3. Migration procedure
Keycloak replaces SimpleSAMLphp and the app OpenID Connect Provider as SAML IdP and OIDC provider in a future release of UCS. This section provides a general overview of the migration steps and the considerations to make before migrating. This migration guide focuses exclusively on UCS 5.0.
Before the migration can take place, please keep in mind:
You can migrate services step by step.
The migration is a manual process.
Create a backup of the current single sign-on configuration of your services before the migration, so that you can roll back in case a problem occurs.
SimpleSAMLphp and OpenID Connect Provider still work even if you installed Keycloak.
After you migrated a service, existing user sessions become invalid. Users have to sign in to the migrated service again.
The migration of one or multiple services always includes at least the following steps:
The installation and configuration of the Keycloak app. For a detailed description, see Installation in the Univention Keycloak app documentation [1].
The creation of an OIDC relying party (RP) or SAML service provider (SP), referred to as clients in this document, in Keycloak for each service. For more information about how to create those clients, refer to Migration of services using OIDC for authentication and Migration of services using SAML for authentication.
The update of the single sign-on configuration of the services to use Keycloak as IdP. Have a look at the examples in Samples for migration of SAML and OIDC services.
The verification that single sign-on works with Keycloak as IdP.
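The backup and verification steps above, as an added shell example that is not part of the Univention documentation or the Keycloak app. It packs the legacy configuration paths you pass it into a timestamped tarball, records the UCR variables that mention SAML, OIDC or Keycloak, and builds the two Keycloak endpoints a migrated service must be able to reach: the OIDC discovery document and the SAML IdP descriptor. The hostname ucs-sso-ng.example.com, the realm name ucs and the legacy configuration paths are assumptions; replace them with the values of your installation.

```shell
#!/bin/sh
# Added example, not from the Univention documentation. Hostname, realm and
# legacy configuration paths below are assumptions; adjust them to your domain.
set -eu

# Assumed defaults for a UCS 5.0 domain with the Keycloak app installed.
KEYCLOAK_BASE="${KEYCLOAK_BASE:-https://ucs-sso-ng.example.com}"
KEYCLOAK_REALM="${KEYCLOAK_REALM:-ucs}"

# Standard Keycloak endpoints: OIDC discovery and SAML IdP metadata for a realm.
oidc_discovery_url() {
    printf '%s/realms/%s/.well-known/openid-configuration\n' "$1" "$2"
}
saml_descriptor_url() {
    printf '%s/realms/%s/protocol/saml/descriptor\n' "$1" "$2"
}

# Back up the legacy SSO configuration: $1 is the backup directory, the
# remaining arguments are files or directories to include (missing ones are
# skipped). The UCR dump is filtered for the SSO-related variables so the
# settings can be restored by hand if a rollback is needed.
backup_sso_config() {
    dest="$1"; shift
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    if command -v ucr >/dev/null 2>&1; then
        ucr dump | grep -Ei 'saml|oidc|keycloak' > "$dest/ucr-sso-$stamp.txt" || true
    fi
    existing=""
    for p in "$@"; do
        [ -e "$p" ] && existing="$existing $p"
    done
    [ -n "$existing" ] || { echo "nothing to back up" >&2; return 1; }
    # Word splitting of $existing is intended here (one path per word).
    # shellcheck disable=SC2086
    tar -czf "$dest/sso-backup-$stamp.tar.gz" $existing
    echo "$dest/sso-backup-$stamp.tar.gz"
}

# Verify that Keycloak answers on both endpoints before pointing services at it.
# Returns non-zero on the first endpoint that does not respond with HTTP 200.
check_idp_endpoints() {
    base="$1"; realm="$2"
    for url in "$(oidc_discovery_url "$base" "$realm")" \
               "$(saml_descriptor_url "$base" "$realm")"; do
        code=$(curl -sS -o /dev/null -w '%{http_code}' "$url") || code=000
        printf '%s %s\n' "$code" "$url"
        [ "$code" = 200 ] || return 1
    done
}
```

Typical use on the UCS host before migrating the first service: `backup_sso_config /root/sso-backup /etc/simplesamlphp` (the SimpleSAMLphp path is an assumption), then `check_idp_endpoints "$KEYCLOAK_BASE" "$KEYCLOAK_REALM"`. The URL from `saml_descriptor_url` is what you hand to a SAML SP as IdP metadata, and the one from `oidc_discovery_url` is what an OIDC RP uses to discover the issuer, authorization and token endpoints; if either returns anything but 200, fix Keycloak before changing any service configuration.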
- 3.1. Prerequisites
- 3.2. Migration of services using OIDC for authentication
- 3.3. Migration of services using SAML for authentication
- 3.4. Forward from legacy SimpleSAMLphp to Keycloak
- 3.5. Kerberos