Univention Bugzilla – Bug 57062
Describe how to use OpenID Connect to sign in to UMC
Last modified: 2024-02-16 12:02:02 CET
Bug #49006 introduced OpenID Connect authentication for UMC. The feature is deactivated by default. Activating it isn't covered by support yet. The functionality doesn't have any documentation. This issue is about adding the documentation to the UCS manual.
* What is OIDC in UMC?

  OpenID Connect (OIDC) for UMC offers single sign-on to UMC through Keycloak as an alternative to SAML. OIDC is a more lightweight protocol than SAML.

  *That's a quite technical explanation. Can we come up with a less technical benefit, why the yet unsupported OIDC may be a good choice over the supported SAML integration?*

* What can I use it for as an admin?

  To the administrator there isn't much difference between SAML and OIDC. It's of more importance to software developers. There is a session within Keycloak and for the session it isn't important whether it uses SAML or OIDC.

* What requirements do I need to fulfill to use it?

  UCS 5.0-6 latest errata (https://errata.software-univention.de/#/?erratum=5.0x947) and Keycloak app installed.

* How do I activate it?

  ```
  univention-app install keycloak
  ucr set umc/web/oidc/enabled=true
  univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst
  ```

* How do I deactivate it?

  ```
  ucr unset umc/web/oidc/enabled
  ```

  `ucr unset` all variables found by `ucr search --brief --key ^umc/oidc` and `ucr search --brief --key ^ldap/server/sasl/oauthbearer`.

  ```
  rm -f /etc/umc-oidc.secret
  systemctl restart slapd.service univention-management-console
  ```

* How can I verify if it works?

  `firefox https://FQDN/univention/oidc/`, then log in, then open a UDM module such as Users in UMC and run a search in it.

* Where can I look if I assume problems?

  `/var/log/univention/management-console.server.log` and `journalctl -u slapd.service`

* What limitations are known?

  No auth-mode can be set in the portal. You would have to customize login links of portal tiles yourself so that they point to `/univention/oidc/` instead to `/univention/login/` or `/univention/saml/`.

* Support

  The feature isn't covered by Univention support service.
(In reply to Nico Gulden from comment #2)
> * What limitations are known?
>
> No auth-mode can be set in the portal. You would have to customize login
> links of portal tiles yourself so that they point to `/univention/oidc/`
> instead to `/univention/login/` or `/univention/saml/`.

Is there any change to the behavior of UCR portal/auth-mode, does it support OIDC? Currently, 'ucs' and 'saml' are the only documented valid values.
(In reply to Erik Damrose from comment #3)
> (In reply to Nico Gulden from comment #2)
> > * What limitations are known?
> >
> > No auth-mode can be set in the portal. You would have to customize login
> > links of portal tiles yourself so that they point to `/univention/oidc/`
> > instead to `/univention/login/` or `/univention/saml/`.
>
> Is there any change to the behavior of UCR portal/auth-mode, does it support
> OIDC? Currently, 'ucs' and 'saml' are the only documented valid values

The Portal works with OIDC with any authMode except for the login button, which points to different links. That's the only thing the authMode is used for. We can easily add it in the product, it's 2 additional lines and then full support for portal/auth-mode=oidc exists in the portal:

diff --git management/univention-portal/frontend/src/jsHelper/login.ts management/univention-portal/frontend/src/jsHelper/login.ts
index d766b4f971..0f10ad7b74 100644
--- management/univention-portal/frontend/src/jsHelper/login.ts
+++ management/univention-portal/frontend/src/jsHelper/login.ts
@@ -34,6 +34,8 @@ import { User } from '@/store/modules/user/user.models';
 function login(user: User): void {
   if (user.authMode === 'saml') {
     window.location.href = `/univention/saml/?location=${window.location.pathname}`;
+  } else if (user.authMode === 'oidc') {
+    window.location.href = `/univention/oidc/?location=${window.location.pathname}`;
   } else {
     window.location.href = `/univention/login/?location=${window.location.pathname}`;
   }

Maybe it makes sense to just do this instead of documenting the limitation?!
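Review bot: the added `oidc` branch interpolates `window.location.pathname` into the `location` query parameter without encoding, exactly as the existing `saml` and default branches do; since this line is new anyway, consider `encodeURIComponent(window.location.pathname)` on `+    window.location.href = \`/univention/oidc/?location=...\`` so paths containing `?`, `#` or `&` survive the redirect, and apply the same to the two existing branches in a follow-up. Comment #3 also notes that `ucs` and `saml` are the only documented valid values of `portal/auth-mode`, so the UCR variable description (and, if `User.authMode` in `user.models` is a string-literal union, that type) should be updated together with this patch; otherwise `oidc` silently falls through to the `/univention/login/` branch wherever it is rejected upstream.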
> There is a session within Keycloak and for the session it isn't important whether it uses SAML or OIDC.

That's the least interesting aspect of single sign on, it's an implementation detail of Keycloak. More interesting are protocol behaviors like session refresh, SLO (frontend, backend) etc. But also less easy to explain. I'd say it's beyond the scope of our manual to discuss the pros and cons.

> How do I deactivate it?

If you remove /etc/umc-oidc.secret then we should probably also remove the OAuth2/OIDC client in Keycloak.

> * Where can I look, if I assume problems?

IIRC PAM and slapd SASL stuff gets logged in auth.log and maybe syslog. Not sure if journalctl covers both.

IMHO logout behavior is an interesting point to document. Maybe also how to handle Keycloak signing key rotation. I took care that the PAM+SASL plugin can handle key selection via `kid` in assertions, but still the jwks needs to be downloaded again in case something is changed about the signing keys in Keycloak.
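The key-rotation handling described in the comment above (select the signing key by the token's `kid`, re-download the JWKS once when the `kid` is unknown), as an added Python example that is not the PAM/SASL plugin's own code; the JWKS documents, the token and the `fetch` callback are constructed, and verifying the signature with the selected key is left to a JWT library.

```python
import base64
import json

# Constructed JWKS documents: what Keycloak's certs endpoint would serve before and
# after a signing-key rotation ("n" is a placeholder, not a real RSA modulus).
RSA_KEY = {"kty": "RSA", "alg": "RS256", "use": "sig", "n": "PLACEHOLDER", "e": "AQAB"}
JWKS_BEFORE = {"keys": [dict(RSA_KEY, kid="old-key")]}
JWKS_AFTER = {"keys": [dict(RSA_KEY, kid="old-key"), dict(RSA_KEY, kid="new-key")]}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_header(token: str) -> dict:
    # Decode only the JOSE header; the signature is checked later, with the chosen key.
    segment = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def make_token(kid: str, alg: str = "RS256") -> str:
    # Constructed JWT with a dummy signature: only its header is inspected here.
    header = b64url(json.dumps({"alg": alg, "kid": kid}).encode())
    return f"{header}.{b64url(b'{}')}.{b64url(b'dummy-signature')}"

class JwksKeyStore:
    """Caches the JWKS and re-downloads it once when a token names an unknown kid."""
    def __init__(self, fetch):
        self._fetch = fetch  # e.g. an HTTPS GET of the realm's certs endpoint
        self.downloads = 0
        self.reload()

    def reload(self):
        self.downloads += 1
        self._keys = {k["kid"]: k for k in self._fetch()["keys"] if k.get("use", "sig") == "sig"}

    def key_for(self, token: str) -> dict:
        header = jwt_header(token)
        kid, alg = header.get("kid"), header.get("alg")
        if kid not in self._keys:  # rotated key: refresh the JWKS exactly once
            self.reload()
        key = self._keys.get(kid)
        if key is None:
            raise KeyError(f"no signing key with kid {kid!r} even after JWKS refresh")
        if key.get("alg", alg) != alg:  # reject alg confusion between token and key
            raise ValueError(f"token alg {alg!r} does not match key alg {key['alg']!r}")
        return key

def simulate_rotation():
    # First download sees only old-key; every later download sees the rotated set.
    served = [JWKS_BEFORE, JWKS_AFTER]
    store = JwksKeyStore(lambda: served.pop(0) if len(served) > 1 else served[0])
    return store.key_for(make_token("new-key"))["kid"], store.downloads
```

A token with a `kid` that is still unknown after the refresh is rejected rather than triggering further downloads, so a flood of bogus tokens cannot turn the verifier into a request generator against Keycloak.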
I missed the discussion going on here. I already merged the changes, see

13f281641b | docs(manual): Rework UMC login section
ca35139985 | doc(manual): Add single sign-on to UMC through OIDC
10a897cf3c | doc(manual): Add German translation

If you see a need to update the documentation content, please clone the bug.
Content is published to

EN: https://docs.software-univention.de/manual/5.0/en/central-management-umc/login.html
DE: https://docs.software-univention.de/manual/5.0/de/central-management-umc/login.html
(In reply to Arvid Requate from comment #5)
> If you remove /etc/umc-oidc.secret then we should probably also remove the
> OAuth2/OIDC client in Keycloak.

I suggested it at the MR, so that it is now part of it.