3.4. Forward from legacy SimpleSAMLphp to Keycloak#
This section is about single sign-on between services that already use Keycloak and other services that still use SimpleSAMLphp. This configuration can be a temporary solution for environments which have a lot of services to migrate, and where single sign-on between all services needs to be available during the time of the migration. Keep in mind, that the outlined setup is only a short-term solution for your environment until all clients completed the migration to Keycloak.
Important
This setup is only important if single sign-on between migrated and not migrated services is needed during the time of the migration. Future releases will not support this setup.
Download the Keycloak IdP’s signing certificate for SAML communication and save it to the local file
/etc/ssl/certs/ucs-sso-ng.keycloak-signing.pem:$ univention-keycloak saml/idp/cert get \ --as-pem \ --output /etc/ssl/certs/ucs-sso-ng.keycloak-signing.pem
Create a client for SimpleSAMLphp in Keycloak:
$ univention-keycloak saml/sp create \ --umc-uid-mapper \ --metadata-url \ "https://${ucs_sso_fqdn}/simplesamlphp/module.php/saml/sp/metadata.php/default-sp" \ --valid-redirect-uris \ "https://${ucs_sso_fqdn}/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"
Change the default provider from
univention-ldaptodefault-sp:$ ucr set saml/idp/authsource=default-sp
Create a remote IdP for Keycloak in SimpleSAMLphp:
$ kc_provider=$(univention-keycloak get-keycloak-base-url) $ cat <<EOF > /etc/simplesamlphp/metadata/saml20-idp-remote.php <?php \$metadata['https://${kc_provider}/realms/ucs'] = [ 'SingleSignOnService' => '${kc_provider}/realms/ucs/protocol/saml', 'SingleLogoutService' => '${kc_provider}/realms/ucs/protocol/saml', 'certificate' => 'ucs-sso-ng.keycloak-signing.pem', 'authproc' => array( 50 => array( 'class' => 'core:AttributeCopy', 'urn:oid:0.9.2342.19200300.100.1.1' => 'uid', ), ), ]; EOF