fix(nubus): Remove legacy UMC Keycloak client that was used for SAML connection with the Nubus portal

docs/architecture.md

@@ -129,7 +129,7 @@ An overview of
 - components that consume the LDAP service.
   - The components access the LDAP using a component-specific LDAP search account.
 - components using Univention Keycloak as an identity provider (IdP).
-  - The components should use OAuth2 / OIDC flows if not otherwise denoted.
+  - All components use OAuth2 / OIDC flows.
   - All components have a client configured in Keycloak.
 
 Some components trust others to handle authentication for them.
@@ -148,7 +148,7 @@ flowchart TD
  D-->K
  O-->K
  X-->K
- P-->|SAML|K
+ P-->K
  E[Element]-->K
  J[Jitsi]-->K
  I[IntercomService]-->K
@@ -184,11 +184,6 @@ sequenceDiagram
     Note over Browser: User is authenticated
 ```
 
-> [!note]
-> Nubus' Portal and UMC still use [SAML 2.0](https://www.oasis-open.org/standard/saml/) to authenticate
-> users. However, Nubus will switch to OIDC in an upcoming release, eliminating the use of SAML in openDesk
-> altogether.
-
 ## Keycloak
 
 [Keycloak](https://www.keycloak.org/) is an open-source identity and access management solution for web based applications and services. It provides features such as single sign-on, multi-factor authentication, user federation, and centralized user management.

docs/migrations.md

@@ -8,14 +8,14 @@ SPDX-License-Identifier: Apache-2.0
 <!-- TOC -->
 * [Disclaimer](#disclaimer)
 * [Deprecation warnings](#deprecation-warnings)
-* [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
+* [Overview and mandatory upgrade path](#overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
-  * [Versions &GreaterEqual; v1.9.0](#versions--v190)
-    * [Pre-upgrade to versions &GreaterEqual; v1.9.0](#pre-upgrade-to-versions--v190)
+  * [Versions ≥ v1.9.0](#versions--v190)
+    * [Pre-upgrade to versions ≥ v1.9.0](#pre-upgrade-to-versions--v190)
       * [Helmfile fix: Cassandra passwords read from `databases.*`](#helmfile-fix-cassandra-passwords-read-from-databases)
       * [Helmfile new feature: `functional.groupware.externalClients.*`](#helmfile-new-feature-functionalgroupwareexternalclients)
-  * [Versions &GreaterEqual; v1.8.0](#versions--v180)
-    * [Pre-upgrade to versions &GreaterEqual; v1.8.0](#pre-upgrade-to-versions--v180)
+  * [Versions ≥ v1.8.0](#versions--v180)
+    * [Pre-upgrade to versions ≥ v1.8.0](#pre-upgrade-to-versions--v180)
       * [New application default: Default group for two-factor authentication is now "2FA Users"](#new-application-default-default-group-for-two-factor-authentication-is-now-2fa-users)
       * [New database and secrets: Portal now uses OIDC](#new-database-and-secrets-portal-now-uses-oidc)
       * [New application default: XWiki blocks self-registration of user accounts](#new-application-default-xwiki-blocks-self-registration-of-user-accounts)
@@ -24,39 +24,39 @@ SPDX-License-Identifier: Apache-2.0
       * [Helmfile new default: New groupware settings changing current behaviour](#helmfile-new-default-new-groupware-settings-changing-current-behaviour)
       * [New application default: Nextcloud apps "Spreed" and "Comments" no longer enabled by default](#new-application-default-nextcloud-apps-spreed-and-comments-no-longer-enabled-by-default)
       * [New application default: Gravatar is switched off for Jitsi and OpenProject](#new-application-default-gravatar-is-switched-off-for-jitsi-and-openproject)
-  * [Versions &GreaterEqual; v1.7.0](#versions--v170)
-    * [Pre-upgrade to versions &GreaterEqual; v1.7.0](#pre-upgrade-to-versions--v170)
+  * [Versions ≥ v1.7.0](#versions--v170)
+    * [Pre-upgrade to versions ≥ v1.7.0](#pre-upgrade-to-versions--v170)
       * [Helmfile fix: Ensure enterprise overrides apply when deploying from project root](#helmfile-fix-ensure-enterprise-overrides-apply-when-deploying-from-project-root)
       * [Replace Helm chart: New Notes Helm chart with support for self-signed deployments](#replace-helm-chart-new-notes-helm-chart-with-support-for-self-signed-deployments)
-    * [Post-upgrade to versions &GreaterEqual; v1.7.0](#post-upgrade-to-versions--v170)
+    * [Post-upgrade to versions ≥ v1.7.0](#post-upgrade-to-versions--v170)
       * [Upstream fix: Provisioning of functional mailboxes](#upstream-fix-provisioning-of-functional-mailboxes)
-  * [Versions &GreaterEqual; v1.6.0](#versions--v160)
-    * [Pre-upgrade to versions &GreaterEqual; v1.6.0](#pre-upgrade-to-versions--v160)
+  * [Versions ≥ v1.6.0](#versions--v160)
+    * [Pre-upgrade to versions ≥ v1.6.0](#pre-upgrade-to-versions--v160)
       * [Upstream constraint: Nubus' external secrets](#upstream-constraint-nubus-external-secrets)
       * [Helmfile new secret: `secrets.minio.openxchangeUser`](#helmfile-new-secret-secretsminioopenxchangeuser)
       * [Helmfile new object storage: `objectstores.openxchange.*`](#helmfile-new-object-storage-objectstoresopenxchange)
       * [OX App Suite fix-up: Using S3 as storage for non mail attachments (pre-upgrade)](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-pre-upgrade)
-    * [Post-upgrade to versions &GreaterEqual; v1.6.0](#post-upgrade-to-versions--v160)
+    * [Post-upgrade to versions ≥ v1.6.0](#post-upgrade-to-versions--v160)
       * [OX App Suite fix-up: Using S3 as storage for non mail attachments (post-upgrade)](#ox-app-suite-fix-up-using-s3-as-storage-for-non-mail-attachments-post-upgrade)
-  * [Versions &GreaterEqual; v1.4.0](#versions--v140)
-    * [Pre-upgrade to versions &GreaterEqual; v1.4.0](#pre-upgrade-to-versions--v140)
+  * [Versions ≥ v1.4.0](#versions--v140)
+    * [Pre-upgrade to versions ≥ v1.4.0](#pre-upgrade-to-versions--v140)
       * [Helmfile cleanup: `global.additionalMailDomains` as list](#helmfile-cleanup-globaladditionalmaildomains-as-list)
-  * [Versions &GreaterEqual; v1.3.0](#versions--v130)
-    * [Pre-upgrade to versions &GreaterEqual; v1.3.0](#pre-upgrade-to-versions--v130)
+  * [Versions ≥ v1.3.0](#versions--v130)
+    * [Pre-upgrade to versions ≥ v1.3.0](#pre-upgrade-to-versions--v130)
       * [Helmfile new feature: `functional.authentication.ssoFederation`](#helmfile-new-feature-functionalauthenticationssofederation)
-  * [Versions &GreaterEqual; v1.2.0](#versions--v120)
-    * [Pre-upgrade to versions &GreaterEqual; v1.2.0](#pre-upgrade-to-versions--v120)
+  * [Versions ≥ v1.2.0](#versions--v120)
+    * [Pre-upgrade to versions ≥ v1.2.0](#pre-upgrade-to-versions--v120)
       * [Helmfile cleanup: Do not configure OX provisioning when no OX installed](#helmfile-cleanup-do-not-configure-ox-provisioning-when-no-ox-installed)
       * [Helmfile new default: PostgreSQL for XWiki and Nextcloud](#helmfile-new-default-postgresql-for-xwiki-and-nextcloud)
-  * [Versions &GreaterEqual; v1.1.2](#versions--v112)
-    * [Pre-upgrade to versions &GreaterEqual; v1.1.2](#pre-upgrade-to-versions--v112)
+  * [Versions ≥ v1.1.2](#versions--v112)
+    * [Pre-upgrade to versions ≥ v1.1.2](#pre-upgrade-to-versions--v112)
       * [Helmfile feature update: App settings wrapped in `apps.` element](#helmfile-feature-update-app-settings-wrapped-in-apps-element)
-  * [Versions &GreaterEqual; v1.1.1](#versions--v111)
-    * [Pre-upgrade to versions &GreaterEqual; v1.1.1](#pre-upgrade-to-versions--v111)
+  * [Versions ≥ v1.1.1](#versions--v111)
+    * [Pre-upgrade to versions ≥ v1.1.1](#pre-upgrade-to-versions--v111)
       * [Helmfile feature update: Component specific `storageClassName`](#helmfile-feature-update-component-specific-storageclassname)
       * [Helmfile new secret: `secrets.nubus.masterpassword`](#helmfile-new-secret-secretsnubusmasterpassword)
-  * [Versions &GreaterEqual; v1.1.0](#versions--v110)
-    * [Pre-upgrade to versions &GreaterEqual; v1.1.0](#pre-upgrade-to-versions--v110)
+  * [Versions ≥ v1.1.0](#versions--v110)
+    * [Pre-upgrade to versions ≥ v1.1.0](#pre-upgrade-to-versions--v110)
       * [Helmfile cleanup: Restructured `/helmfile/files/theme` folder](#helmfile-cleanup-restructured-helmfilefilestheme-folder)
       * [Helmfile cleanup: Consistent use of `*.yaml.gotmpl`](#helmfile-cleanup-consistent-use-of-yamlgotmpl)
       * [Helmfile cleanup: Prefixing certain app directories with `opendesk-`](#helmfile-cleanup-prefixing-certain-app-directories-with-opendesk-)
@@ -66,10 +66,10 @@ SPDX-License-Identifier: Apache-2.0
       * [openDesk defaults (new): Enforce login](#opendesk-defaults-new-enforce-login)
       * [openDesk defaults (changed): Jitsi room history enabled](#opendesk-defaults-changed-jitsi-room-history-enabled)
       * [External requirements: Redis 7.4](#external-requirements-redis-74)
-    * [Post-upgrade to versions &GreaterEqual; v1.1.0](#post-upgrade-to-versions--v110)
+    * [Post-upgrade to versions ≥ v1.1.0](#post-upgrade-to-versions--v110)
       * [XWiki fix-ups](#xwiki-fix-ups)
-  * [Versions &GreaterEqual; v1.0.0](#versions--v100)
-    * [Pre-upgrade to versions &GreaterEqual; v1.0.0](#pre-upgrade-to-versions--v100)
+  * [Versions ≥ v1.0.0](#versions--v100)
+    * [Pre-upgrade to versions ≥ v1.0.0](#pre-upgrade-to-versions--v100)
       * [Configuration Cleanup: Removal of unnecessary OX-Profiles in Nubus](#configuration-cleanup-removal-of-unnecessary-ox-profiles-in-nubus)
       * [Configuration Cleanup: Updated `global.imagePullSecrets`](#configuration-cleanup-updated-globalimagepullsecrets)
       * [Changed openDesk defaults: Matrix presence status disabled](#changed-opendesk-defaults-matrix-presence-status-disabled)
@@ -77,17 +77,17 @@ SPDX-License-Identifier: Apache-2.0
       * [Changed openDesk defaults: File-share configurability](#changed-opendesk-defaults-file-share-configurability)
       * [Changed openDesk defaults: Updated default subdomains in `global.hosts`](#changed-opendesk-defaults-updated-default-subdomains-in-globalhosts)
       * [Changed openDesk defaults: Dedicated group for access to the UDM REST API](#changed-opendesk-defaults-dedicated-group-for-access-to-the-udm-rest-api)
-    * [Post-upgrade to versions &GreaterEqual; v1.0.0](#post-upgrade-to-versions--v100)
+    * [Post-upgrade to versions ≥ v1.0.0](#post-upgrade-to-versions--v100)
       * [Configuration Improvement: Separate user permission for using Video Conference component](#configuration-improvement-separate-user-permission-for-using-video-conference-component)
       * [Optional Cleanup](#optional-cleanup)
 * [Automated migrations - Details](#automated-migrations---details)
-  * [Versions &GreaterEqual; v1.6.0 (automated)](#versions--v160-automated)
-    * [Versions &GreaterEqual; v1.6.0 migrations-post](#versions--v160-migrations-post)
-  * [Versions &GreaterEqual; v1.2.0 (automated)](#versions--v120-automated)
-    * [Versions &GreaterEqual; v1.2.0 migrations-pre](#versions--v120-migrations-pre)
-    * [Versions &GreaterEqual; v1.2.0 migrations-post](#versions--v120-migrations-post)
-  * [Versions &GreaterEqual; v1.1.0 (automated)](#versions--v110-automated)
-  * [Versions &GreaterEqual; v1.0.0 (automated)](#versions--v100-automated)
+  * [Versions ≥ v1.6.0 (automated)](#versions--v160-automated)
+    * [Versions ≥ v1.6.0 migrations-post](#versions--v160-migrations-post)
+  * [Versions ≥ v1.2.0 (automated)](#versions--v120-automated)
+    * [Versions ≥ v1.2.0 migrations-pre](#versions--v120-migrations-pre)
+    * [Versions ≥ v1.2.0 migrations-post](#versions--v120-migrations-post)
+  * [Versions ≥ v1.1.0 (automated)](#versions--v110-automated)
+  * [Versions ≥ v1.0.0 (automated)](#versions--v100-automated)
   * [Related components and artifacts](#related-components-and-artifacts)
   * [Development](#development)
 <!-- TOC -->
@@ -140,7 +140,7 @@ matching that constraint, though our links always point to the newest patch rele
 > 1. You are at v1.3.2 → pre steps for v1.4.0 to v1.5.0
 > 1. Upgrade to v1.5.0 → post steps for v1.4.0 to v1.5.0
 > 1. You are at v1.5.0 → pre steps for v1.6.0 to 1.7.1
-> 1. Upgrade to v1.7.1 → post steps for v1.6.0 to v1.7.1 
+> 1. Upgrade to v1.7.1 → post steps for v1.6.0 to v1.7.1
 
 <!-- IMPORTANT: Make sure to mark mandatory releases if an automatic migration requires a previous update to be installed -->
 | Version                                                                                 | Mandatory | Pre-Upgrade                                                                                                                 | Post-Upgrade                            | Minimum Required Previous Version            |
@@ -237,7 +237,7 @@ The portal has been migrated to use OIDC for single sign-on by default. This int
   - `secrets.postgresql.umsAuthSessionUser`: For internal databases, set the secret for the database user here. If you are using an external database, you already provide these credentials in the New database step above.
 
 > [!note]
-> The SAML Client for the Nubus portal is still preserved in Keycloak and will be removed in one of the next openDesk releases.
+> The SAML Client for the Nubus portal is still preserved in Keycloak and is going to be removed with openDesk 1.10.0.
 
 #### New application default: XWiki blocks self-registration of user accounts
 

helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -84,7 +84,7 @@ config:
   managed:
     clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list',
                     'offline_access', 'roles', 'address', 'phone' ]
-    clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', 'UMC OIDC', '${client_account}',
+    clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC OIDC', '${client_account}',
                '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}',
                '${client_security-admin-console}' ]
   keycloak: