Keycloak compatibility needed for UCS 5.2 #204

Open
blizzz opened this issue Jan 29, 2025 · 6 comments

blizzz commented Jan 29, 2025

As received from Univention:

Currently, the app uses an SSO configuration which configures only SimpleSAMLPHP. So the App will not work on UCS 5.2, as there is only Keycloak available.

You should change to the "univention-keycloak" script which wraps everything needed to configure the IDP. Examples are available in the documentation:

https://docs.software-univention.de/keycloak-app/latest/configuration.html#keycloak-as-openid-connect-provider

You should not try to migrate existing deployments from SimpleSAMLPHP to Keycloak. We address this topic in the Release Notes of UCS 5.2, it is a pre-requisite of an upgrade to UCS 5.2 to migrate all services.

We will block the Nextcloud App for UCS 5.2 until the change has been done, as I assume that the current App will throw errors on UCS 5.2.

@blizzz blizzz added the bug label Jan 29, 2025

blizzz commented Jan 31, 2025

And SimpleSAMLPHP should be kept as long as 5.0 is supported:

as SimpleSAMLPHP is still the default in UCS 5.0, I'd suggest to keep it as long as you provide App Updates for UCS 5.0.

We [author's note: Univention] will maintain UCS 5.0 for at least one year after the release of 5.2, which means UCS 5.0 will be maintained until ~February 2026. You might be able to deprecate the Nextcloud App for UCS 5.0 earlier, depends on how fast customers migrate to UCS 5.2.

ITarrant commented Feb 8, 2025

Any idea when Keycloak will be supported?

blizzz commented Feb 10, 2025

No ETA, but we are aware it is blocking Nextcloud on UCS 5.2

@spaceone

Is the SAML replacement the only blocking thing?
Then it should be just a few lines of code in the inst file in the function nextcloud_configure_saml to use univention-keycloak commands instead of udm. The old logic can be kept with a check for ucr shell version/version comparing $version_version lower than 5.0 (e.g. with dpkg --compare-versions) and otherwise do the stuff with univention-keycloak.

What priority does this issue have?

blizzz commented Feb 17, 2025

> Is the SAML replacement the only blocking thing?

Yes

> Then it should be just a few lines of code in the inst file in the function nextcloud_configure_saml to use univention-keycloak commands instead of udm.

That's what I think. When I hoped for a quick win, I actually had troubles upgrading the clean 5.0 instance VM to 5.2.

> The old logic can be kept with a check for ucr shell version/version comparing $version_version lower than 5.0 (e.g. with dpkg --compare-versions) and otherwise do the stuff with univention-keycloak.
>
> What priority does this issue have?

Priorities are a battlefield 🙊

@spaceone

If you install Keycloak on a UCS 5.0 system, you can already use the univention-keycloak command. I guess they are still very compatible. If that helps in the development of the new inst-functionality.
Otherwise a new UCS 5.2 installation might help as well - no need to upgrade a UCS 5.0 system.
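
The version gate suggested in the comments above, sketched as an added example (not code from the app's inst file). `select_idp_backend`, `version_lt` and `KEYCLOAK_ONLY_FROM` are hypothetical names, and the 5.2 cut-off is an assumption taken from the statement that UCS 5.2 ships only Keycloak; the caller is expected to pass the UCS version (for instance the `$version_version` value mentioned in the thread).

```shell
#!/bin/sh
# Assumption: first UCS release on which only Keycloak is available.
KEYCLOAK_ONLY_FROM="5.2"

# version_lt A B: succeed when version A sorts strictly before version B.
# Uses dpkg --compare-versions where present, otherwise GNU sort -V.
# A plain string comparison would wrongly rank 5.10 below 5.2.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] &&
            [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# select_idp_backend UCS_VERSION: print which IdP the join script should
# configure. Fails closed: an empty or malformed version selects neither
# backend, so a broken lookup cannot silently configure the wrong IdP.
select_idp_backend() {
    ucs_version=$1
    case $ucs_version in
        '' | *[!0-9.]*)
            echo "unknown"
            return 2
            ;;
    esac
    if version_lt "$ucs_version" "$KEYCLOAK_ONLY_FROM"; then
        echo "simplesamlphp"   # keep the existing udm-based logic
    else
        echo "keycloak"        # switch to univention-keycloak
    fi
}

# Constructed sample versions, not taken from a real system.
for v in 5.0 5.2 5.10; do
    printf 'UCS %s -> %s\n' "$v" "$(select_idp_backend "$v")"
done
```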
