fix(nubus): Remove legacy UMC Keycloak client that was used for SAML connection with the Nubus portal

Thorsten Roßner
2025-10-30 12:14:46 +01:00
parent 7aa717c050
commit 152221fa79
3 changed files with 39 additions and 44 deletions

View File

@@ -129,7 +129,7 @@ An overview of
- components that consume the LDAP service. - components that consume the LDAP service.
- The components access the LDAP using a component-specific LDAP search account. - The components access the LDAP using a component-specific LDAP search account.
- components using Univention Keycloak as an identity provider (IdP). - components using Univention Keycloak as an identity provider (IdP).
- The components should use OAuth2 / OIDC flows if not otherwise denoted. - All components use OAuth2 / OIDC flows.
- All components have a client configured in Keycloak. - All components have a client configured in Keycloak.
Some components trust others to handle authentication for them. Some components trust others to handle authentication for them.
@@ -148,7 +148,7 @@ flowchart TD
D-->K D-->K
O-->K O-->K
X-->K X-->K
P-->|SAML|K P-->K
E[Element]-->K E[Element]-->K
J[Jitsi]-->K J[Jitsi]-->K
I[IntercomService]-->K I[IntercomService]-->K
@@ -184,11 +184,6 @@ sequenceDiagram
Note over Browser: User is authenticated Note over Browser: User is authenticated
``` ```
> [!note]
> Nubus' Portal and UMC still use [SAML 2.0](https://www.oasis-open.org/standard/saml/) to authenticate
> users. However, Nubus will switch to OIDC in an upcoming release, eliminating the use of SAML in openDesk
> altogether.
## Keycloak ## Keycloak
[Keycloak](https://www.keycloak.org/) is an open-source identity and access management solution for web based applications and services. It provides features such as single sign-on, multi-factor authentication, user federation, and centralized user management. [Keycloak](https://www.keycloak.org/) is an open-source identity and access management solution for web based applications and services. It provides features such as single sign-on, multi-factor authentication, user federation, and centralized user management.
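Review bot: Deleting this note leaves the architecture page with no statement about deployments that were upgraded from releases in which the Portal/UMC SAML client existed, while the upgrade notes touched by the same commit still say that client is "preserved in Keycloak" until openDesk 1.10.0. Either keep a one-line pointer here to the upgrade-notes cleanup step, or make sure that step tells operators how to verify the SAML client is gone; otherwise the new unconditional wording "All components use OAuth2 / OIDC flows." describes a fresh install but not necessarily a long-lived realm.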

View File

@@ -8,14 +8,14 @@ SPDX-License-Identifier: Apache-2.0
<!-- TOC --> <!-- TOC -->
* [Disclaimer](#disclaimer) * [Disclaimer](#disclaimer)
* [Deprecation warnings](#deprecation-warnings) * [Deprecation warnings](#deprecation-warnings)
* [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path) * [Overview and mandatory upgrade path](#overview-and-mandatory-upgrade-path)
* [Manual checks/actions](#manual-checksactions) * [Manual checks/actions](#manual-checksactions)
* [Versions &GreaterEqual; v1.9.0](#versions--v190) * [Versions v1.9.0](#versions--v190)
* [Pre-upgrade to versions &GreaterEqual; v1.9.0](#pre-upgrade-to-versions--v190) * [Pre-upgrade to versions v1.9.0](#pre-upgrade-to-versions--v190)
* [Helmfile fix: Cassandra passwords read from `databases.*`](#helmfile-fix-cassandra-passwords-read-from-databases) * [Helmfile fix: Cassandra passwords read from `databases.*`](#helmfile-fix-cassandra-passwords-read-from-databases)
* [Helmfile new feature: `functional.groupware.externalClients.*`](#helmfile-new-feature-functionalgroupwareexternalclients) * [Helmfile new feature: `functional.groupware.externalClients.*`](#helmfile-new-feature-functionalgroupwareexternalclients)
* [Versions &GreaterEqual; v1.8.0](#versions--v180) * [Versions v1.8.0](#versions--v180)
* [Pre-upgrade to versions &GreaterEqual; v1.8.0](#pre-upgrade-to-versions--v180) * [Pre-upgrade to versions v1.8.0](#pre-upgrade-to-versions--v180)
* [New application default: Default group for two-factor authentication is now "2FA Users"](#new-application-default-default-group-for-two-factor-authentication-is-now-2fa-users) * [New application default: Default group for two-factor authentication is now "2FA Users"](#new-application-default-default-group-for-two-factor-authentication-is-now-2fa-users)
* [New database and secrets: Portal now uses OIDC](#new-database-and-secrets-portal-now-uses-oidc) * [New database and secrets: Portal now uses OIDC](#new-database-and-secrets-portal-now-uses-oidc)
* [New application default: XWiki blocks self-registration of user accounts](#new-application-default-xwiki-blocks-self-registration-of-user-accounts) * [New application default: XWiki blocks self-registration of user accounts](#new-application-default-xwiki-blocks-self-registration-of-user-accounts)
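Review bot: Dropping `&GreaterEqual;` from the link text changes the meaning of every affected entry ("Versions v1.9.0" reads as a single version rather than "v1.9.0 and later"), while the anchors (`#versions--v190`) keep the double hyphen that the entity produced, so the headings evidently still contain it. This looks like the TOC generator stripping the entity rather than an intended edit; either restore `&GreaterEqual;` (or `>=`) in the link text or change headings and anchors together. The entry renamed from "Automated migrations - Overview and mandatory upgrade path" to "Overview and mandatory upgrade path" now points at a new anchor, but no hunk in this diff changes the corresponding heading; verify the target exists. Both edits are outside the scope stated in the commit message and would be easier to review as a separate commit.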
@@ -24,39 +24,39 @@ SPDX-License-Identifier: Apache-2.0
* [Helmfile new default: New groupware settings changing current behaviour](#helmfile-new-default-new-groupware-settings-changing-current-behaviour) * [Helmfile new default: New groupware settings changing current behaviour](#helmfile-new-default-new-groupware-settings-changing-current-behaviour)
* [New application default: Nextcloud apps "Spreed" and "Comments" no longer enabled by default](#new-application-default-nextcloud-apps-spreed-and-comments-no-longer-enabled-by-default) * [New application default: Nextcloud apps "Spreed" and "Comments" no longer enabled by default](#new-application-default-nextcloud-apps-spreed-and-comments-no-longer-enabled-by-default)
* [New application default: Gravatar is switched off for Jitsi and OpenProject](#new-application-default-gravatar-is-switched-off-for-jitsi-and-openproject) * [New application default: Gravatar is switched off for Jitsi and OpenProject](#new-application-default-gravatar-is-switched-off-for-jitsi-and-openproject)
* [Versions &GreaterEqual; v1.7.0](#versions--v170) * [Versions v1.7.0](#versions--v170)
* [Pre-upgrade to versions &GreaterEqual; v1.7.0](#pre-upgrade-to-versions--v170) * [Pre-upgrade to versions v1.7.0](#pre-upgrade-to-versions--v170)
* [Helmfile fix: Ensure enterprise overrides apply when deploying from project root](#helmfile-fix-ensure-enterprise-overrides-apply-when-deploying-from-project-root) * [Helmfile fix: Ensure enterprise overrides apply when deploying from project root](#helmfile-fix-ensure-enterprise-overrides-apply-when-deploying-from-project-root)
* [Replace Helm chart: New Notes Helm chart with support for self-signed deployments](#replace-helm-chart-new-notes-helm-chart-with-support-for-self-signed-deployments) * [Replace Helm chart: New Notes Helm chart with support for self-signed deployments](#replace-helm-chart-new-notes-helm-chart-with-support-for-self-signed-deployments)
* [Post-upgrade to versions &GreaterEqual; v1.7.0](#post-upgrade-to-versions--v170) * [Post-upgrade to versions v1.7.0](#post-upgrade-to-versions--v170)
* [Upstream fix: Provisioning of functional mailboxes](#upstream-fix-provisioning-of-functional-mailboxes) * [Upstream fix: Provisioning of functional mailboxes](#upstream-fix-provisioning-of-functional-mailboxes)
* [Versions &GreaterEqual; v1.6.0](#versions--v160) * [Versions v1.6.0](#versions--v160)
* [Pre-upgrade to versions &GreaterEqual; v1.6.0](#pre-upgrade-to-versions--v160) * [Pre-upgrade to versions v1.6.0](#pre-upgrade-to-versions--v160)
* [Upstream constraint: Nubus' external secrets](#upstream-constraint-nubus-external-secrets) * [Upstream constraint: Nubus' external secrets](#upstream-constraint-nubus-external-secrets)
* [Helmfile new secret: `secrets.minio.openxchangeUser`](#helmfile-new-secret-secretsminioopenxchangeuser) * [Helmfile new secret: `secrets.minio.openxchangeUser`](#helmfile-new-secret-secretsminioopenxchangeuser)
* [Helmfile new object storage: `objectstores.openxchange.*`](#helmfile-new-object-storage-objectstoresopenxchange) * [Helmfile new object storage: `objectstores.openxchange.*`](#helmfile-new-object-storage-objectstoresopenxchange)
* [OX App Suite fix-up: Using S3 as storage for non mail attachments (pre-upgrade)](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-pre-upgrade) * [OX App Suite fix-up: Using S3 as storage for non mail attachments (pre-upgrade)](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-pre-upgrade)
* [Post-upgrade to versions &GreaterEqual; v1.6.0](#post-upgrade-to-versions--v160) * [Post-upgrade to versions v1.6.0](#post-upgrade-to-versions--v160)
* [OX App Suite fix-up: Using S3 as storage for non mail attachments (post-upgrade)](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-post-upgrade) * [OX App Suite fix-up: Using S3 as storage for non mail attachments (post-upgrade)](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-post-upgrade)
* [Versions &GreaterEqual; v1.4.0](#versions--v140) * [Versions v1.4.0](#versions--v140)
* [Pre-upgrade to versions &GreaterEqual; v1.4.0](#pre-upgrade-to-versions--v140) * [Pre-upgrade to versions v1.4.0](#pre-upgrade-to-versions--v140)
* [Helmfile cleanup: `global.additionalMailDomains` as list](#helmfile-cleanup-globaladditionalmaildomains-as-list) * [Helmfile cleanup: `global.additionalMailDomains` as list](#helmfile-cleanup-globaladditionalmaildomains-as-list)
* [Versions &GreaterEqual; v1.3.0](#versions--v130) * [Versions v1.3.0](#versions--v130)
* [Pre-upgrade to versions &GreaterEqual; v1.3.0](#pre-upgrade-to-versions--v130) * [Pre-upgrade to versions v1.3.0](#pre-upgrade-to-versions--v130)
* [Helmfile new feature: `functional.authentication.ssoFederation`](#helmfile-new-feature-functionalauthenticationssofederation) * [Helmfile new feature: `functional.authentication.ssoFederation`](#helmfile-new-feature-functionalauthenticationssofederation)
* [Versions &GreaterEqual; v1.2.0](#versions--v120) * [Versions v1.2.0](#versions--v120)
* [Pre-upgrade to versions &GreaterEqual; v1.2.0](#pre-upgrade-to-versions--v120) * [Pre-upgrade to versions v1.2.0](#pre-upgrade-to-versions--v120)
* [Helmfile cleanup: Do not configure OX provisioning when no OX installed](#helmfile-cleanup-do-not-configure-ox-provisioning-when-no-ox-installed) * [Helmfile cleanup: Do not configure OX provisioning when no OX installed](#helmfile-cleanup-do-not-configure-ox-provisioning-when-no-ox-installed)
* [Helmfile new default: PostgreSQL for XWiki and Nextcloud](#helmfile-new-default-postgresql-for-xwiki-and-nextcloud) * [Helmfile new default: PostgreSQL for XWiki and Nextcloud](#helmfile-new-default-postgresql-for-xwiki-and-nextcloud)
* [Versions &GreaterEqual; v1.1.2](#versions--v112) * [Versions v1.1.2](#versions--v112)
* [Pre-upgrade to versions &GreaterEqual; v1.1.2](#pre-upgrade-to-versions--v112) * [Pre-upgrade to versions v1.1.2](#pre-upgrade-to-versions--v112)
* [Helmfile feature update: App settings wrapped in `apps.` element](#helmfile-feature-update-app-settings-wrapped-in-apps-element) * [Helmfile feature update: App settings wrapped in `apps.` element](#helmfile-feature-update-app-settings-wrapped-in-apps-element)
* [Versions &GreaterEqual; v1.1.1](#versions--v111) * [Versions v1.1.1](#versions--v111)
* [Pre-upgrade to versions &GreaterEqual; v1.1.1](#pre-upgrade-to-versions--v111) * [Pre-upgrade to versions v1.1.1](#pre-upgrade-to-versions--v111)
* [Helmfile feature update: Component specific `storageClassName`](#helmfile-feature-update-component-specific-storageclassname) * [Helmfile feature update: Component specific `storageClassName`](#helmfile-feature-update-component-specific-storageclassname)
* [Helmfile new secret: `secrets.nubus.masterpassword`](#helmfile-new-secret-secretsnubusmasterpassword) * [Helmfile new secret: `secrets.nubus.masterpassword`](#helmfile-new-secret-secretsnubusmasterpassword)
* [Versions &GreaterEqual; v1.1.0](#versions--v110) * [Versions v1.1.0](#versions--v110)
* [Pre-upgrade to versions &GreaterEqual; v1.1.0](#pre-upgrade-to-versions--v110) * [Pre-upgrade to versions v1.1.0](#pre-upgrade-to-versions--v110)
* [Helmfile cleanup: Restructured `/helmfile/files/theme` folder](#helmfile-cleanup-restructured-helmfilefilestheme-folder) * [Helmfile cleanup: Restructured `/helmfile/files/theme` folder](#helmfile-cleanup-restructured-helmfilefilestheme-folder)
* [Helmfile cleanup: Consistent use of `*.yaml.gotmpl`](#helmfile-cleanup-consistent-use-of-yamlgotmpl) * [Helmfile cleanup: Consistent use of `*.yaml.gotmpl`](#helmfile-cleanup-consistent-use-of-yamlgotmpl)
* [Helmfile cleanup: Prefixing certain app directories with `opendesk-`](#helmfile-cleanup-prefixing-certain-app-directories-with-opendesk-) * [Helmfile cleanup: Prefixing certain app directories with `opendesk-`](#helmfile-cleanup-prefixing-certain-app-directories-with-opendesk-)
@@ -66,10 +66,10 @@ SPDX-License-Identifier: Apache-2.0
* [openDesk defaults (new): Enforce login](#opendesk-defaults-new-enforce-login) * [openDesk defaults (new): Enforce login](#opendesk-defaults-new-enforce-login)
* [openDesk defaults (changed): Jitsi room history enabled](#opendesk-defaults-changed-jitsi-room-history-enabled) * [openDesk defaults (changed): Jitsi room history enabled](#opendesk-defaults-changed-jitsi-room-history-enabled)
* [External requirements: Redis 7.4](#external-requirements-redis-74) * [External requirements: Redis 7.4](#external-requirements-redis-74)
* [Post-upgrade to versions &GreaterEqual; v1.1.0](#post-upgrade-to-versions--v110) * [Post-upgrade to versions v1.1.0](#post-upgrade-to-versions--v110)
* [XWiki fix-ups](#xwiki-fix-ups) * [XWiki fix-ups](#xwiki-fix-ups)
* [Versions &GreaterEqual; v1.0.0](#versions--v100) * [Versions v1.0.0](#versions--v100)
* [Pre-upgrade to versions &GreaterEqual; v1.0.0](#pre-upgrade-to-versions--v100) * [Pre-upgrade to versions v1.0.0](#pre-upgrade-to-versions--v100)
* [Configuration Cleanup: Removal of unnecessary OX-Profiles in Nubus](#configuration-cleanup-removal-of-unnecessary-ox-profiles-in-nubus) * [Configuration Cleanup: Removal of unnecessary OX-Profiles in Nubus](#configuration-cleanup-removal-of-unnecessary-ox-profiles-in-nubus)
* [Configuration Cleanup: Updated `global.imagePullSecrets`](#configuration-cleanup-updated-globalimagepullsecrets) * [Configuration Cleanup: Updated `global.imagePullSecrets`](#configuration-cleanup-updated-globalimagepullsecrets)
* [Changed openDesk defaults: Matrix presence status disabled](#changed-opendesk-defaults-matrix-presence-status-disabled) * [Changed openDesk defaults: Matrix presence status disabled](#changed-opendesk-defaults-matrix-presence-status-disabled)
@@ -77,17 +77,17 @@ SPDX-License-Identifier: Apache-2.0
* [Changed openDesk defaults: File-share configurability](#changed-opendesk-defaults-file-share-configurability) * [Changed openDesk defaults: File-share configurability](#changed-opendesk-defaults-file-share-configurability)
* [Changed openDesk defaults: Updated default subdomains in `global.hosts`](#changed-opendesk-defaults-updated-default-subdomains-in-globalhosts) * [Changed openDesk defaults: Updated default subdomains in `global.hosts`](#changed-opendesk-defaults-updated-default-subdomains-in-globalhosts)
* [Changed openDesk defaults: Dedicated group for access to the UDM REST API](#changed-opendesk-defaults-dedicated-group-for-access-to-the-udm-rest-api) * [Changed openDesk defaults: Dedicated group for access to the UDM REST API](#changed-opendesk-defaults-dedicated-group-for-access-to-the-udm-rest-api)
* [Post-upgrade to versions &GreaterEqual; v1.0.0](#post-upgrade-to-versions--v100) * [Post-upgrade to versions v1.0.0](#post-upgrade-to-versions--v100)
* [Configuration Improvement: Separate user permission for using Video Conference component](#configuration-improvement-separate-user-permission-for-using-video-conference-component) * [Configuration Improvement: Separate user permission for using Video Conference component](#configuration-improvement-separate-user-permission-for-using-video-conference-component)
* [Optional Cleanup](#optional-cleanup) * [Optional Cleanup](#optional-cleanup)
* [Automated migrations - Details](#automated-migrations---details) * [Automated migrations - Details](#automated-migrations---details)
* [Versions &GreaterEqual; v1.6.0 (automated)](#versions--v160-automated) * [Versions v1.6.0 (automated)](#versions--v160-automated)
* [Versions &GreaterEqual; v1.6.0 migrations-post](#versions--v160-migrations-post) * [Versions v1.6.0 migrations-post](#versions--v160-migrations-post)
* [Versions &GreaterEqual; v1.2.0 (automated)](#versions--v120-automated) * [Versions v1.2.0 (automated)](#versions--v120-automated)
* [Versions &GreaterEqual; v1.2.0 migrations-pre](#versions--v120-migrations-pre) * [Versions v1.2.0 migrations-pre](#versions--v120-migrations-pre)
* [Versions &GreaterEqual; v1.2.0 migrations-post](#versions--v120-migrations-post) * [Versions v1.2.0 migrations-post](#versions--v120-migrations-post)
* [Versions &GreaterEqual; v1.1.0 (automated)](#versions--v110-automated) * [Versions v1.1.0 (automated)](#versions--v110-automated)
* [Versions &GreaterEqual; v1.0.0 (automated)](#versions--v100-automated) * [Versions v1.0.0 (automated)](#versions--v100-automated)
* [Related components and artifacts](#related-components-and-artifacts) * [Related components and artifacts](#related-components-and-artifacts)
* [Development](#development) * [Development](#development)
<!-- TOC --> <!-- TOC -->
@@ -237,7 +237,7 @@ The portal has been migrated to use OIDC for single sign-on by default. This int
- `secrets.postgresql.umsAuthSessionUser`: For internal databases, set the secret for the database user here. If you are using an external database, you already provide these credentials in the New database step above. - `secrets.postgresql.umsAuthSessionUser`: For internal databases, set the secret for the database user here. If you are using an external database, you already provide these credentials in the New database step above.
> [!note] > [!note]
> The SAML Client for the Nubus portal is still preserved in Keycloak and will be removed in one of the next openDesk releases. > The SAML Client for the Nubus portal is still preserved in Keycloak and is going to be removed with openDesk 1.10.0.
#### New application default: XWiki blocks self-registration of user accounts #### New application default: XWiki blocks self-registration of user accounts
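Review bot: The note now promises removal "with openDesk 1.10.0", but this commit is itself what drops the `UMC` client from the Keycloak managed client list, so a note under the v1.8.0 section is the wrong place to announce it: operators upgrading look for a "Pre-upgrade/Post-upgrade to versions &GreaterEqual; v1.10.0" entry under "Manual checks/actions" (the document has one per release) that states whether the legacy SAML client is deleted automatically or must be removed by hand. If it is not deleted, removing it from the managed list leaves an unmanaged SAML client in existing realms, which is exactly the state this note describes as temporary.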

View File

@@ -84,7 +84,7 @@ config:
managed: managed:
clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list',
'offline_access', 'roles', 'address', 'phone' ] 'offline_access', 'roles', 'address', 'phone' ]
clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', 'UMC OIDC', '${client_account}', clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC OIDC', '${client_account}',
'${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}',
'${client_security-admin-console}' ] '${client_security-admin-console}' ]
keycloak: keycloak:
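Review bot: Removing `'UMC'` from `config.managed.clients` changes what the bootstrap manages, but the hunk does not show that the existing client is deleted from the realm. If membership in this list only controls which clients the bootstrap creates and updates, upgraded deployments keep an orphaned SAML client with its current redirect/assertion-consumer URLs and key material, now outside configuration management. Please confirm the bootstrap's behaviour for clients dropped from this list and, if it does not delete them, add an explicit deletion (a migration job or a documented step; a post-upgrade check such as `kcadm.sh get clients -r <realm> -q clientId=UMC` returning nothing would do). Also confirm nothing still references clientId `UMC`; the list keeps `'UMC OIDC'`, which per the commit message is the intended replacement.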