5. Services validation and troubleshooting#

Every procedure during the migration has the potential to fail at some point. This section provides hints for troubleshooting such situations.

5.1. Log files#

As first step, review the log files of Keycloak and the connected services:

Review the log files of Keycloak and look for errors. On the UCS system that has Keycloak installed, run the following command:
```
$ univention-app logs keycloak
```
For an extensive troubleshooting guide of the Keycloak app, refer to Troubleshooting in the Univention Keycloak app documentation [1].
Review the log files of the following services:
- For UMC: /var/log/univention/management-console-web-server.log
- For Nextcloud: /var/lib/univention-appcenter/apps/nextcloud/data/nextcloud-data/nextcloud.log
- For ownCloud: /var/lib/univention-appcenter/apps/owncloud/data/files/owncloud.log
- For other services: consult the manual of the service

Also verify the configuration of Keycloak and the single sign-on settings of the services:

For OIDC services make sure that the service has the correct clientsecret and clientid. The values for these settings must match in Keycloak and the services.
For SAML services verify that the service uses the current, public certificate of the Keycloak server.
For SAML verify that the clientid in the Keycloak configuration of your SAML SP is correct. This is also the issuer for the SAML authentication request. The value is service specific, but needs to match the expectations of the service.

Additionally, verify the following items:

Ensure that all involved systems have the same and synchronized time.
Use Developer Tools of your browser to see which requests fail to narrow down the cause of the problem.