3.2. Migration of services using OIDC for authentication#
This section gives a general idea about the migration of services that use OpenID Connect Provider as OIDC Provider for the authentication to Keycloak as OIDC Provider.
The general approach for the migration includes the following:
Install the latest version of the Keycloak app in the UCS domain.
Get an overview of all the services that use OpenID Connect Provider and their settings.
Create an OIDC RP, the client, in Keycloak for every service that uses OpenID Connect Provider as OIDC Provider.
Change the OIDC settings in the services to use Keycloak as OIDC Provider and validate the setup.
To setup a service for OIDC with Keycloak use the following steps:
The UDM module
oidc/rpserviceconfigures services that use OpenID Connect Provider. To get a list of all the services and settings, run the following command on the UCS Primary Directory Node:$ udm oidc/rpservice list
Each service has a
clientid, aclientsecret, and aredirectURI. You need the values of these settings to create identical clients for the service in Keycloak. On the UCS system where you have installed Keycloak, create an OIDC client with the following command:$ univention-keycloak oidc/rp create \ --client-secret clientsecret \ --app-url redirectURI \ clientid
Note
In case you made custom settings of your OpenID Connect Provider installation, review the following files on your UCS system, that has the app installed:
/etc/kopano/konnectd.cfg/etc/kopano/konnectd-identifier-registration.yaml/etc/kopano/konnectd-identifier-scopes.yaml
You can also use the Keycloak Admin Console to create OIDC clients manually or to adjust clients created with
univention-keycloak oidc/rp create. See also Keycloak as OpenID Connect provider for more information on how to manage OIDC client clients with Keycloak.After you created the OIDC client for your service, you need to change the IdP settings that point to the OIDC Provider in the OIDC configuration of the service. Because the services are highly individual in the way they configure OIDC, this documentation can’t provide a general description. At least, you need the base URL of your Keycloak server. Run the following command on the UCS system that has Keycloak installed:
$ univention-keycloak get-keycloak-base-url
Some services may need to configure the OIDC Provider URL. Its value is
SSO_URL/realms/ucs. ReplaceSSO_URLwith the output from the previous command.Other services may have individual settings for the authorization endpoint, the token endpoint, and so on. To get these URLs, run the following commands on the Keycloak server.
$ SSO_URL="$(univention-keycloak get-keycloak-base-url)" $ univention-install jq $ curl "$SSO_URL/realms/ucs/.well-known/openid-configuration" | jq { "issuer": "https://ucs-sso-ng.example.com/realms/ucs", "authorization_endpoint": "https://ucs-sso-ng.example.com/realms/ucs/protocol/openid-connect/auth", "token_endpoint": "https://ucs-sso-ng.example.com/realms/ucs/protocol/openid-connect/token", "introspection_endpoint": "https://ucs-sso-ng.example.com/realms/ucs/protocol/openid-connect/token/introspect", "userinfo_endpoint": "https://ucs-sso-ng.example.com/realms/ucs/protocol/openid-connect/userinfo", "end_session_endpoint": "https://ucs-sso-ng.example.com/realms/ucs/protocol/openid-connect/logout", ... }
You don’t need to change the settings for the client name and secret, because you have created an OIDC client with identical values in Keycloak.
To get a better picture using OIDC with Keycloak, have a look at the examples given in section Services using OIDC.