QA: Is Keycloak Required for the Upgrade to UCS 5.2?

Question:

Is Keycloak required for the upgrade to UCS 5.2, and does the migration from SimpleSAMLphp have to be performed?


Answer:

Starting with UCS 5.2, Keycloak becomes the default single sign-on (SSO) identity provider, replacing SimpleSAMLphp. During the upgrade to UCS 5.2, all packages related to SimpleSAMLphp and univention-saml are removed.
For details, see the related article:
Problem: UCS 5.2 – All PHP packages are removed since the upgrade


Important Note

If your environment does not use Single Sign-On (SSO), Keycloak does not need to be installed, configured, or migrated in order to successfully perform the upgrade to UCS 5.2.

In other words:

  • If SSO is used: Migration from SimpleSAMLphp (and OpenID Connect Provider, if applicable) to Keycloak is mandatory before upgrading.
  • If SSO is not used: You don’t have to install Keycloak in the environment.

Official Reference: Keycloak Migration Guide

Keycloak Migration Guide

Excerpt from the documentation:

Starting with UCS 5.2 the Keycloak app replaces the apps SimpleSAMLphp and OpenID Connect Provider as the default identity providers in UCS. The reason for this change is that Keycloak has many advantages in terms of features, configurability, and maintainability over the alternatives, for example, Keycloak provides OIDC and SAML endpoints in one component.

Warning: Migration from SimpleSAMLphp to Keycloak is mandatory before upgrading from UCS 5.0 to UCS 5.2.
If you use single sign-on for authentication in your UCS domain, migrate all services to use Keycloak as IdP and complete the migration before the upgrade.
If you are certain that SSO isn’t used, you can skip the migration and proceed with the UCS 5.2 update preparation steps.


Pre-Upgrade Checks

During the UCS 5.2 upgrade, a pre-update check script is automatically executed:
UCS 5.2 Release Notes – Script to check for known update issues

This script includes a Keycloak migration check, which only serves as a preparation step for potential Keycloak installation. It does not enforce Keycloak migration.

However, you must still follow the preparation steps described here:
Prepare for the update to UCS 5.2


Summary

| Scenario | Keycloak Migration Required? | Notes |
|---|---|---|
| SSO in use (SimpleSAMLphp, OIDC) | Yes | Must migrate to Keycloak before upgrading |
| No SSO in use | No | Skip migration, follow pre-update preparation steps only |