Univention Bugzilla – Bug 55966
Mixture of Keycloak and SimpleSamlPHP after upgrade
Last modified: 2023-04-13 17:17:07 CEST
Customer faced issues after errata updates with the UCS Keycloak app in that the join scripts didn't succeed. When having a look at the problem in an online meeting (no direct access) it appeared that /usr/lib/univention-install/92univention-management-console-web-server.inst is failing because it tries to download the metadata from the wrong location. From the log files:

/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:01:16: set ucs/web/overview/entries/admin/keycloak/description/de=Keycloak old:Keycloak
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:01:16: set ucs/web/overview/entries/admin/keycloak/description=Keycloak old:Keycloak
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:01:16: set ucs/web/overview/entries/admin/keycloak/label=Keycloak old:Keycloak
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:01:16: set ucs/web/overview/entries/admin/keycloak/link=https://keycloak.$DOMAIN.com/admin/ old:https://keycloak.$DOMAIN.com/admin/
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:01:16: set ucs/web/overview/entries/admin/keycloak/icon=/univention/js/dijit/themes/umc/icons/scalable/apps-keycloak_20230201094428.svg old:/univention/js/dijit/themes/umc/icons/scalable/apps-keycloak_20230201094428.svg
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:01:16: set ucs/web/overview/entries/admin/keycloak/link-target=newwindow old:newwindow
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:01:30: set umc/saml/idp-server=https://keycloak.$DOMAIN.com/simplesamlphp/saml2/idp/metadata.php old:[Previously undefined]
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:02:32: unset 'umc/saml/idp-server' old:https://keycloak.$DOMAIN.com/simplesamlphp/saml2/idp/metadata.php
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:03:45: unset 'ucs/web/overview/entries/admin/keycloak/description' old:Keycloak
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:03:45: unset 'ucs/web/overview/entries/admin/keycloak/description/de' old:Keycloak
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:03:45: unset 'ucs/web/overview/entries/admin/keycloak/icon' old:/univention/js/dijit/themes/umc/icons/scalable/apps-keycloak_20230201094428.svg
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:03:45: unset 'ucs/web/overview/entries/admin/keycloak/label' old:Keycloak
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:03:45: unset 'ucs/web/overview/entries/admin/keycloak/link' old:https://keycloak.$DOMAIN.com/admin/
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:03:45: unset 'ucs/web/overview/entries/admin/keycloak/link-target' old:newwindow
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:04:31: set keycloak/server/sso/fqdn=ucs-sso-ng.osc.$DOMAIN.com old:keycloak.$DOMAIN.com
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:04:38: unset 'appcenter/apps/keycloak/image' old:docker.software-univention.de/keycloak-keycloak:19.0.2-ucs2
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:04:38: set appcenter/apps/keycloak/image=docker.software-univention.de/keycloak-keycloak:19.0.2-ucs2 old:[Previously undefined]
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:04:42: set appcenter/apps/keycloak/container=f0aa3f20600d5d268127536486d40d4f8effaeceb95d548ad34a1dbbe9568a9b old:e7faacf9edb638794d227a161a0ac75e0f6544c96de4898b9966b9a1678a733b
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:04:53: set appcenter/prudence/docker/keycloak=yes old:[Previously undefined]
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:04:53: unset 'appcenter/prudence/docker/keycloak' old:yes
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:07:19: set ucs/web/overview/entries/admin/keycloak/description/de=Keycloak old:[Previously undefined]
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:07:19: set ucs/web/overview/entries/admin/keycloak/description=Keycloak old:[Previously undefined]
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:07:19: set ucs/web/overview/entries/admin/keycloak/label=Keycloak old:[Previously undefined]
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:07:19: set ucs/web/overview/entries/admin/keycloak/link=https://ucs-sso-ng.osc.$DOMAIN.com/admin/ old:[Previously undefined]
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:07:19: set ucs/web/overview/entries/admin/keycloak/icon=/univention/js/dijit/themes/umc/icons/scalable/apps-keycloak_20230201094428.svg old:[Previously undefined]
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:07:19: set ucs/web/overview/entries/admin/keycloak/link-target=newwindow old:[Previously undefined]
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:08:56: set umc/saml/idp-server=https://keycloak.$DOMAIN.com/simplesamlphp/saml2/idp/metadata.php old:[Previously undefined]
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:09:58: unset 'umc/saml/idp-server' old:https://keycloak.$DOMAIN.com/simplesamlphp/saml2/idp/metadata.php
/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:11:08: set ucs/server/sso/fqdn=ucs-sso.osc.$DOMAIN.com old:keycloak.$DOMAIN.com

"keycloak.domain.com" is the configured FQDN for the Keycloak app. However, the FQDN used here is ucs-sso.osc.$DOMAIN.com with the path "simplesamlphp" appended.
When quickly looking at /usr/lib/univention-install/92univention-management-console-web-server.inst this can be spotted:

line 92: ucr set ucs/server/sso/fqdn?"ucs-sso.$domainname"
line 109: ucr set umc/saml/idp-server="https://${ucs_server_sso_fqdn}/simplesamlphp/saml2/idp/metadata.php" || _cleanup_die

Apparently the join script doesn't seem to be ready for Keycloak, especially when there are issues with the Keycloak app itself (using different internal/external domains, which is another bug report). This leaves the installation in a somewhat broken situation that appears not to be easily fixable for the customer. In this case the customer needed to reinstall the BDN.
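The mixed state described in this report (the Keycloak app configured under one SSO FQDN while the join script still writes a SimpleSAMLphp metadata URL derived from ucs/server/sso/fqdn into umc/saml/idp-server) can be detected before a join script fails. The following check is an added example, not part of the bug report or of UCS; the function takes the three UCR values as arguments so it can be run anywhere, and the check_live_ucr wrapper (an assumption that "ucr get" is available on the host) feeds it the live values. The demo values are constructed to mirror the replog excerpt, with example.test standing in for $DOMAIN.com.

```shell
#!/bin/sh
# Added example (not from the bug report or from UCS): consistency check for
# ucs/server/sso/fqdn, keycloak/server/sso/fqdn and umc/saml/idp-server.

# check_idp_consistency UCS_SSO_FQDN KEYCLOAK_SSO_FQDN IDP_SERVER_URL
# Prints one line per finding; returns 0 when consistent, 1 otherwise.
check_idp_consistency() {
    ucs_sso="$1"
    kc_sso="$2"
    idp="$3"
    rc=0

    if [ -z "$idp" ]; then
        echo "MISMATCH: umc/saml/idp-server is unset; UMC cannot fetch IdP metadata"
        return 1
    fi

    # Host part of the metadata URL: drop the scheme, then the path.
    idp_host=${idp#*://}
    idp_host=${idp_host%%/*}

    if [ -n "$kc_sso" ]; then
        # Keycloak is the intended IdP: the metadata must come from its FQDN,
        # not from the SimpleSAMLphp path the join script appends.
        case "$idp" in
            */simplesamlphp/*)
                echo "MISMATCH: keycloak/server/sso/fqdn='$kc_sso' but idp-server still uses the SimpleSAMLphp metadata path"
                rc=1 ;;
        esac
        if [ "$idp_host" != "$kc_sso" ]; then
            echo "MISMATCH: idp-server host '$idp_host' differs from keycloak/server/sso/fqdn '$kc_sso'"
            rc=1
        fi
    else
        # Legacy SimpleSAMLphp IdP: the host must match ucs/server/sso/fqdn.
        if [ "$idp_host" != "$ucs_sso" ]; then
            echo "MISMATCH: idp-server host '$idp_host' differs from ucs/server/sso/fqdn '$ucs_sso'"
            rc=1
        fi
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: idp-server '$idp' matches the configured SSO FQDN"
    fi
    return "$rc"
}

# Wrapper for a UCS host (assumes the ucr CLI is present): read the live values.
check_live_ucr() {
    command -v ucr >/dev/null 2>&1 || { echo "ucr not available on this host" >&2; return 2; }
    check_idp_consistency "$(ucr get ucs/server/sso/fqdn)" \
                          "$(ucr get keycloak/server/sso/fqdn)" \
                          "$(ucr get umc/saml/idp-server)"
}

# Demo with constructed values mirroring the replog: Keycloak was moved to
# ucs-sso-ng while idp-server still points at keycloak.../simplesamlphp/.
check_idp_consistency "ucs-sso.osc.example.test" "ucs-sso-ng.osc.example.test" \
    "https://keycloak.example.test/simplesamlphp/saml2/idp/metadata.php" \
    || echo "-> mixed Keycloak/SimpleSAMLphp configuration detected"
```

Running check_live_ucr on an affected system before re-running the join scripts would have reported the mismatch from the replog (Keycloak FQDN ucs-sso-ng.osc.$DOMAIN.com, idp-server still on the simplesamlphp path), which is the state the join script cannot recover from on its own.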
Apparently Keycloak and UCS were adapted according to https://docs.software-univention.de/keycloak-app/latest/configuration.html#use-keycloak-for-login-to-ucs-portal

But additional changes were made; in the config registry log I can see that a non-default fqdn (ucs-sso-ng) was configured for keycloak, e.g.

/var/log/univention/config-registry.replog.2.gz:2023-03-29 15:01:30: set umc/saml/idp-server=https://keycloak.$DOMAIN.com/simplesamlphp/saml2/idp/metadata.php