Migration guide: SimpleSAMLphp/Kopano Konnect to Keycloak#

This document explains the required steps for the migration from the apps SimpleSAMLphp (SAML) and Kopano Konnect (OIDC) as IdP to the app Keycloak.

In future releases of UCS the Keycloak app will replace SimpleSAMLphp and the Kopano Konnect app as the default identity providers in UCS. The reason for this change is that Keycloak has many advantages in terms of functionality, configurability and maintainability (e.g. Keycloak provides OIDC and SAML endpoints in one component) over the alternatives.

This documentation is for system administrators who already operate UCS 5.0, make use of the single sign-on features in UCS and want to update their single sign-on configuration to Keycloak.

It covers the following topics:

  1. Limitations of the Keycloak app

  2. Migration procedure

  3. Samples for migration of SAML and OIDC services

  4. Services validation and troubleshooting


The migration from SimpleSAMLphp to Keycloak is mandatory. SimpleSAMLphp is deprecated and planned for removal in a future version of UCS.

This documentation doesn’t cover the following topics:

  • Detailed information about the usage of the Keycloak app, see Univention Keycloak app documentation [1]

  • Usage of UCS, see UCS 5.0 Manual [2].

To understand this documentation, you need to know the following concepts and tasks:

Your feedback is welcome and highly appreciated. If you have comments, suggestions, or criticism, please send your feedback for document improvement.