Q&A: Who is the ucs-sso user

Question:

Who is the ucs-sso user?
What is this user used for?
Which password is set?
Can ‘/bin/bash’ as the user's login shell be removed or replaced by ‘/usr/sbin/nologin’?

Answer:

The ucs-sso user is a system user account. It is needed for SAML via Kerberos, so that the SAML Identity Provider can use Kerberos. The user gets a long random password, which is stored in /etc/simplesamlphp/ucs-sso-kerberos.secret. This password is then used to create a Kerberos keytab in /etc/simplesamlphp.keytab.
Since the account will probably never log in interactively, you can change the login shell.
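
A read-only check an administrator could run on the server, added here as an example and not part of Univention's own tooling: it reports whether ucs-sso still has an interactive login shell and whether the secret and keytab named above are accessible to other users. The function names, the pass/fail policy, and the use of getent and GNU stat are assumptions.

```shell
#!/bin/sh
# Added example: read-only audit of the ucs-sso account.
# Account name and paths are from the answer above; the policy checked
# (non-interactive shell, no permissions for "other") is an assumption.
SECRET=/etc/simplesamlphp/ucs-sso-kerberos.secret
KEYTAB=/etc/simplesamlphp.keytab

# Print the login shell (7th field) of a passwd-format line.
login_shell_of() {
    printf '%s\n' "$1" | cut -d: -f7
}

# Succeed if the shell permits an interactive login.
# An empty field counts as interactive (the system default shell applies).
is_interactive_shell() {
    case "$1" in */nologin|*/false) return 1 ;; esac
    return 0
}

# Return 0 if the file grants nothing to "other", 1 if it does,
# 2 if it cannot be examined. Relies on GNU stat (-c).
not_world_accessible() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$mode" in *0) return 0 ;; esac
    return 1
}

# Run all checks; the return value is the number of findings.
audit_ucs_sso() {
    findings=0
    entry=$(getent passwd ucs-sso 2>/dev/null)
    shell=$(login_shell_of "$entry")
    if [ -z "$entry" ]; then
        echo "INFO: ucs-sso not found via getent"
    elif is_interactive_shell "$shell"; then
        echo "FINDING: ucs-sso has interactive login shell '$shell'"
        findings=$((findings + 1))
    fi
    for f in "$SECRET" "$KEYTAB"; do
        not_world_accessible "$f"
        case $? in
            0) echo "OK: $f is not accessible to other users" ;;
            1) echo "FINDING: $f is accessible to other users"; findings=$((findings + 1)) ;;
            *) echo "INFO: $f is missing or cannot be examined" ;;
        esac
    done
    return "$findings"
}

audit_ucs_sso || echo "ucs-sso audit: $? finding(s)"
```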
