Forward from legacy SimpleSAMLphp to Keycloak

3.4. Forward from legacy SimpleSAMLphp to Keycloak

This section describes single sign-on between services that already use Keycloak and other services that still use SimpleSAMLphp. This configuration can serve as a temporary solution for environments with many services to migrate, where single sign-on between all services must remain available for the duration of the migration. Keep in mind that the outlined setup is only a short-term solution for your environment until all clients have completed the migration to Keycloak.

Important

This setup is only relevant if single sign-on between migrated and not yet migrated services is needed during the migration. Future releases will not support this setup.

  1. Download the Keycloak IdP’s signing certificate for SAML communication and save it to the local file /etc/ssl/certs/ucs-sso-ng.keycloak-signing.pem:

    Listing 3.14 Download Keycloak certificate
    $ univention-keycloak saml/idp/cert get \
    --as-pem \
    --output /etc/ssl/certs/ucs-sso-ng.keycloak-signing.pem
    
  2. Create a client for SimpleSAMLphp in Keycloak:

    Listing 3.15 Create client for SimpleSAMLphp
    $ univention-keycloak saml/sp create \
    --umc-uid-mapper \
    --metadata-url \
    "https://${ucs_sso_fqdn}/simplesamlphp/module.php/saml/sp/metadata.php/default-sp" \
    --valid-redirect-uris \
    "https://${ucs_sso_fqdn}/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"
    
  3. Change the default provider from univention-ldap to default-sp:

    Listing 3.16 Change default provider
    $ ucr set saml/idp/authsource=default-sp
    
  4. Create a remote IdP for Keycloak in SimpleSAMLphp:

    Listing 3.17 Create remote IdP for Keycloak in SimpleSAMLphp
    $ kc_provider=$(univention-keycloak get-keycloak-base-url)
    $ cat <<EOF > /etc/simplesamlphp/metadata/saml20-idp-remote.php
    <?php
    \$metadata['https://${kc_provider}/realms/ucs'] = [
      'SingleSignOnService'  => '${kc_provider}/realms/ucs/protocol/saml',
      'SingleLogoutService'  => '${kc_provider}/realms/ucs/protocol/saml',
      // Signing certificate downloaded in step 1 (looked up in /etc/ssl/certs)
      'certificate'          => 'ucs-sso-ng.keycloak-signing.pem',
      'authproc' => array(
        50 => array(
          // Copy the uid attribute (OID 0.9.2342.19200300.100.1.1) to 'uid'
          'class' => 'core:AttributeCopy',
          'urn:oid:0.9.2342.19200300.100.1.1' => 'uid',
        ),
      ),
    ];
    EOF
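As an added check that is not part of this manual, the following Python compares the certificate saved in step 1 against the signing certificates Keycloak publishes in its SAML IdP descriptor (for the setup above, `${kc_provider}/realms/ucs/protocol/saml/descriptor`), so a stale or wrong local copy is noticed before SimpleSAMLphp trusts it. The sample PEM and descriptor below are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def pem_to_der(pem_text: str) -> bytes:
    """DER bytes of the first CERTIFICATE block in a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def signing_certs(descriptor_xml: str) -> list[bytes]:
    """DER bytes of every signing certificate in a SAML IdP metadata descriptor."""
    certs = []
    for kd in ET.fromstring(descriptor_xml).iterfind(
            ".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means any use
            continue
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((c.text or "").split())))
    return certs


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def local_cert_is_published(pem_text: str, descriptor_xml: str) -> bool:
    """True when the local PEM matches a signing certificate the IdP publishes."""
    published = {fingerprint(d) for d in signing_certs(descriptor_xml)}
    return fingerprint(pem_to_der(pem_text)) in published


def to_pem(b64: str) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample data: opaque bytes standing in for real DER certificates.
SIGNING_B64 = base64.b64encode(b"constructed-current-signing-cert").decode()
ENC_B64 = base64.b64encode(b"constructed-encryption-cert").decode()
SAMPLE_PEM = to_pem(SIGNING_B64)                                  # matches descriptor
STALE_PEM = to_pem(base64.b64encode(b"constructed-old-cert").decode())  # outdated copy
SAMPLE_DESCRIPTOR = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://ucs-sso-ng.example.com/realms/ucs"><md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{SIGNING_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{ENC_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
</md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Against a live system, feed it the contents of /etc/ssl/certs/ucs-sso-ng.keycloak-signing.pem and the descriptor XML fetched from the realm; a False result means step 1 must be repeated before the remote IdP in Listing 3.17 will validate Keycloak's signatures.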