Migration guide: SimpleSAMLPHP to Keycloak

Download PDF

Services using OIDC

Contents

4.2. Services using OIDC#

The following examples demonstrate the migration of services that use OIDC for authentication and OpenID Connect Provider as IdP to Keycloak as IdP.

4.2.1. ownCloud#

This section is about the migration of the ownCloud app to use Keycloak as OIDC Provider for authentication. It assumes that your environment meets the following requirements:

  • The configuration of the app ownCloud is complete and done.

  • The OIDC sign-in for ownCloud works with OpenID Connect Provider as OIDC Provider.

  • The UCS domain has the latest version of the app Keycloak installed.

To setup ownCloud for OIDC with Keycloak use the following steps:

  1. To obtain the necessary information such as clientsecret and redirectURI, run the following command on the UCS Primary Directory Node. You need the values to create the OIDC RP, the client, in the next step.

    Listing 4.16 Get current settings for the ownCloud OIDC client#
    $ udm oidc/rpservice list --filter name=owncloud
  DN: cn=owncloud,cn=oidc,cn=univention,dc=...
    applicationtype: web
    clientid: owncloud
    clientsecret: -> copy this value
    insecure: None
    name: owncloud
    redirectURI: -> copy this value
    trusted: yes

    Look for the values of clientsecret and redirectURI and copy them, for example, into a temporary text file.

  2. To create the OIDC RP, the client, for ownCloud in Keycloak, run the following commands on the UCS system that has Keycloak installed. Replace clientsecret and redirectURI with the values for these settings in Listing 4.16 from the previous step.

    Listing 4.17 Create OIDC client for ownCloud in Keycloak#
    $ CLIENT_SECRET="REPLACE WITH clientsecret"
$ REDIRECT_URI="REPLACE WITH redirectURI"
$ univention-keycloak oidc/rp create \
   --client-secret "$CLIENT_SECRET" \
   --app-url "$REDIRECT_URI" owncloud

  3. To obtain the base URL of your Keycloak server, run the following command on the UCS system that has it installed:

    Listing 4.18 Obtain Keycloak base URL#
    $ univention-keycloak get-keycloak-base-url

    Replace SSO_URL in the following step with this value.

  4. Change the IdP setting in ownCloud. Run the following command on the UCS system that has ownCloud installed:

    Listing 4.19 Change IDP settings in ownCloud#
    $ SSO_URL="REPLACE WITH SSO_URL"
$ univention-app configure owncloud \
  --set OWNCLOUD_OPENID_PROVIDER_URL="$SSO_URL/realms/ucs"

To validate the setup, visit the sign-in page of your ownCloud app and initiate a single sign-on. ownCloud redirects you to Keycloak for authentication. You can use ownCloud after authentication.

See also

ownCloud

in Univention App Catalog

On this page