Hello,
I noticed that when navigating directly to the /univention/management web portal, login still goes directly through UCS instead of Keycloak. Is this intended, and can this be configured somewhere? We have configured MFA for admins and would like to only allow admin login with MFA.
Thank you & Best
For anyone interested, I found the issue: the iframe didn't load properly, and therefore the login fell back to /univention/login.
I had to set
ucr set keycloak/csp/frame-ancestors="https://ucs.ourdomain.com https://*.ucs.ourdomain.com"
Then I restarted apache2, and it worked and loaded properly.
The legacy login still lives at /univention/login and /univention/auth. Is there any way we can block users from logging in without Keycloak? I guess some Apache-level redirect or so could work?