Univention Bugzilla – Bug 55967
Custom domains are not (yet) supported in Keycloak App
Last modified: 2023-06-20 10:19:17 CEST
Customer installed Keycloak App and configured the settings to have an external domain to expose Keycloak from the Internet via a haproxy setup. The configuration dialogue presents the admin a text field to enter the FQDN for Keycloak: "Defines the fqdn of the identity provider of this UCS domain." This customer then assumes that a FQDN other than ucs-sso-ng.{domainname} can be used. But the FQDN is somewhat hardcoded in /usr/sbin/univention-keycloak (searching for domainname; lines 672-676, 737 and 1340-1345):

```python
ldap_base = ucr.get("ldap/base")
domainname = ucr.get("domainname")
host_fqdn = "%s.%s" % (ucr.get("hostname"), ucr.get("domainname"))
keycloak_fqdn = ucr.get("keycloak/server/sso/fqdn", f"ucs-sso-ng.{domainname}")
no_ucr_available = not (ucr and ldap_base)
...
init_parser.add_argument("--domainname", required=no_ucr_available, default=domainname)
...
data = {"loginTitleHtml": f"Login at {opt.domainname}", "loginTitle": "Univention Corporate Server Single-Sign On"}
# german
data = {"loginTitleHtml": f"Anmelden bei {opt.domainname}", "loginTitle": "Univention Corporate Server Single-Sign On"}
```

Many customers are using internal domains for setting up UCS and external domains for Internet-facing purposes, but as the $domainname is hardcoded, the use of external domains will not work and give many other issues.

This has been discussed partly internally with development already, but this bug is intended for keeping track of the issue. Development signalled that this might be resolved in Q2/23.
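A preflight check for the situation described above, added here as an example and not part of the bug report or of univention-keycloak: it reproduces the FQDN fallback and login-title logic quoted from the script and flags a configured SSO FQDN whose domain part differs from the UCR domainname. The `ucr` dict and the sample values are constructed stand-ins for the UCR object.

```python
"""Check whether keycloak/server/sso/fqdn matches the domain univention-keycloak assumes."""
from __future__ import annotations


def effective_keycloak_fqdn(ucr: dict) -> str:
    # Same fallback as in univention-keycloak: explicit UCR value, else ucs-sso-ng.<domainname>
    domainname = ucr.get("domainname")
    return ucr.get("keycloak/server/sso/fqdn", f"ucs-sso-ng.{domainname}")


def login_title_html(ucr: dict, domainname_opt: str | None = None) -> str:
    # Mirrors the loginTitleHtml text; --domainname defaults to the UCR domainname
    domainname = domainname_opt or ucr.get("domainname")
    return f"Login at {domainname}"


def check_sso_fqdn(ucr: dict) -> list[str]:
    """Return findings for an SSO FQDN outside the UCS domain; empty list means consistent."""
    findings: list[str] = []
    domainname = ucr.get("domainname", "")
    fqdn = effective_keycloak_fqdn(ucr)
    fqdn_domain = fqdn.split(".", 1)[1] if "." in fqdn else ""
    if fqdn_domain != domainname:
        findings.append(
            f"keycloak/server/sso/fqdn={fqdn} lies outside the UCS domain {domainname}; "
            "univention-keycloak derives its defaults from domainname, not from this FQDN"
        )
        findings.append(
            f"login page title would read {login_title_html(ucr)!r} and show the internal domain"
        )
    return findings


# Constructed sample UCR contents (not real deployments)
INTERNAL_ONLY = {"hostname": "ucs1", "domainname": "intranet.example", "ldap/base": "dc=intranet,dc=example"}
EXTERNAL = dict(INTERNAL_ONLY, **{"keycloak/server/sso/fqdn": "login.example.com"})

if __name__ == "__main__":
    for name, ucr in (("internal", INTERNAL_ONLY), ("external", EXTERNAL)):
        print(name, effective_keycloak_fqdn(ucr), check_sso_fqdn(ucr) or "ok")
```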
Sorry, we did not keep track of the issue in this bug. We fixed it in many small steps with App updates and improvements in univention-keycloak. I hope it works for you now.