[SOLVED] SSO for UCS portals

So it seems I’ve enabled Keycloak and I can use it to sign in to the UCS portal and services like Nextcloud.

However, something annoying is happening.

  • server1 - UCS domain controller
  • server2 - UCS backup dc

If I visit https://server1.domain/univention/portal/#/ and sign in, I’m automatically signed in to Nextcloud and Keycloak management. The same happens if I log in to the other server by visiting https://server2.domain/univention/portal/#/

Thing is, I need to sign in with a username and password to the other server. Why? Why doesn’t it happen with SSO, just like for Nextcloud or Keycloak?

Could this be caused by saml/idp/entityID being set to https://ucs-sso.domain/simplesamlphp/saml2/idp/metadata.php?

Ok, I think I got it…

UCR has the variable portal/auth-mode, set to ucs by default. Change it to saml and your portal will use Keycloak and SSO.

This, however, is not mentioned in the Keycloak migration. Are there any downsides to having the portal behind SSO?

I think the normal login is still available under https://server1.domain/univention/login/

Moin,

there should be no downsides; instead, I encourage you to switch to SSO wherever possible. :slight_smile: The whole topic is documented here if you want to read into it: 4.2. Login — Univention Corporate Server - Manual for users and administrators

Regards
Jan-Luca