Migration guide: SimpleSAMLphp/Kopano Konnect to Keycloak#
This document explains the required steps for the migration from the apps SimpleSAMLphp (SAML) and Kopano Konnect (OIDC) as IdP to the app Keycloak.
In future releases of UCS the Keycloak app will replace SimpleSAMLphp and the Kopano Konnect app as the default identity providers in UCS. The reason for this change is that Keycloak has many advantages in terms of functionality, configurability and maintainability (e.g. Keycloak provides OIDC and SAML endpoints in one component) over the alternatives.
This documentation is for system administrators who already operate UCS 5.0, make use of the single sign-on features in UCS and want to update their single sign-on configuration to Keycloak.
It covers the following topics:
Warning
The migration from SimpleSAMLphp to Keycloak is mandatory. SimpleSAMLphp is deprecated and planned for removal in a future version of UCS.
This documentation doesn’t cover the following topics:
Detailed information about the usage of the Keycloak app, see Univention Keycloak app documentation [1]
Usage of UCS, see UCS 5.0 Manual [2].
To understand this documentation, you need to know the following concepts and tasks:
Use and navigate in a remote shell on Debian GNU/Linux derivative Linux distributions like UCS. For more information, see Shell and Basic Commands from The Debian Administrator’s Handbook, Hertzog and Mas [3].
Installation and Configuration of the app Keycloak as described in Univention Keycloak app documentation [1].
Know the concepts of SAML (Security Assertion Markup Language) and OIDC (OpenID Connect) and the differences between the two standards.
Your feedback is welcome and highly appreciated. If you have comments, suggestions, or criticism, please send your feedback for document improvement.