3.2. Migration of services using OIDC for authentication

Note

If you don’t have OpenID Connect Provider installed in your domain, the migration described in this chapter is not needed. In fact, the following UDM commands fail in that case, because the module oidc/rpservice is only available when OpenID Connect Provider is installed.

This section gives a general idea of how to migrate services that use OpenID Connect Provider as their OIDC Provider for authentication to Keycloak as OIDC Provider.

The general approach for the migration includes the following:

  • Install the latest version of the Keycloak app in the UCS domain.

  • Get an overview of all the services that use OpenID Connect Provider and their settings.

  • Create an OIDC RP, the client, in Keycloak for every service that uses OpenID Connect Provider as OIDC Provider.

  • Change the OIDC settings in the services to use Keycloak as OIDC Provider and validate the setup.

To set up a service for OIDC with Keycloak, use the following steps:

  1. The UDM module oidc/rpservice configures services that use OpenID Connect Provider. To get a list of all the services and settings, run the following command on the UCS Primary Directory Node:

    Listing 3.1 List all services that use OpenID Connect Provider for OIDC
    $ udm oidc/rpservice list
    
  2. Each service has a clientid, a clientsecret, and a redirectURI. You need the values of these settings to create identical clients for the service in Keycloak. On the UCS system where you have installed Keycloak, create an OIDC client with the following command:

    Listing 3.2 Create an OIDC client for the service in Keycloak
    $ univention-keycloak oidc/rp create \
      --client-secret clientsecret \
      --app-url redirectURI \
      clientid
    

    Note

    If you customized your OpenID Connect Provider installation, review the following files on the UCS system that has the app installed:

    • /etc/kopano/konnectd.cfg

    • /etc/kopano/konnectd-identifier-registration.yaml

    • /etc/kopano/konnectd-identifier-scopes.yaml

  3. You can also use the Keycloak Admin Console to create OIDC clients manually or to adjust clients created with univention-keycloak oidc/rp create. See also Keycloak as OpenID Connect provider for more information on how to manage OIDC clients with Keycloak.

  4. After you have created the OIDC client for your service, you need to change the IdP settings that point to the OIDC Provider in the OIDC configuration of the service. Because services differ widely in the way they configure OIDC, this documentation can’t provide a general description. At a minimum, you need the base URL of your Keycloak server. Run the following command on the UCS system that has Keycloak installed:

    Listing 3.3 Get base URL of the Keycloak server
    $ univention-keycloak get-keycloak-base-url
    
  5. Some services may need to configure the OIDC Provider URL. Its value is SSO_URL/realms/ucs. Replace SSO_URL with the output from the previous command.

    Other services may have individual settings for the authorization endpoint, the token endpoint, and so on. To get these URLs, run the following commands on the Keycloak server.

    Listing 3.4 Get different endpoint URLs
    $ SSO_URL="$(univention-keycloak get-keycloak-base-url)"
    $ univention-install jq
    $ curl "$SSO_URL/realms/ucs/.well-known/openid-configuration" | jq
    {
      "issuer": "https://ucs-sso-ng.example.com/realms/ucs",
      "authorization_endpoint": "https://ucs-sso-ng.example.com/realms/ucs/protocol/openid-connect/auth",
      "token_endpoint": "https://ucs-sso-ng.example.com/realms/ucs/protocol/openid-connect/token",
      "introspection_endpoint": "https://ucs-sso-ng.example.com/realms/ucs/protocol/openid-connect/token/introspect",
      "userinfo_endpoint": "https://ucs-sso-ng.example.com/realms/ucs/protocol/openid-connect/userinfo",
      "end_session_endpoint": "https://ucs-sso-ng.example.com/realms/ucs/protocol/openid-connect/logout",
      ...
    }
    

    You don’t need to change the settings for the client name and secret, because you have created an OIDC client with identical values in Keycloak.
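    The following helper ties steps 1, 2 and 5 together. It is an added example, not Univention code: it assumes that `udm oidc/rpservice list` prints one "DN: ..." line per object followed by indented "key: value" lines with the properties clientid, clientsecret and redirectURI named as in the text; the UDM listing and the discovery document in it are constructed samples, and the issuer check refuses endpoints from any issuer other than SSO_URL/realms/ucs.

```python
"""Helpers for the migration steps above (added example, not Univention code).
Assumed: `udm oidc/rpservice list` prints "DN: ..." then indented "key: value"
lines named clientid, clientsecret, redirectURI. Samples below are constructed."""
import json
import shlex
SAMPLE_UDM_LISTING = """\
DN: cn=nextcloud,cn=oidc,cn=univention,dc=example,dc=com
  clientid: nextcloud
  clientsecret: s3cr3t-value
  redirectURI: https://nextcloud.example.com/apps/oidc/redirect
DN: cn=wiki,cn=oidc,cn=univention,dc=example,dc=com
  clientid: wiki
  clientsecret: another-secret
  redirectURI: https://wiki.example.com/oidc/callback
"""
SSO_URL = "https://ucs-sso-ng.example.com"  # output of get-keycloak-base-url
SAMPLE_DISCOVERY = json.dumps({  # constructed, values as shown in Listing 3.4
    "issuer": f"{SSO_URL}/realms/ucs",
    "authorization_endpoint": f"{SSO_URL}/realms/ucs/protocol/openid-connect/auth",
    "token_endpoint": f"{SSO_URL}/realms/ucs/protocol/openid-connect/token",
    "end_session_endpoint": f"{SSO_URL}/realms/ucs/protocol/openid-connect/logout",
})

def parse_rpservices(listing):
    """Turn `udm oidc/rpservice list` output (step 1) into one dict per service."""
    services, current = [], None
    for line in listing.splitlines():
        if line.startswith("DN: "):
            current = {"dn": line[4:].strip()}
            services.append(current)
        elif current is not None and line.startswith(" ") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return services

def keycloak_create_commands(services):
    """One `univention-keycloak oidc/rp create` command per service (step 2)."""
    return ["univention-keycloak oidc/rp create --client-secret {} --app-url {} {}".format(
        shlex.quote(s["clientsecret"]), shlex.quote(s["redirectURI"]), shlex.quote(s["clientid"]))
        for s in services]

def provider_settings(sso_url, discovery_json):
    """Endpoint settings for step 5. The issuer must be exactly SSO_URL/realms/ucs;
    anything else would point the service at a different issuer or realm, so refuse."""
    doc = json.loads(discovery_json)
    expected = sso_url.rstrip("/") + "/realms/ucs"
    if doc.get("issuer") != expected:
        raise ValueError(f"unexpected issuer {doc.get('issuer')!r}, wanted {expected!r}")
    wanted = ("authorization_endpoint", "token_endpoint", "end_session_endpoint")
    return {"provider_url": expected, **{k: doc[k] for k in wanted}}
```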

To get a better picture of using OIDC with Keycloak, have a look at the examples given in section Services using OIDC.