HowTo migrate OX SSO to Keycloak

How to migrate an already SSO-enabled Open-Xchange (OX App Suite on UCS) to Keycloak.

1. Creating a new client in Keycloak

Create the client in the Keycloak Admin Console (client type OpenID Connect) with the settings below. The hostnames are examples; the URIs registered here must match the ones configured on the OX side in step 2 exactly, otherwise Keycloak rejects the redirect:

Root URL: https://webmail.example.org/ (adjust accordingly)
Home URL: https://webmail.example.org/appsuite/
Valid redirect URIs: https://webmail.example.org/appsuite/api/oidc/auth
Web Origins: “*” (allows CORS requests from any origin; the OX origin, https://webmail.example.org, is the tighter setting)
“Capability Config”:
– Client Authentication: On (confidential client; OX authenticates with the client secret)
– Authorization: was On in the original setup, but it only enables Keycloak Authorization Services, which the OX OIDC login does not use, so Off is sufficient
– Standard Flow: On (the authorization code flow OX uses). “Direct access grants” was also enabled originally; it lets a client exchange a username and password directly for tokens (resource owner password credentials, bypassing any browser-side MFA) and is not needed for the browser login, so leave it Off unless something else requires it
Logout Settings:
– Front channel logout: Off
– Backchannel logout session required: On
– Backchannel logout revoke offline sessions: On (OX requests the offline_access scope in step 2, so offline sessions exist and should end with the logout)
– Backchannel logout URL: https://ucs-ox.schein.ox/
After saving the client, copy the “Client Secret” from the client’s “Credentials” tab; it is needed for the OX configuration below.

2. Steps for OX:

Configure the IMAP master-user login for the mailboxes (if OX was already switched to ucs-sso, this is probably in place). After an SSO login OX does not know the user's IMAP password, so it authenticates to Dovecot with the master password on the user's behalf:

# Take the master password from Dovecot's master-users file (format user:{PLAIN}password;
# assumes a single entry) and store it in a file only root can read. The umask creates
# the file with mode 0600 from the start instead of chmod'ing after the secret is on disk.
p="$(sed -e 's|.*{PLAIN}||;s|:.*||' /etc/dovecot/master-users)"

( umask 077 && printf '%s' "$p" > /etc/dovecot-master.secret )
chmod 600 /etc/dovecot-master.secret   # in case the file already existed with wider permissions

ucr set ox/cfg/mailfilter.properties/com.openexchange.mail.filter.masterPassword="@&@/etc/dovecot-master.secret@&@" \
   ox/cfg/mail.properties/com.openexchange.mail.masterPassword="@&@/etc/dovecot-master.secret@&@"

Make OX use the global mail server and the master credentials for IMAP and for the mail filter (Sieve), and disable the session autologin:

ucr set ox/cfg/mailfilter.properties/com.openexchange.mail.filter.loginType='global' \
ox/cfg/mailfilter.properties/com.openexchange.mail.filter.passwordSource='global' \
ox/cfg/mail.properties/com.openexchange.mail.mailServerSource='global' \
ox/cfg/mail.properties/com.openexchange.mail.passwordSource='global' \
ox/cfg/sessiond.properties/com.openexchange.sessiond.autologin='false'

Tell Dovecot's ACL plugin to evaluate ACLs for the mailbox owner (%u) even when the login happened through the master user. The heredoc appends to the file, so the guard skips it if the setting is already there:

grep -qs 'acl_user' /etc/dovecot/conf.d/91-acl_user.conf || cat <<_EOT_ACL_ >>/etc/dovecot/conf.d/91-acl_user.conf
plugin {
 acl_user = %u
}
_EOT_ACL_

Restarting services

Dovecot has to be restarted now; OX is restarted at the end of this section, once the OIDC settings are in place. The commands return quickly, but the OX restart keeps running in the background and can take a while depending on the system.

/etc/init.d/dovecot restart

Adjusting /opt/open-xchange/etc/as-config.yml

Enable the OIDC login in the App Suite UI configuration (YAML, so the indentation matters):

default:
  host: all
  oidcLogin: true

Set shell variables for the following configuration. The client must already exist in Keycloak. The OP's endpoints are published in the realm's discovery document, which you can fetch with:

curl https://ucs-sso-ng.example.org/realms/ucs/.well-known/openid-configuration

Issuer="https://ucs-sso-ng.example.org/realms/ucs"
clientId="openxchange" # name of the client in the Keycloak configuration
clientSecret="************************************" # the secret generated by Keycloak (Credentials tab)
userInfoEndpoint="https://ucs-sso-ng.example.org/realms/ucs/protocol/openid-connect/userinfo"
authEndpoint="https://ucs-sso-ng.example.org/realms/ucs/protocol/openid-connect/auth"
tokenEndpoint="https://ucs-sso-ng.example.org/realms/ucs/protocol/openid-connect/token"
jwkSetEndpoint="https://ucs-sso-ng.example.org/realms/ucs/protocol/openid-connect/certs"

The redirect URIs belong to the OX side (the relying party) and must match the Valid redirect URIs and the backchannel logout URL registered in the Keycloak client (adjust the host to your OX installation):

redirectURI="https://ucs-ox.schein.ox/appsuite/api/oidc/auth"
RedirectURILogout="https://ucs-ox.schein.ox/"
RedirectURIPostSSOLogout="https://ucs-ox.schein.ox/"

Set the ucr variables for the OX OIDC settings

Create the properties file if it does not exist yet:
touch /opt/open-xchange/etc/openid.properties

Set the ucr variables for the OX configuration (one command; the variable names must be the ones defined above):

ucr set \
  ox/cfg/authplugin.properties/com.openexchange.authentication.ucs.searchFilter='(&(objectClass=oxUserObject)(|(uid=%s)(mailPrimaryAddress=%s)))' \
  ox/cfg/sessiond.properties/com.openexchange.sessiond.autologin=false \
  ox/cfg/openid.properties/com.openexchange.oidc.enabled=true \
  ox/cfg/openid.properties/com.openexchange.oidc.ucs.enabled=true \
  ox/cfg/openid.properties/com.openexchange.oidc.startDefaultBackend=false \
  ox/cfg/openid.properties/com.openexchange.oidc.clientId="$clientId" \
  ox/cfg/openid.properties/com.openexchange.oidc.clientSecret="$clientSecret" \
  ox/cfg/openid.properties/com.openexchange.oidc.opIssuer="$Issuer" \
  ox/cfg/openid.properties/com.openexchange.oidc.ucs.userInfoEndpoint="$userInfoEndpoint" \
  ox/cfg/openid.properties/com.openexchange.oidc.opAuthorizationEndpoint="$authEndpoint" \
  ox/cfg/openid.properties/com.openexchange.oidc.opTokenEndpoint="$tokenEndpoint" \
  ox/cfg/openid.properties/com.openexchange.oidc.opJwkSetEndpoint="$jwkSetEndpoint" \
  ox/cfg/openid.properties/com.openexchange.oidc.jwsAlgorithm=RS256 \
  ox/cfg/openid.properties/com.openexchange.oidc.scope="email;openid;profile;offline_access" \
  ox/cfg/openid.properties/com.openexchange.oidc.userLookupClaim=email \
  ox/cfg/openid.properties/com.openexchange.oidc.rpRedirectURIAuth="$redirectURI" \
  ox/cfg/openid.properties/com.openexchange.oidc.rpRedirectURILogout="$RedirectURILogout" \
  ox/cfg/openid.properties/com.openexchange.oidc.rpRedirectURIPostSSOLogout="$RedirectURIPostSSOLogout"

userLookupClaim=email means OX identifies the user by the email claim of the ID token (the search filter above is applied to that value), so that claim must be unique per user and not editable by users in Keycloak, or one account could be mapped onto another user's mailbox.

Double-check the resulting ucr variables, e.g. with ucr search --brief '^ox/cfg/openid.properties/'. In particular clientId and clientSecret only get a value if the shell variables exist in the shell running ucr set and carry exactly the names used in the command; an unset variable expands to an empty value.

If everything looks fine, finally restart open-xchange to apply the new configuration:
systemctl restart open-xchange.service
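The steps above hand-copy the master password and the OP endpoints into ucr without checking them. The following script is an added example (not part of the original post, and not OX or Univention code) that covers both the master-password step and the endpoint/ucr step of this section: it reads the discovery document and the master-users entry from constructed sample strings, checks that every OP endpoint sits on the issuer's origin, that the relying-party redirect URI is https and the OX callback path, and that the OP offers RS256 for ID tokens, then prints the openid.properties ucr arguments. The hostnames, realm, client name and the two sample inputs are assumptions; the ucr keys are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original post, OX or Univention): derive the
# OX OIDC settings from the Keycloak discovery document and the Dovecot
# master-user file, and sanity-check them before they are written into ucr.
# Assumptions: hosts, realm and the two sample inputs below are placeholders.

# Constructed sample of /etc/dovecot/master-users (user:{SCHEME}password).
SAMPLE_MASTER_USERS='dovecotadmin:{PLAIN}s3cret-master-pw'

# Constructed excerpt of the realm's .well-known/openid-configuration
# (the real document carries many more keys).
SAMPLE_DISCOVERY='{"issuer":"https://ucs-sso-ng.example.org/realms/ucs","authorization_endpoint":"https://ucs-sso-ng.example.org/realms/ucs/protocol/openid-connect/auth","token_endpoint":"https://ucs-sso-ng.example.org/realms/ucs/protocol/openid-connect/token","userinfo_endpoint":"https://ucs-sso-ng.example.org/realms/ucs/protocol/openid-connect/userinfo","jwks_uri":"https://ucs-sso-ng.example.org/realms/ucs/protocol/openid-connect/certs","id_token_signing_alg_values_supported":["RS256","ES256"]}'

REDIRECT_URI='https://ucs-ox.schein.ox/appsuite/api/oidc/auth'
LOGOUT_URI='https://ucs-ox.schein.ox/'

# master_password LINE: the password part of a master-users entry
# (same sed expression as in the post, applied to a string instead of the file).
master_password() {
  printf '%s\n' "$1" | sed -e 's|.*{PLAIN}||;s|:.*||'
}

# write_secret_file PASSWORD PATH: create the file with mode 0600 from the
# start (umask in a subshell) so the secret is never briefly world-readable.
write_secret_file() {
  ( umask 077 && printf '%s' "$1" > "$2" )
}

# json_string JSON KEY: string value of a top-level key of a one-line JSON
# object; sufficient for Keycloak's discovery document.
json_string() {
  printf '%s\n' "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# origin_of URL: scheme://host[:port], used to tie every endpoint to the issuer.
origin_of() {
  printf '%s\n' "$1" | sed -e 's|^\([a-z]*://[^/]*\).*|\1|'
}

# supports_alg JSON ALG: does the OP sign ID tokens with ALG (e.g. RS256)?
supports_alg() {
  algs=$(printf '%s\n' "$1" | sed -n 's|.*"id_token_signing_alg_values_supported":\[\([^]]*\)\].*|\1|p')
  case "$algs" in *\"$2\"*) return 0 ;; esac
  return 1
}

# validate_oidc_config JSON REDIRECT_URI: 0 when the discovery document and the
# RP redirect URI are safe to write into ucr, 1 with the reason on stderr.
validate_oidc_config() {
  iss=$(json_string "$1" issuer)
  case "$iss" in https://*) ;; *) echo "issuer is not https: '$iss'" >&2; return 1 ;; esac
  for key in authorization_endpoint token_endpoint userinfo_endpoint jwks_uri; do
    url=$(json_string "$1" "$key")
    [ -n "$url" ] || { echo "discovery document lacks $key" >&2; return 1; }
    [ "$(origin_of "$url")" = "$(origin_of "$iss")" ] \
      || { echo "$key is not on the issuer's origin: $url" >&2; return 1; }
  done
  # The RP side must be the OX OIDC callback over https and must match the
  # Valid redirect URI registered in the Keycloak client.
  case "$2" in https://*/appsuite/api/oidc/auth) ;;
    *) echo "redirect URI must be https://<ox-host>/appsuite/api/oidc/auth: $2" >&2; return 1 ;;
  esac
  supports_alg "$1" RS256 || { echo "OP does not offer RS256 for ID tokens" >&2; return 1; }
  return 0
}

# oidc_ucr_args JSON CLIENT_ID CLIENT_SECRET REDIRECT_URI LOGOUT_URI:
# one key=value per line, ready to be passed to `ucr set`.
oidc_ucr_args() {
  p=ox/cfg/openid.properties/com.openexchange.oidc
  printf '%s\n' \
    "$p.enabled=true" \
    "$p.ucs.enabled=true" \
    "$p.startDefaultBackend=false" \
    "$p.clientId=$2" \
    "$p.clientSecret=$3" \
    "$p.opIssuer=$(json_string "$1" issuer)" \
    "$p.opAuthorizationEndpoint=$(json_string "$1" authorization_endpoint)" \
    "$p.opTokenEndpoint=$(json_string "$1" token_endpoint)" \
    "$p.ucs.userInfoEndpoint=$(json_string "$1" userinfo_endpoint)" \
    "$p.opJwkSetEndpoint=$(json_string "$1" jwks_uri)" \
    "$p.jwsAlgorithm=RS256" \
    "$p.scope=email;openid;profile;offline_access" \
    "$p.userLookupClaim=email" \
    "$p.rpRedirectURIAuth=$4" \
    "$p.rpRedirectURILogout=$5" \
    "$p.rpRedirectURIPostSSOLogout=$5"
}

# Stand-alone run: validate the sample and print the arguments ucr would get.
if validate_oidc_config "$SAMPLE_DISCOVERY" "$REDIRECT_URI"; then
  oidc_ucr_args "$SAMPLE_DISCOVERY" openxchange REPLACE_WITH_CLIENT_SECRET \
    "$REDIRECT_URI" "$LOGOUT_URI"
fi
```

On a real UCS host, replace SAMPLE_DISCOVERY with the output of the curl command above and SAMPLE_MASTER_USERS with the line from /etc/dovecot/master-users; the printed lines can then go straight into `ucr set` (for example via `oidc_ucr_args ... | xargs ucr set`). The searchFilter and autologin keys from the long command above are not generated here and still have to be set as shown.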

3. OX-Connector:

This may not be necessary if OX was already SSO-enabled. The connector provisions each user's IMAP login in Dovecot's master-user form (user*masteruser); `{}` is the placeholder the connector replaces with the user name:

univention-app configure ox-connector --set OX_IMAP_LOGIN='{}*dovecotadmin'

Kudos to Michael Ulrich for the provided script:
write-openid-config-to-ox.sh

see also:

https://oxpedia.org/wiki/index.php?title=AppSuite:UCS_OIDC_SSO_with_OX_App_Suite