SimpleSAMLphp and Kopano Konnect Deprecated – Keycloak Will Be the Only IDP in UCS 5.2

As announced, we will introduce Keycloak as the default identity provider
(IDP) with UCS 5.2. That raises the question of how long the previous IDP
based on SimpleSAMLphp will be supported in UCS. In this article, I explain
why we have decided to link the maintenance period of SimpleSAMLphp with that
of UCS Release 5.0 and what steps are necessary for existing UCS
installations.

Overview

Key points summarized:

  • Support for the "old" IDP implementation based on SimpleSAMLphp will be discontinued
  • Existing UCS installations can already switch to Keycloak as IDP today and would thus be prepared for the upcoming changes early on
  • With UCS 5.2 only Keycloak will be available as IDP
  • UCS 5.0 will continue to support the existing IDP (SimpleSAMLphp/Kopano Konnect) from Univention until at least the end of 2024

What Happened So Far

UCS has supported web-based single sign-on since the release of UCS 4.1 in
2015 using the SAML implementation "SimpleSAMLphp", which was later extended
to include the OpenID Connect protocol with the optional "Kopano Konnect"
application. With the development of UCS 5.0 in 2022, we decided to rely on
Keycloak as our future web-based single sign-on software. Keycloak will
replace SimpleSAMLphp as the default in UCS with UCS 5.2. Since mid-2023,
Keycloak has not only been able to replace all functions of SimpleSAMLphp, but
also comes with detailed documentation for migration.

However, it was unclear how long customers would be able to use SimpleSAMLphp
with support from Univention.

Maintenance for SimpleSAMLphp at least until End of 2024

SimpleSAMLphp is an integral part of UCS 5.0 and will continue to be supported
with all future patch level releases of UCS 5.0. Enterprise customers will
continue to receive support for UCS 5.0 for at least one year after the
release of the next minor release, UCS 5.2. While work on UCS 5.2 is
progressing, we currently anticipate that it will only be released during
2024. Therefore, we will continue to provide security updates and support for
UCS 5.0 to our enterprise customers throughout 2024.

However, the ongoing work on the migration and on UCS 5.2 has also shown us
that supporting both implementations at the same time will not only result in
additional work for Univention and for application vendors, but will also
limit the depth of integration and functionality of Keycloak in UCS. We have
therefore decided to discontinue support for SimpleSAMLphp and the Kopano
Konnect based on it in UCS 5.2.

What Does This Mean for Existing UCS Installations?

Nothing at first. The installed systems will continue to be supported by
Univention until at least the end of 2024, regardless of whether an
implementation is used at all and regardless of which implementation is used
for web single sign-on.

For the upgrade to the next minor release UCS 5.2, however, it will be
necessary to replace SimpleSAMLphp and
Kopano Konnect with Keycloak in the UCS domain. Mixed environments with
Keycloak and active SimpleSAMLphp are only possible as long as no system has
been upgraded to UCS 5.2. We have documented the necessary steps to migrate to
Keycloak in a migration guide, which also describes how this process can be done unnoticed by
end users.

Our recommendation is therefore:

  • If you currently use UCS with SimpleSAMLphp, please plan to migrate to Keycloak in the next few months.
  • If you are setting up new environments with UCS today, use Keycloak from the beginning to connect services via web single sign-on.

If you have any questions about the migration, our enterprise customers can
use the support channels, and all users can visit our help forum.

The post SimpleSAMLphp and Kopano Konnect Deprecated – Keycloak Will Be
the Only IDP in UCS 5.2 first appeared on Univention.

Posted by SourceForge Robot 2023-09-29
