Hi,
We have the latest UCS version “5.2-1 errata82” and Keycloak 26.1.4.-ucs2 installed.
We have done the configuration according to the documentation:
https://docs.software-univention.de/keycloak-app/latest/configuration.html#use-keycloak-for-login-to-univention-portal
The portal icon for the UCS login is disabled, only the SSO login is enabled.
For domain admins we want to enforce 2FA, and it is configured as described in the documentation:
https://docs.software-univention.de/keycloak-app/latest/configuration.html#use-keycloak-for-login-to-univention-portal
Everything works fine if the Icon “Single Sign On” is used.
But if the burger on the right side and the “login button” are used, it results in a normal UCS portal login without MFA.
So it means that the SSO Keycloak login is not enforced and the user is able to skip MFA.
Is there something missing in my configuration?
IMHO the burger must also use the SSO URL (Keycloak), and the portal login URL must be blocked on the server side if Keycloak is active.
At the moment this would be a security hole… and makes MFA senseless…
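One way to audit a portal page for exactly the problem described above: collect every link and form target, keep the ones that look like login entry points, and flag any that do not resolve to the Keycloak host. This is an added example, not code from the original post or from Univention/UCS. The host names, the endpoint paths and the HTML snippet are all constructed placeholders, not real UCS markup; only the approach (every login target must land on the SSO host) is what the post argues for.

```python
"""Flag login entry points on a portal page that bypass the Keycloak SSO host.

Added example, not code from the original post or from UCS/Keycloak. The
hosts, paths and page markup below are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SSO_HOST = "ucs-sso-ng.example.com"        # assumed Keycloak host (placeholder)
PORTAL_URL = "https://portal.example.com/"  # assumed portal origin (placeholder)

# Constructed sample page: the SSO tile goes to Keycloak, the burger-menu
# login link and a login form go to the portal host itself.
SAMPLE_HTML = """
<html><body>
  <a id="sso-tile"
     href="https://ucs-sso-ng.example.com/realms/ucs/protocol/openid-connect/auth?client_id=portal">
     Single Sign On</a>
  <nav class="burger">
    <a id="menu-login" href="/univention/login/?location=/univention/portal/">Login</a>
  </nav>
  <form action="/univention/auth" method="post"><input name="username"></form>
  <a href="/univention/portal/#about">About</a>
</body></html>
"""


class LoginTargetCollector(HTMLParser):
    """Collect every <a href="..."> and <form action="..."> on the page."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.targets.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.targets.append(a["action"])


def looks_like_login(url):
    """Heuristic: the path mentions 'login' or 'auth' (case-insensitive)."""
    path = urlsplit(url).path.lower()
    return "login" in path or "auth" in path


def find_sso_bypasses(html, portal_url=PORTAL_URL, sso_host=SSO_HOST):
    """Return absolute login targets whose host is not the SSO host.

    Relative targets are resolved against the portal origin so that a
    link like /univention/login/ is correctly attributed to the portal host.
    """
    collector = LoginTargetCollector()
    collector.feed(html)
    bypasses = []
    for target in collector.targets:
        absolute = urljoin(portal_url, target)
        if looks_like_login(absolute) and urlsplit(absolute).hostname != sso_host:
            bypasses.append(absolute)
    return bypasses


if __name__ == "__main__":
    for url in find_sso_bypasses(SAMPLE_HTML):
        print("login target bypassing SSO host:", url)
```

On the constructed sample this reports the burger-menu login link and the local login form, while the Keycloak tile passes because it resolves to the SSO host. Run against a real page, an empty result only shows that the page exposes no non-SSO login link; whether the server still answers the login endpoint directly is a separate check.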