Bug 57062 - Describe how to use OpenID Connect to sign in to UMC
Status: CLOSED FIXED
Product: UCS manual
Classification: Unclassified
Component: UMC
Version: unspecified
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-6
Assigned To: Nico Gulden
Florian Best
https://git.knut.univention.de/univen...
Reported: 2024-02-15 11:40 CET by Nico Gulden
Modified: 2024-02-16 12:02 CET
What kind of report is it?: Feature Request
Description Nico Gulden univentionstaff 2024-02-15 11:40:01 CET
Bug #49006 introduced OpenID Connect authentication for UMC. The feature is deactivated by default. Activating it isn't covered by support yet. The functionality doesn't have any documentation. This issue is about adding the documentation to the UCS manual.
Comment 2 Nico Gulden univentionstaff 2024-02-15 11:41:39 CET
* What is OIDC in UMC?

  OpenID Connect (OIDC) for UMC offers single sign-on to UMC through Keycloak as an alternative to SAML. OIDC is a more lightweight protocol than SAML.

  *That's a quite technical explanation. Can we come up with a less technical benefit, why the yet unsupported OIDC may be a good choice over the supported SAML integration?*

* What can I use it for as an admin?

  To the administrator there isn't much difference between SAML and OIDC. It's of more importance to software developers. There is a session within Keycloak and for the session it isn't important whether it uses SAML or OIDC.

* What requirements do I need to fulfill to use it?

  UCS 5.0-6 latest errata (https://errata.software-univention.de/#/?erratum=5.0x947) and Keycloak app installed.
  
* How do I activate it?

  ```
  univention-app install keycloak
  ucr set umc/web/oidc/enabled=true
  univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst
  ```

* How do I deactivate it?

  ```
  ucr unset umc/web/oidc/enabled
  ```

  `ucr unset` all variables found by `ucr search --brief --key ^umc/oidc` and `ucr search --brief --key ^ldap/server/sasl/oauthbearer`.

  ```
  rm -f /etc/umc-oidc.secret
  systemctl restart slapd.service univention-management-console
  ```

* How can I verify if it works?

  `firefox https://FQDN/univention/oidc/`, then log in, then open a UDM module such as Users in UMC and run a search in it.

* Where can I look if I suspect problems?

  `/var/log/univention/management-console.server.log` and `journalctl -u slapd.service`

* What limitations are known?

  No auth-mode can be set in the portal. You would have to customize login links of portal tiles yourself so that they point to `/univention/oidc/` instead of `/univention/login/` or `/univention/saml/`.

* Support

  The feature isn't covered by Univention support service.
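The deactivation answer above describes the `ucr unset` step only in prose. As an added example (not part of the bug report or the UCS manual), the following script turns those steps into a reviewable plan: it extracts the key names from `ucr search --brief` output, keeps only keys under the two prefixes `umc/oidc/` and `ldap/server/sasl/oauthbearer/` (stricter than the `^umc/oidc` regex, so an unrelated key sharing the prefix text is not touched), and prints the commands before anything is unset or the shared secret is deleted. The UCR key names in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the bug or the UCS manual. Assumes the
# "key: value" line format of `ucr search --brief`; key names in the
# test are constructed.

# Read `ucr search --brief` output on stdin and print only the keys that
# sit under the two prefixes the deactivation is meant to clear.
oidc_ucr_keys() {
    sed -n -e 's#^\(umc/oidc/[^: ]*\):.*#\1#p' \
           -e 's#^\(ldap/server/sasl/oauthbearer/[^: ]*\):.*#\1#p'
}

# Print a command when DRY_RUN is 1 (the default), execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Emit (or run) the deactivation steps from comment 2. The search output
# is read on stdin so the plan can be reviewed before DRY_RUN=0 is used.
umc_oidc_deactivate() {
    keys=$(oidc_ucr_keys)
    # word splitting of $keys is intended: one argument per key
    run ucr unset umc/web/oidc/enabled $keys
    run rm -f /etc/umc-oidc.secret
    run systemctl restart slapd.service univention-management-console
}

# On a UCS host: collect the live search output and print the plan.
# { ucr search --brief --key ^umc/oidc;
#   ucr search --brief --key ^ldap/server/sasl/oauthbearer; } | umc_oidc_deactivate
```

Run the plan with `DRY_RUN=0` only after checking that every listed key belongs to the OIDC setup.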
Comment 3 Erik Damrose univentionstaff 2024-02-15 12:54:38 CET
(In reply to Nico Gulden from comment #2)
> * What limitations are known?
> 
>   No auth-mode can be set in the portal. You would have to customize login
> links of portal tiles yourself so that they point to `/univention/oidc/`
> instead to `/univention/login/` or `/univention/saml/`.

Is there any change to the behavior of UCR portal/auth-mode, does it support OIDC? Currently, 'ucs' and 'saml' are the only documented valid values.
Comment 4 Florian Best univentionstaff 2024-02-15 13:32:05 CET
(In reply to Erik Damrose from comment #3)
> (In reply to Nico Gulden from comment #2)
> > * What limitations are known?
> > 
> >   No auth-mode can be set in the portal. You would have to customize login
> > links of portal tiles yourself so that they point to `/univention/oidc/`
> > instead to `/univention/login/` or `/univention/saml/`.
> 
> Is there any change to the behavior of UCR portal/auth-mode, does it support
> OIDC? Currently, 'ucs' and 'saml' are the only documented valid values

The Portal works with OIDC with any authMode except for the login button, which points to different links. That's the only thing the authMode is used for.

We can easily add it in the product, it's 2 additional lines and then full support for portal/auth-mode=oidc exists in the portal:

diff --git management/univention-portal/frontend/src/jsHelper/login.ts management/univention-portal/frontend/src/jsHelper/login.ts
index d766b4f971..0f10ad7b74 100644
--- management/univention-portal/frontend/src/jsHelper/login.ts
+++ management/univention-portal/frontend/src/jsHelper/login.ts
@@ -34,6 +34,8 @@ import { User } from '@/store/modules/user/user.models';
 function login(user: User): void {
   if (user.authMode === 'saml') {
     window.location.href = `/univention/saml/?location=${window.location.pathname}`;
+  } else if (user.authMode === 'oidc') {
+    window.location.href = `/univention/oidc/?location=${window.location.pathname}`;
   } else {
     window.location.href = `/univention/login/?location=${window.location.pathname}`;
   }
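Review bot: the new `oidc` branch interpolates `window.location.pathname` into the `location` query parameter unencoded, copying the pattern of the `saml` and fallback branches; a pathname containing `?`, `&` or `#` would break the redirect target, so consider `encodeURIComponent(window.location.pathname)` in all three branches while touching this function. Since the change introduces `'oidc'` as a third accepted value of `authMode`, the documented valid values of UCR `portal/auth-mode` (currently `'ucs'` and `'saml'`, per comment 3) should be updated in the same change.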


Maybe it makes sense to just do this instead of documenting the limitation?!
Comment 5 Arvid Requate univentionstaff 2024-02-15 18:41:41 CET
> There is a session within Keycloak and for the session it isn't important whether it uses SAML or OIDC.

That's the least interesting aspect of single sign on, it's an implementation detail of Keycloak.
More interesting are protocol behaviors like session refresh, SLO (frontend, backend) etc. But also less
easy to explain. I'd say it's beyond the scope of our manual to discuss the pros and cons.

> How do I deactivate it?

If you remove /etc/umc-oidc.secret then we should probably also remove the OAuth2/OIDC client in Keycloak.

> * Where can I look, if I assume problems?

IIRC PAM and slapd SASL stuff gets logged in auth.log and maybe syslog. Not sure if journalctl covers both.

IMHO logout behavior is an interesting point to document.

Maybe also how to handle Keycloak signing key rotation. I took care that the PAM+SASL plugin can handle key selection via `kid` in assertions, but still the jwks needs to be downloaded again in case something is changed about the signing keys in Keycloak.
Comment 6 Nico Gulden univentionstaff 2024-02-16 11:49:41 CET
I missed the discussion going on here. I already merged the changes, see

13f281641b | docs(manual): Rework UMC login section
ca35139985 | doc(manual): Add single sign-on to UMC through OIDC
10a897cf3c | doc(manual): Add German translation

If you see a need to update the documentation content, please clone the bug.
Comment 8 Florian Best univentionstaff 2024-02-16 12:02:02 CET
(In reply to Arvid Requate from comment #5)
> If you remove /etc/umc-oidc.secret then we should probably also remove the
> OAuth2/OIDC client in Keycloak.

I suggested it at the MR, so that it is now part of it.