Hi all,
I’m using the UCS-integrated Keycloak app (successfully configured here: Google Workspace SAML now uses SSO Profiles — Keycloak Client ID Setup Needs to Change)
and want to add a custom authenticator plugin, specifically the privacyidea-authenticator JAR file, to support 2FA in login flows. From here: GitHub - privacyidea/keycloak-provider: 🔒 OTP Two Factor Authentication Provider for Keycloak to run with privacyIDEA
The reason is that we migrated from SimpleSAMLphp, which was connected to privacyIDEA, and we want to keep the users' MFA tokens.
My colleague made it work by copying the JAR file into the (running) Docker container and running kc.sh build.
However, this is not a permanent solution. I understand that UCS does not support this officially; I am willing to take this under my own responsibility.
What I want is to find a way to make it somehow automated, or sort of permanent, across UCS upgrades.
I found the Docker Compose files here:
/var/lib/univention-appcenter/apps/keycloak/compose/
docker-compose.yml docker-compose.yml.run docker-compose.yml.template
I tried adding a volume mount for the file, something like this:
volumes:
  # existing mounts
  - /opt/mydir/privacyidea.jar:/opt/keycloak/providers/privacyidea.jar
But then it does not persist.
If I run univention-app configure keycloak,
the template gets reset, and changes to the other files also do not get picked up.
If I run univention-app restart keycloak,
it also does not change anything.
If I could just find a way to make this sort of permanent, I could automate it with Ansible and run it whenever it gets broken or after UCS upgrades.
Otherwise I have to do something else with Ansible: manually copy the JAR into the running container and pass commands to the running container.
Please help with advice. Thank you.
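Added example (editor's code, not part of the original post and not from Univention or privacyIDEA): a small shell script for the fallback the poster describes in the last paragraph, i.e. copy the JAR into the running container and run kc.sh build, written so Ansible can call it repeatedly without rebuilding when nothing changed. The provider path /opt/keycloak/providers comes from the post; the container name `keycloak`, the kc.sh location /opt/keycloak/bin/kc.sh and the `DOCKER` override are assumptions for illustration and should be checked against `docker ps` on the actual host.

```shell
#!/usr/bin/env bash
# Idempotent installer for a Keycloak provider JAR into a RUNNING container.
# Added example, not code from the post or the projects it links.
# Assumed (placeholders): container name "keycloak", kc.sh at
# /opt/keycloak/bin/kc.sh. Provider directory /opt/keycloak/providers is from the post.
set -u

# Container runtime command. Overridable so the script can be dry-run
# (e.g. DOCKER=echo prints the docker commands instead of running them).
DOCKER="${DOCKER:-docker}"

# sha256 of a local file; fails (return 1) when the file does not exist.
local_sha256() {
    [ -f "$1" ] || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# sha256 of a file inside the container; prints nothing when the file is absent.
# $1 = container name, $2 = path inside the container
container_sha256() {
    "$DOCKER" exec "$1" sh -c "sha256sum '$2' 2>/dev/null" | awk '{print $1}'
}

# Copy the JAR only when the copy in the container differs, then run kc.sh build.
# Returns 0 when up to date or installed, 1 when the local JAR is missing,
# 2 when docker cp fails, 3 when the build fails.
# $1 = local JAR path, $2 = container name (default: keycloak, assumed)
install_provider() {
    local jar="$1" container="${2:-keycloak}"
    local dest want have
    dest="/opt/keycloak/providers/$(basename "$jar")"
    want=$(local_sha256 "$jar") || { echo "missing local file: $jar" >&2; return 1; }
    have=$(container_sha256 "$container" "$dest")
    if [ "$want" = "$have" ]; then
        echo "up to date: $dest"
        return 0
    fi
    "$DOCKER" cp "$jar" "$container:$dest" || return 2
    # Keycloak loads providers at startup, so after the (augmented) build the
    # server still has to be restarted; that step is left to the caller.
    "$DOCKER" exec "$container" /opt/keycloak/bin/kc.sh build || return 3
    echo "installed: $dest"
}

# Usage: ./install-provider.sh /opt/mydir/privacyidea.jar [container-name]
if [ "$#" -gt 0 ]; then
    install_provider "$@"
fi
```

Two caveats that follow from the post itself: anything copied into the running container is lost as soon as the App Center recreates the container (which is exactly why the volume mount was tried), so this script only makes the manual step repeatable, it does not make it permanent; and `kc.sh build` alone does not load the provider into the already running server, so the Ansible play that calls this script should restart the app afterwards whenever the script reports "installed".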