Hi all,
We’ve enabled Keycloak SAML SSO for UMC and MFA works when users go through the portal. However, direct access to /univention/management/ still ends up at /univention/login (username/password).
From a network trace, UMC first does a passive SAML check via /univention/saml/iframe/, Keycloak returns NoPassive,
and then UMC falls back to /univention/login. This seems expected for IsPassive=true, but it means users can still
bypass Keycloak/MFA with the local login.
Questions:
- Is there an official way (UCR variable?) to force interactive SAML for /univention/management and /univention/login, instead of falling back?
- Is the intended approach to add an Apache redirect for browser traffic to /univention/saml/?location=…?
- Is there a supported way to disable the password login UI while keeping /univention/login working for API/service-to-service auth?
Our current UCR values:
- umc/web/sso/enabled=true
- umc/saml/idp-server=https://ucs-sso-ng./realms/ucs/protocol/saml/descriptor
- umc/saml/sp-server=
Any guidance or best practices would be appreciated.
Thank you & Best Regards
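As an added example (not part of the original post or of UCS), a small check a defender could run over UMC's Apache access log to spot the flow described above: clients that hit the passive /univention/saml/iframe/ check and then land on /univention/login, versus clients that call /univention/login directly. The sample log lines, client IPs and the 30-second window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format access log lines (not taken from the original post).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jun/2024:10:00:01 +0000] "GET /univention/saml/iframe/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jun/2024:10:00:02 +0000] "GET /univention/login/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Jun/2024:10:01:01 +0000] "GET /univention/saml/iframe/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Jun/2024:10:01:03 +0000] "GET /univention/saml/?location=/univention/management/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.30 - - [10/Jun/2024:10:02:00 +0000] "GET /univention/login/ HTTP/1.1" 200 2048 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
IFRAME_PATH = "/univention/saml/iframe/"   # passive (IsPassive=true) SAML check
LOCAL_LOGIN_PATH = "/univention/login"     # local username/password login

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def classify_local_logins(log_text, window=timedelta(seconds=30)):
    """Return {'fallback': [...], 'direct': [...]} of client IPs.
    'fallback': passive iframe check followed by /univention/login within `window`
    (the NoPassive -> local login fallback). 'direct': /univention/login with no
    preceding passive check (e.g. a non-browser client). Sorted, de-duplicated."""
    last_iframe, hits = {}, defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]      # drop query string
        if path == IFRAME_PATH:
            last_iframe[rec["ip"]] = rec["ts"]
        elif path.rstrip("/") == LOCAL_LOGIN_PATH:
            seen = last_iframe.get(rec["ip"])
            if seen is not None and rec["ts"] - seen <= window:
                hits["fallback"].add(rec["ip"])
            else:
                hits["direct"].add(rec["ip"])
    return {k: sorted(hits[k]) for k in ("fallback", "direct")}
```

Clients that went on to /univention/saml/ (here 192.0.2.20) are not reported, so the output isolates the sessions that ended on the local password form.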