As announced, we will introduce Keycloak as the default identity provider
(IDP) with UCS 5.2. That raises the question of how long the previous IDP
based on SimpleSAMLphp will be supported in UCS. In this article, I explain
why we have decided to link the maintenance period of SimpleSAMLphp with that
of UCS Release 5.0 and what steps are necessary for existing UCS
installations.
Key points summarized:
UCS has supported web-based single sign-on since the release of UCS 4.1 in
2015 using the SAML implementation "SimpleSAMLphp", which was later extended
to include the OpenID Connect protocol with the optional "Kopano Connect"
application. With the development of UCS 5.0 in 2022, we decided to rely on
Keycloak as our future web-based single sign-on software. Keycloak will
replace SimpleSAMLphp as the default in UCS with UCS 5.2. Since mid-2023,
Keycloak has not only been able to replace all functions of SimpleSAMLphp,
but also comes with detailed documentation for migration.
However, it was unclear how long customers would be able to use SimpleSAMLphp
with support from Univention.
SimpleSAMLphp is an integral part of UCS 5.0 and will continue to be supported
with all future patch level releases of UCS 5.0. Enterprise customers will
continue to receive support for UCS 5.0 for at least one year after the
release of the next minor release, UCS 5.2. While work on UCS 5.2 is
progressing, we currently anticipate that it will only be released during
2024. Therefore, we will continue to provide security updates and support for
UCS 5.0 to our enterprise customers throughout 2024.
However, the ongoing work on the migration and on UCS 5.2 has also shown us
that supporting both implementations at the same time will not only result in
additional work for Univention and for application vendors, but will also
limit the depth of integration and functionality of Keycloak in UCS. We have
therefore decided to discontinue support in UCS 5.2 for SimpleSAMLphp and
for Kopano Connect, which is based on it.
Nothing at first. The installed systems will continue to be supported by
Univention until at least the end of 2024, regardless of whether web single
sign-on is used at all and regardless of which implementation is used for it.
For the upgrade to the next minor release, UCS 5.2, however, it will be
necessary to replace SimpleSAMLphp and Kopano Connect with Keycloak in the
UCS domain. Mixed environments with Keycloak and active SimpleSAMLphp are
only possible as long as no system has been upgraded to UCS 5.2. We have
documented the necessary steps to migrate to Keycloak in a migration guide,
which also describes how this process can be carried out without end users
noticing.
Our recommendation is therefore:
If you have any questions about the migration, our enterprise customers can
use the support channels, and all users can visit our help forum.