Bug 55966 - Mixture of Keycloak and SimpleSamlPHP after upgrade
Status: NEW
Product: UCS
Classification: Unclassified
Component: Keycloak
UCS 5.0
Other Mac OS X 10.1
Importance: P5 normal
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2023-04-13 15:10 CEST by Ingo Jürgensmann
Modified: 2023-04-13 17:17 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.143
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Description Ingo Jürgensmann univentionstaff 2023-04-13 15:10:04 CEST
The customer faced issues after errata updates with the UCS Keycloak app, in that the join scripts didn't succeed.

When having a look at the problem in an online meeting (no direct access), it appeared that /usr/lib/univention-install/92univention-management-console-web-server.inst is failing because it tries to download the metadata from the wrong location.

From the log files: 

/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:01:16: set ucs/web/overview/entries/admin/keycloak/description/de=Keycloak old:Keycloak
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:01:16: set ucs/web/overview/entries/admin/keycloak/description=Keycloak old:Keycloak
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:01:16: set ucs/web/overview/entries/admin/keycloak/label=Keycloak old:Keycloak
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:01:16: set ucs/web/overview/entries/admin/keycloak/link=https://keycloak.$DOMAIN.com/admin/ old:https://keycloak.$DOMAIN.com/admin/
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:01:16: set ucs/web/overview/entries/admin/keycloak/icon=/univention/js/dijit/themes/umc/icons/scalable/apps-keycloak_20230201094428.svg old:/univention/js/dijit/themes/umc/icons/scalable/apps-keycloak_20230201094428.svg
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:01:16: set ucs/web/overview/entries/admin/keycloak/link-target=newwindow old:newwindow
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:01:30: set umc/saml/idp-server=https://keycloak.$DOMAIN.com/simplesamlphp/saml2/idp/metadata.php old:[Previously undefined]
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:02:32: unset 'umc/saml/idp-server' old:https://keycloak.$DOMAIN.com/simplesamlphp/saml2/idp/metadata.php
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:03:45: unset 'ucs/web/overview/entries/admin/keycloak/description' old:Keycloak
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:03:45: unset 'ucs/web/overview/entries/admin/keycloak/description/de' old:Keycloak
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:03:45: unset 'ucs/web/overview/entries/admin/keycloak/icon' old:/univention/js/dijit/themes/umc/icons/scalable/apps-keycloak_20230201094428.svg
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:03:45: unset 'ucs/web/overview/entries/admin/keycloak/label' old:Keycloak
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:03:45: unset 'ucs/web/overview/entries/admin/keycloak/link' old:https://keycloak.$DOMAIN.com/admin/
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:03:45: unset 'ucs/web/overview/entries/admin/keycloak/link-target' old:newwindow
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:04:31: set keycloak/server/sso/fqdn=ucs-sso-ng.osc.$DOMAIN.com old:keycloak.$DOMAIN.com
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:04:38: unset 'appcenter/apps/keycloak/image' old:docker.software-univention.de/keycloak-keycloak:19.0.2-ucs2
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:04:38: set appcenter/apps/keycloak/image=docker.software-univention.de/keycloak-keycloak:19.0.2-ucs2 old:[Previously undefined]
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:04:42: set appcenter/apps/keycloak/container=f0aa3f20600d5d268127536486d40d4f8effaeceb95d548ad34a1dbbe9568a9b old:e7faacf9edb638794d227a161a0ac75e0f6544c96de4898b9966b9a1678a733b
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:04:53: set appcenter/prudence/docker/keycloak=yes old:[Previously undefined]
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:04:53: unset 'appcenter/prudence/docker/keycloak' old:yes
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:07:19: set ucs/web/overview/entries/admin/keycloak/description/de=Keycloak old:[Previously undefined]
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:07:19: set ucs/web/overview/entries/admin/keycloak/description=Keycloak old:[Previously undefined]
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:07:19: set ucs/web/overview/entries/admin/keycloak/label=Keycloak old:[Previously undefined]
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:07:19: set ucs/web/overview/entries/admin/keycloak/link=https://ucs-sso-ng.osc.$DOMAIN.com/admin/ old:[Previously undefined]
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:07:19: set ucs/web/overview/entries/admin/keycloak/icon=/univention/js/dijit/themes/umc/icons/scalable/apps-keycloak_20230201094428.svg old:[Previously undefined]
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:07:19: set ucs/web/overview/entries/admin/keycloak/link-target=newwindow old:[Previously undefined]
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:08:56: set umc/saml/idp-server=https://keycloak.$DOMAIN.com/simplesamlphp/saml2/idp/metadata.php old:[Previously undefined]
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:09:58: unset 'umc/saml/idp-server' old:https://keycloak.$DOMAIN.com/simplesamlphp/saml2/idp/metadata.php
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:11:08: set ucs/server/sso/fqdn=ucs-sso.osc.$DOMAIN.com old:keycloak.$DOMAIN.com

"keycloak.domain.com" is the configured FQDN for the Keycloak app. However, the FQDN used here is ucs-sso.osc.$DOMAIN.com with the path "simplesamlphp" appended.

When quickly looking at /usr/lib/univention-install/92univention-management-console-web-server.inst, this can be spotted:

line 92:
ucr set ucs/server/sso/fqdn?"ucs-sso.$domainname"

line 109:
         ucr set umc/saml/idp-server="https://${ucs_server_sso_fqdn}/simplesamlphp/saml2/idp/metadata.php" || _cleanup_die

Apparently the join script doesn't seem to be ready for Keycloak, especially when there are issues with the Keycloak app itself (using different internal/external domains, which is another bug report).

This leaves the installation in a somewhat broken situation that appears not to be easily fixable for the customer. In this case the customer needed to reinstall the BDN
Comment 1 Erik Damrose univentionstaff 2023-04-13 17:17:07 CEST
Apparently Keycloak and UCS were adapted according to
https://docs.software-univention.de/keycloak-app/latest/configuration.html#use-keycloak-for-login-to-ucs-portal

But additional changes were made; in the config registry log I can see that a non-default FQDN (ucs-sso-ng) was configured for Keycloak, e.g.

/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:01:30: set umc/saml/idp-server=https://keycloak.$DOMAIN.com/simplesamlphp/saml2/idp/metadata.php
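The join-script logic quoted in the description (line 92 and line 109) and the non-default FQDN pointed out in Comment 1, replayed as an added example that is not part of the bug report or of UCS. It stands in for `ucr get` with a constructed key=value snapshot so it runs offline; the domain names (osc.example.com), the realm name `ucs` and the Keycloak SAML descriptor path `/realms/ucs/protocol/saml/descriptor` are assumptions to confirm against the documentation linked in Comment 1.

```shell
#!/bin/sh
# Added example (not from the bug report or UCS): models the two join-script lines
# quoted above against a constructed UCR snapshot, so the mismatch can be reproduced
# without `ucr`, a UCS host or network access.

# Stand-in for `ucr get KEY`: read KEY from a key=value snapshot file.
ucr_get() {
    grep "^$1=" "$2" | head -n 1 | cut -d= -f2-
}

# Write a constructed snapshot with the values seen in the replog (real domain names
# replaced by example.com). The optional second argument models ucs/server/sso/fqdn
# already holding a (possibly stale) value; when omitted the key is left unset.
example_snapshot() {
    {
        printf 'domainname=%s\n' "osc.example.com"
        printf 'keycloak/server/sso/fqdn=%s\n' "ucs-sso-ng.osc.example.com"
        if [ -n "${2:-}" ]; then
            printf 'ucs/server/sso/fqdn=%s\n' "$2"
        fi
    } > "$1"
}

# Replays join-script line 92 and line 109: `ucr set key?value` only fills the value
# if the key is unset, so a stale value survives, and the IdP URL is always built with
# the SimpleSAMLphp path regardless of which IdP is actually installed.
joinscript_idp_server() {
    domainname=$(ucr_get domainname "$1")
    fqdn=$(ucr_get ucs/server/sso/fqdn "$1")
    [ -n "$fqdn" ] || fqdn="ucs-sso.$domainname"
    printf 'https://%s/simplesamlphp/saml2/idp/metadata.php\n' "$fqdn"
}

# The URL a Keycloak-backed setup needs instead. Assumption: Keycloak's SAML IdP
# descriptor path with realm "ucs"; confirm against the linked documentation.
keycloak_idp_server() {
    fqdn=$(ucr_get keycloak/server/sso/fqdn "$1")
    printf 'https://%s/realms/ucs/protocol/saml/descriptor\n' "$fqdn"
}

# Returns 0 when the join script's URL already points at the Keycloak descriptor,
# 1 when it still points at a SimpleSAMLphp host/path (the situation in this report).
check_idp_server() {
    want=$(keycloak_idp_server "$1")
    got=$(joinscript_idp_server "$1")
    if [ "$got" = "$want" ]; then
        echo "ok: umc/saml/idp-server=$got"
        return 0
    fi
    echo "MISMATCH: join script would set umc/saml/idp-server=$got"
    echo "          Keycloak IdP descriptor is at       $want"
    return 1
}

# Stand-alone demo: the stale-value case from the replog (ucs/server/sso/fqdn still
# holding the old Keycloak host) and the default-name case (key unset).
if [ "${1:-}" = "demo" ]; then
    snap=$(mktemp)
    for stale in keycloak.example.com ""; do
        example_snapshot "$snap" "$stale"
        check_idp_server "$snap" || :
    done
    rm -f "$snap"
fi
```

Run with the `demo` argument to see both cases: with a stale ucs/server/sso/fqdn the join script builds the URL under the old host with the SimpleSAMLphp path (what the replog shows at 15:08:56), and with the key unset the `?` default ucs-sso.$domainname applies, which in this domain was never the Keycloak host either. The same check, with `ucr get` substituted for the snapshot lookup, is what to run on an affected host before re-running the join script.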