1. Introduction

This documentation is for system administrators who already operate UCS 5.0 and explains the required steps for the migration from the single sign-on identity provider apps SimpleSAMLphp (SAML) and OpenID Connect Provider to the app Keycloak. The app OpenID Connect Provider uses Kopano Konnect to provide OpenID Connect capability to UCS.

1.1. Notes about UCS 5.2

Starting with UCS 5.2 the Keycloak app replaces the apps SimpleSAMLphp and OpenID Connect Provider as the default identity providers in UCS. The reason for this change is that Keycloak has many advantages in terms of features, configurability, and maintainability over the alternatives, for example, Keycloak provides OIDC and SAML endpoints in one component.

Warning

Migration from SimpleSAMLphp to Keycloak is mandatory before upgrading from UCS 5.0 to UCS 5.2. SimpleSAMLphp and OpenID Connect Provider are deprecated and will be removed in UCS 5.2.

If you use single sign-on for authentication in your UCS domain, read this document, migrate all services to use Keycloak as IdP and complete the migration with the steps in Prepare for the update to UCS 5.2.

If you are absolutely sure that single sign-on for authentication isn’t used in your UCS domain, you can skip the migration part and just prepare your domain for the update to UCS 5.2, following the steps in Prepare for the update to UCS 5.2.

1.2. About this document

This document covers the following topics:

1. Limitations of the Keycloak app

2. Migration procedure

3. Samples for migration of SAML and OIDC services

4. Services validation and troubleshooting

5. Prepare for the update to UCS 5.2

This documentation doesn’t cover the following topics:

• Detailed information about the usage of the Keycloak app, see Univention Keycloak app documentation [1]

• Usage of UCS, see UCS 5.0 Manual [2].

To understand this documentation, you need to know the following concepts and tasks:

• Use and navigate in a remote shell on Debian GNU/Linux derivative Linux distributions like UCS. For more information, see Shell and Basic Commands from The Debian Administrator’s Handbook, Hertzog and Mas [3].

• Installation and Configuration of the app Keycloak as described in Univention Keycloak app documentation [1].

• Know the concepts of SAML (Security Assertion Markup Language) and OIDC (OpenID Connect) and the differences between the two standards.

Your feedback is welcome and highly appreciated. If you have comments, suggestions, or criticism, please send your feedback for document improvement.