2. Authentication

Nubus provides a central login page through the Univention Portal. You can sign in to the Management UI with the credentials of the respective user account. This section describes the sign-in to Nubus and covers the following topics:

2.1. Sign-in

If a page in the Management UI, such as a management module, requires a login, your browser redirects you to the sign-in page. When you sign in at Nubus, the browser session closes after 8 hours of inactivity by default. To renew the session, you must sign in again.

Depending on the installation, you find the sign-in at the following locations:

In the UCS appliance, you find the portal to sign in at https://FQDN/univention/portal/, where FQDN is the fully qualified domain name of the appliance.

Example

https://ucs.example.com/univention/portal/.

In Nubus for Kubernetes, you find the portal to sign in at https://portal.global.domain/univention/portal. If you don’t know the URL to the portal, ask your operator. The value for global.domain is set in the global.domain value of the Helm Chart.

On the portal you can use the following ways to sign in:

  • Click the tile Login on the portal page.

  • Go to Menu and click Login.

Both ways open the login page shown in Fig. 2.1.

Fig. 2.1 Nubus sign-in page

2.1.1. Choose the right user account

To sign in, enter the username and password of the corresponding user account.

Administrator

When you sign in with the Administrator account, or a user account that’s a member of the Domain Admins user group, the Management UI shows the management modules for administration and configuration.

Other user accounts

When you sign in with another user account that isn’t part of the Domain Admins user group, the Management UI shows the management modules approved for the user. For additional information on allowing further modules, refer to Delegated administration for UMC modules in Univention Corporate Server - Manual for users and administrators [2].

2.2. Sign-out

To sign out of the Management UI, click Logout in the user menu.

2.3. Single sign-on

Nubus supports single sign-on through various protocols. The protocol in use depends on your installation and the configuration. After a successful sign-in, the session is valid for all services connected to Nubus. The rules about inactivity also apply for single sign-on. Fig. 2.2 shows the sign-in page for single sign-on.

Fig. 2.2 Nubus sign-in page for single sign-on

2.3.1. SAML for single sign-on

SAML is short for Security Assertion Markup Language, an open standard for exchanging authentication and authorization data between an identity provider and a service provider. Nubus supports SAML as a protocol for single sign-on.

In the UCS appliance, single sign-on is deactivated by default on the sign-in page for the portal. The UCS appliance supports single sign-on with SAML through the Keycloak App. Refer to Use Keycloak for login to Univention Portal in Univention Keycloak app manual [3].

For further information about activation and configuration of SAML in the UCS appliance, see SAML for single sign-on in Univention Corporate Server - Manual for users and administrators [2].

Nubus for Kubernetes uses single sign-on by default through the SAML protocol.

2.3.2. OpenID Connect for single sign-on

OpenID Connect (OIDC) is a protocol that allows single sign-on. OIDC is a more lightweight protocol than SAML. It’s one variant for using single sign-on in the Portal and the Management UI.

For the configuration of OpenID Connect for the UCS appliance, see OpenID Connect for single sign-on in Univention Corporate Server - Manual for users and administrators [2].

OpenID Connect for sign-in to Nubus for Kubernetes isn’t supported.