients.

  3. Select the SAML client by its client ID and open Advanced ‣ Advanced Settings.

  4. Set the appropriate value, for example 1 hour, in the section Assertion Lifespan.

  5. Save your change by clicking on the Save button.
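Once you have saved the new value, the quickest way to confirm that it is in effect is to look at an assertion Keycloak actually issues: the lifespan shows up as the distance between NotBefore and NotOnOrAfter in the assertion's saml:Conditions element. The following script, an added example that is not part of the Keycloak app or of Keycloak itself, measures that window and checks it against the value you configured. The assertion it parses is constructed (issuer, subject, recipient and audience are assumptions); a real one carries a ds:Signature and more attributes, which the parser ignores.

```python
"""Measure the validity window of a SAML assertion.

Added example, not part of the Keycloak app or of Keycloak itself. Decode a
SAMLResponse captured from the browser (base64, then XML) and feed the
saml:Assertion element to assertion_lifetime() to see what lifespan the IdP
actually applied. SAMPLE_ASSERTION is constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: issued at 12:00:00Z with the default 300 second lifespan.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ID_0f5c2b3a" Version="2.0" IssueInstant="2024-01-01T12:00:00.000Z">
  <saml:Issuer>https://sso.example.com/realms/ucs</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00.000Z"
          Recipient="https://portal.example.com/univention/saml/"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00.000Z" NotOnOrAfter="2024-01-01T12:05:00.000Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://portal.example.com/univention/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _parse_ts(value: str) -> datetime:
    """Parse the xs:dateTime form SAML uses (UTC, trailing Z) into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def assertion_lifetime(assertion_xml: str) -> dict:
    """Return issuer, validity bounds and lifetime in seconds of an assertion."""
    root = ET.fromstring(assertion_xml)
    tag = "{%s}Assertion" % NS["saml"]
    assertion = root if root.tag == tag else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not {"NotBefore", "NotOnOrAfter"} <= set(cond.attrib):
        raise ValueError("assertion has no bounded saml:Conditions")
    not_before = _parse_ts(cond.attrib["NotBefore"])
    not_on_or_after = _parse_ts(cond.attrib["NotOnOrAfter"])
    # Bearer confirmation carries its own deadline; it must not outlive the
    # Conditions window, otherwise something rewrote the assertion in transit.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    bearer_deadline = None
    if scd is not None and "NotOnOrAfter" in scd.attrib:
        bearer_deadline = _parse_ts(scd.attrib["NotOnOrAfter"])
    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS),
        "not_before": not_before,
        "not_on_or_after": not_on_or_after,
        "lifetime_seconds": int((not_on_or_after - not_before).total_seconds()),
        "bearer_within_conditions": bearer_deadline is None or bearer_deadline <= not_on_or_after,
    }


def is_valid_at(assertion_xml: str, when: str) -> bool:
    """True if the assertion is inside its window at `when`; NotOnOrAfter is exclusive."""
    info = assertion_lifetime(assertion_xml)
    t = _parse_ts(when)
    return info["not_before"] <= t < info["not_on_or_after"]


def lifetime_is_sane(assertion_xml: str, expected_seconds: int, max_seconds: int = 3600) -> bool:
    """Confirm the configured lifespan took effect and stays under an upper bound:
    every extra second is extra replay window for a stolen assertion."""
    seconds = assertion_lifetime(assertion_xml)["lifetime_seconds"]
    return seconds == expected_seconds and seconds <= max_seconds


if __name__ == "__main__":
    info = assertion_lifetime(SAMPLE_ASSERTION)
    print("issuer:", info["issuer"])
    print("lifetime:", info["lifetime_seconds"], "seconds")
```

Run it against a captured assertion after changing the lifespan: if lifetime_seconds still reports 300, the client you edited is not the one that issued the assertion, or the change was not saved.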

9.2. Log files

The Keycloak app writes logging information to several places.


Contains log information around activities in the App Center.

The App Center writes Keycloak related information to this file when you run app lifecycle tasks such as install, update and uninstall, or when you change the app settings.


Contains log information from join processes. When the App Center installs Keycloak, the app also joins the domain.

Keycloak Docker container

The app uses the vanilla Keycloak Docker image. The App Center runs the container. You can view log information from the Keycloak Docker container with the following command:

$ univention-app logs keycloak

Keycloak Admin Console

Shows event logs under Events in the Manage section. Administrators can view Login Events and Admin Events there, provided that saving of user events and admin events is switched on in the realm's event settings. For more information, see Keycloak Server Administration Guide: Configuring auditing to track events [13].

9.3. Debugging

To get more detailed log information from the Keycloak app, raise the log level, see keycloak/log/level.

This log level only affects the log information that Keycloak itself generates and writes to the Docker logs. The App Center sets the Docker container’s KEYCLOAK_LOGLEVEL environment variable to the value of keycloak/log/level.

9.4. Configuration of single sign-on through external public domain

Administrators may encounter problems when reconfiguring the Univention Management Console and Keycloak for a custom FQDN. This section describes the most common problems that can occur.

9.4.1. Univention Management Console join script failure

During the run of the UMC join script as described in Configuration of UMC as service provider, the join script may fail with error code 3.

This error code means that the join script could not download the SAML metadata from the SAML IdP configured in umc/saml/idp-server. Check manually, for example with your web browser, whether you can reach the metadata at https://$SSO_FQDN/realms/ucs/protocol/saml/descriptor. Once you can load the metadata manually, run the following commands:

# Set the SAML metadata url
$ ucr set umc/saml/idp-server="https://${SSO_FQDN}/realms/ucs/protocol/saml/descriptor"

# Execute the join script again
$ univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst
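Loading the descriptor in a browser only proves that the URL answers; it does not prove that the document is IdP metadata for the host you expect, which is what the join script needs. The following script, an added example that is not part of UCS or the Keycloak app, downloads the descriptor the way the join script does (TLS verified against the system trust store, so certificate and DNS problems surface as exceptions) and checks the EntityDescriptor: it must contain an IDPSSODescriptor, a signing certificate, and only HTTPS endpoints on the SSO FQDN you configured. The sample metadata is constructed; sso.example.com and the certificate placeholder are assumptions.

```python
"""Validate the SAML IdP metadata the UMC join script downloads.

Added example, not part of UCS or the Keycloak app. Run it with the SSO FQDN
as argument to fetch and inspect the live descriptor, or without arguments
to inspect the constructed SAMPLE_METADATA.
"""
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REALM_DESCRIPTOR_PATH = "/realms/ucs/protocol/saml/descriptor"

# Constructed sample, reduced to the elements the check looks at.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sso.example.com/realms/ucs">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>BASE64-CERT-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.example.com/realms/ucs/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.example.com/realms/ucs/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.example.com/realms/ucs/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def descriptor_url(sso_fqdn: str) -> str:
    """The value umc/saml/idp-server should hold for a given SSO FQDN."""
    return "https://%s%s" % (sso_fqdn, REALM_DESCRIPTOR_PATH)


def fetch_metadata(url: str, timeout: float = 10.0) -> bytes:
    """Download the descriptor with certificate verification; a failing TLS
    chain, wrong DNS name or HTTP error raises here instead of hiding behind
    a bare join error code."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


def inspect_metadata(document, sso_fqdn: str) -> dict:
    """Parse an EntityDescriptor and report what the UMC service provider relies on."""
    root = ET.fromstring(document)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor but %s" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor, this is not an IdP")
    sso = idp.findall("md:SingleSignOnService", NS)
    slo = idp.findall("md:SingleLogoutService", NS)
    locations = [e.attrib.get("Location", "") for e in sso + slo]
    hosts = {urlparse(u).hostname for u in locations}
    certs = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        # a KeyDescriptor without "use" serves both signing and encryption
        if kd.attrib.get("use", "signing") == "signing":
            certs += len(kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS))
    return {
        "entity_id": root.attrib.get("entityID", ""),
        "sso_bindings": [e.attrib.get("Binding", "") for e in sso],
        "signing_certs": certs,
        "wants_signed_requests": idp.attrib.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "all_https": bool(locations) and all(urlparse(u).scheme == "https" for u in locations),
        "all_on_sso_fqdn": bool(hosts) and hosts == {sso_fqdn.lower()},
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        fqdn = sys.argv[1]
        doc = fetch_metadata(descriptor_url(fqdn))
    else:
        fqdn, doc = "sso.example.com", SAMPLE_METADATA
    for key, value in inspect_metadata(doc, fqdn).items():
        print("%-22s %s" % (key, value))
```

If all_on_sso_fqdn is False, Keycloak still advertises endpoints on its old hostname and the Keycloak side of the FQDN change is incomplete; if signing_certs is 0, UMC would accept no signed response, so do not proceed with the join script until both are right.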

9.4.2. Single sign-on session not refreshed

After a sign-in to the UCS portal through single sign-on, the portal passively refreshes the user session every five minutes. The passive refresh embeds Keycloak in a hidden frame, so the browser only performs it if the frame-ancestors directive of the Content-Security-Policy header that the Keycloak virtual host in the Apache web server sends lists the origin of the embedding page. If that configuration is incorrect, the passive refresh silently fails for the UCS portal and for other services.

To allow pages served from other origins, for example the portal on its public FQDN, to embed Keycloak, add those origins as a space separated list to the UCR variable keycloak/csp/frame-ancestors.
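Whether the browser lets the hidden frame load depends on how the sources in that list match the embedding page's origin, and the matching rules have some sharp edges: a scheme-less source takes the scheme of the Keycloak page, a source without a port only matches the default port of its scheme, and a wildcard such as *.example.com matches subdomains but not example.com itself. The following script, an added example that is not part of UCS or the Keycloak app, reproduces the browser-side frame-ancestors match for the source forms used in practice ('self', 'none', host, scheme://host:port, wildcard host and port) so you can test a candidate value before setting the UCR variable. All origins in it are assumptions; the value the app actually writes into the Apache configuration may contain further sources of its own.

```python
"""Check which page origins a CSP frame-ancestors source list lets embed Keycloak.

Added example, not part of UCS or the Keycloak app. origin_allowed() takes the
space separated source list (the form keycloak/csp/frame-ancestors uses), the
origin of the page that embeds the frame, and the origin of Keycloak itself,
which 'self' refers to. The matching follows the CSP host-source rules.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def _split_origin(origin: str) -> tuple:
    """Normalise an origin URL into (scheme, host, effective port)."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    return scheme, host, u.port or DEFAULT_PORTS.get(scheme)


def _source_matches(source: str, page: tuple, keycloak: tuple) -> bool:
    src = source.lower()
    if src == "'self'":
        return page == keycloak
    if src.startswith("'"):
        return False  # 'none' or keywords that have no meaning in frame-ancestors
    if src == "*":
        return True
    if "://" in src:
        scheme, rest = src.split("://", 1)
    elif src.endswith(":") and "/" not in src:
        return page[0] == src[:-1]  # scheme-source such as "https:"
    else:
        scheme, rest = None, src
    rest = rest.split("/", 1)[0]  # paths are ignored in frame-ancestors
    host, port_s = rest.rsplit(":", 1) if ":" in rest else (rest, None)
    page_scheme, page_host, page_port = page
    # A scheme-less source inherits the scheme of the protected (Keycloak) page;
    # an https page is also allowed to match an http source.
    if scheme is None:
        scheme = keycloak[0]
    if not (page_scheme == scheme or (scheme == "http" and page_scheme == "https")):
        return False
    if host.startswith("*."):
        if not page_host.endswith(host[1:]):
            return False  # wildcard covers subdomains only, not the bare domain
    elif host != page_host:
        return False
    if port_s is None:
        return page_port == DEFAULT_PORTS.get(page_scheme)
    return port_s == "*" or int(port_s) == page_port


def origin_allowed(frame_ancestors: str, page_origin: str, keycloak_origin: str) -> bool:
    """True if a page at page_origin may put Keycloak into a frame."""
    sources = frame_ancestors.split()
    if not sources or sources == ["'none'"]:
        return False
    page = _split_origin(page_origin)
    keycloak = _split_origin(keycloak_origin)
    return any(_source_matches(s, page, keycloak) for s in sources)


def missing_origins(frame_ancestors: str, page_origins, keycloak_origin: str) -> list:
    """The embedding origins a given source list still blocks."""
    return [o for o in page_origins if not origin_allowed(frame_ancestors, o, keycloak_origin)]


if __name__ == "__main__":
    # Constructed scenario: Keycloak on its own FQDN, portal reachable internally and publicly.
    keycloak = "https://sso.example.com"
    portals = ["https://portal.example.com", "https://portal.example.org:8443"]
    candidate = "'self' https://portal.example.com"
    print("blocked by %r: %s" % (candidate, missing_origins(candidate, portals, keycloak)))
```

Feed the script every origin users actually type into their browsers, including any non-default port: an origin that shows up as blocked is one for which the passive refresh will never run, and the session will expire after the next timeout even though the user is still on the page.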



To test this behavior, use a private or incognito window in your web browser, so that cookies and cached responses from earlier attempts do not mask the result.