{"id":48296424,"url":"https://github.com/univention/univention-keycloak-app","last_synced_at":"2026-04-04T23:35:18.863Z","repository":{"id":206045224,"uuid":"626879283","full_name":"univention/univention-keycloak-app","owner":"univention","description":"Mirrored Repo for the Keycloak App, for tracking the code that will be uploaded to the provider portal.","archived":false,"fork":false,"pushed_at":"2026-03-25T18:21:54.000Z","size":23681,"stargazers_count":0,"open_issues_count":3,"forks_count":4,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-03-25T22:36:56.198Z","etag":null,"topics":["keycloak","oidc","saml","univention","univention-corporate-server"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/univention.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-04-12T10:44:25.000Z","updated_at":"2026-03-25T18:21:58.000Z","dependencies_parsed_at":"2023-12-11T14:33:30.358Z","dependency_job_id":"834083e7-0507-4ab2-8e9f-b09bf9573bb0","html_url":"https://github.com/univention/univention-keycloak-app","commit_stats":null,"previous_names":["univention/univention-keycloak-app"],"tags_count":116,"template":false,"template_full_name":null,"purl":"pkg:github/univention/univention-keycloak-app","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/univention%2Funivention-keycloak-app","tags_url":"https://repos.ecosyste.ms/api/v1/host
s/GitHub/repositories/univention%2Funivention-keycloak-app/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/univention%2Funivention-keycloak-app/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/univention%2Funivention-keycloak-app/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/univention","download_url":"https://codeload.github.com/univention/univention-keycloak-app/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/univention%2Funivention-keycloak-app/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31419537,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-04T20:09:54.854Z","status":"ssl_error","status_checked_at":"2026-04-04T20:09:44.350Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["keycloak","oidc","saml","univention","univention-corporate-server"],"created_at":"2026-04-04T23:35:18.319Z","updated_at":"2026-04-04T23:35:18.854Z","avatar_url":"https://github.com/univention.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"_[TOC]_\n\nThis repository contains the components of the Keycloak App for the UCS Appcenter.\n\n# App base\n\nThe app uses [Keycloak](https://www.keycloak.org/docs/17.0/) to provide a SAML and OpenID Connect 
provider.\n\nThe docker image used in the app is [built on the UCS 5.2 base image](https://git.knut.univention.de/univention/dev/projects/keycloak/keycloak-app/-/blob/main/Dockerfile?ref_type=heads).\n\n# Realm Configuration\n\n* Keycloak comes with a Realm `master` by default.\n* Additionally, the UCS Keycloak App creates a realm `UCS`.\n\n# LDAP User Federation\n\n* This Keycloak App is configured to use \"User Federation\" in the Keycloak Realm named \"UCS\".\n* The \"User Federation\" configured in the `UCS` realm uses `uid=sys-idp-user,cn=users,$ldap_base` to bind to OpenLDAP.\n* The \"User Federation\" is configured to **not** sync user accounts from LDAP to Keycloak.\n\n# SAML Support\n\n* Keycloak automatically acts as a SAML IdP. For each SP (SAML or OIDC) a \"Client\" configuration needs to be created\n  in Keycloak.\n    * In its initial version, the Keycloak App creates a \"Client\" for the UMC on the FQDN of the host\n      which it is installed on.\n* Keycloak can be configured to federate out to other IdPs. If several authentication sources are possible,\n  e.g. a \"User federation\" and two external IdPs, then Keycloak will show a login page to the user, where the user\n  needs to select the method. There are ways to preselect (either hardcode in Keycloak config or pass `\u0026kc_idp_hint=foo`\n  with the login URL). Keycloak will not iterate over possible authentication sources. Names may need to get\n  mapped to ensure uniqueness. 
See Keycloak docs for details.\n\n# OIDC Support\n\nTODO: Anything special to explain here?\n\n# Configuration\n\nThe app can be configured with app settings.\n\nIntegrating other services often requires URIs for the identity provider endpoints. They are available at `https://ucs-sso-ng.$(hostname -d)/.well-known/openid-configuration`\n\nTODO: Update the following statement, probably outdated with the change from `keycloak.$(hostname -f)` to `ucs-sso-ng.$(hostname -d)`:\n\nThe apache2 reverse proxy config is at `/var/lib/univention-appcenter/apps/keycloak/config/vhost.conf` and there are some UCR variables `apache2/vhosts/.*` set automatically during join via the joinscript `/usr/lib/univention-install/50keycloak.inst` installed on the host (uploaded to the [provider-portal](https://provider-portal.software-univention.de) as [app/inst](app/inst)).\n\n# Internals\n\nSee [app/](app/) for app center integration files and\nhttps://docs.software-univention.de/app-center/5.0/en/configurations.html#installation-scripts\n\n\n## Special use case: Ad-Hoc-Provisioning using the \"univention-authenticator\" Keycloak SPI\n* The \"univention-authenticator\" Keycloak SPI is an extension written in Java.\n* It is shipped as part of the UCS Keycloak App, but not configured by default.\n* If configured properly (TODO: details pending) it allows creating a \"shadow user account\" in UDM after\n  successful authentication against an external IdP (see page 13 of the [Summit presentation](https://www.slideshare.net/Univention/modularisierung-und-containerisierung-von-ucs)).\n\n# Documentation\n\nFor the latest version of the documentation, see [Univention Keycloak app documentation](http://docs.software-univention.de/keycloak-app/latest/)\n\n# Dev Documentation\n* Test, pipelines, releases, tips \u0026 tricks - [docs-dev/README-testing-release.md](docs-dev/README-testing-release.md)\n* Legacy app authorization - [docs-dev/README-appauth.md](docs-dev/README-appauth.md)\n* Themes and 
templates - [docs-dev/README-themes-template.md](docs-dev/README-themes-template.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funivention%2Funivention-keycloak-app","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Funivention%2Funivention-keycloak-app","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Funivention%2Funivention-keycloak-app/lists"}