Integration: Univention UCS

The following describes how to use UCS (Univention Corporate Server), version 5.2 or later, as an identity provider for an external OpenTalk installation. The necessary adjustments in the UCS Keycloak have no effect on UCS operation; only settings for OpenTalk are added.

Nevertheless, the UCS Keycloak configuration should always be exported and saved first; see the Keycloak documentation: https://www.keycloak.org/server/importExport.

Overview of the additional settings

The following settings per category must be added for OpenTalk, assuming a standard UCS Keycloak installation:

Clients

  • OtFrontend
  • OtBackend
  • Recorder
  • Obelisk

Realm roles

  • opentalk-call-in
  • opentalk-recorder

Users

  • service-account-otbackend
  • service-account-recorder
  • service-account-obelisk

Preparation

Download the client and user profiles from: https://gitlab.opencode.de/opentalk/ot-setup/-/blob/main/lite/data/kc_data/import/

Customize variables

Variables are present in the JSON files and must be adjusted before importing:

  • ${KC_DOMAIN} corresponds to the external OpenTalk domain, e.g. ucs-integration.opentalk.eu
  • ${KC_CLIENT_SECRET} corresponds to the secret shared with the external OpenTalk installation, which must be coordinated with the OpenTalk provider, e.g. ooleic2aewai5chiC9jae6iu
  • ${KC_REALM_NAME} must correspond to the UCS realm in the Keycloak installation, e.g. UCS integration
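
One way to script this substitution, shown as an added example that is not part of the OpenTalk or UCS tooling: it JSON-escapes each value so a secret containing quotes or backslashes cannot corrupt the profile, and rejects missing values and invalid JSON before the import. The sample profile is constructed, and the code assumes every placeholder sits inside a JSON string.

```python
import json
import os
import re

# The three placeholders this page names; any other ${...} is left untouched.
_VAR = re.compile(r"\$\{(KC_DOMAIN|KC_CLIENT_SECRET|KC_REALM_NAME)\}")

# Constructed sample for illustration, not one of the real OpenTalk profiles.
SAMPLE_PROFILE = """{
  "clients": [{
    "clientId": "OtBackend",
    "rootUrl": "https://${KC_DOMAIN}",
    "secret": "${KC_CLIENT_SECRET}"
  }]
}"""


def render_profile(template: str, values: dict) -> str:
    """Fill the placeholders and return JSON text ready for partial import.

    Raises ValueError if a placeholder has no value or the result is not
    valid JSON, so a broken profile is caught before it reaches Keycloak.
    """
    def substitute(match):
        name = match.group(1)
        if not values.get(name):
            raise ValueError(f"no value supplied for {name}")
        # JSON-escape the value; json.dumps() adds surrounding quotes, which
        # are dropped because the placeholder already sits inside a string.
        return json.dumps(values[name])[1:-1]

    rendered = _VAR.sub(substitute, template)
    json.loads(rendered)  # json.JSONDecodeError is a subclass of ValueError
    return rendered


def write_private(path: str, text: str) -> None:
    """Create the rendered profile owner-readable only (it holds a secret)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as handle:
        handle.write(text)
```

The 0600 mode only applies when the file is newly created, so render into a fresh directory and delete the files once the import has succeeded.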

Creation of the clients

The following profiles are required (all from https://gitlab.opencode.de/opentalk/ot-setup/-/blob/main/lite/data/kc_data/import/):

  • Date-OtFrontend.json
  • Date-OtBackend.json
  • Date-OtRecorder.json
  • Date-OtObelisk.json

Navigate within your UCS Keycloak installation as follows: Realm settings > Action > Partial import

Warning

First select the correct realm in Keycloak: the UCS realm. Do not edit the master realm in this context.

Now import the clients one after the other. To do this, click on "Browse" and select the previously downloaded and customized profiles for import. A successful import for OtFrontend looks as follows:

Figure 1: UCS Import 1
Figure 2: UCS Import 2

Once the four profiles have been successfully imported, you should see the following under Clients in Keycloak:

Figure 3: Keycloak Clients

Creation of the users

The following profile is required:

Navigate within your UCS Keycloak installation as follows: Realm settings > Action > Partial import

Warning

First select the correct realm in Keycloak: the UCS realm. Do not edit the master realm in this context.

Now import the service users. To do this, click on "Browse" and select the previously downloaded and customized profile for import. A successful import for OtUsers looks as follows:

Figure 4: Keycloak Service User

Control of the realm roles

Navigate within your UCS Keycloak installation as follows: Realm roles

Warning

First select the correct realm in Keycloak: the UCS realm. Do not edit the master realm in this context.

At least the following entries should be present in the UCS Keycloak:

Figure 5: Keycloak Realm Roles

Relevant variables for the OpenTalk service provider

The following variables must be coordinated with the OpenTalk service provider and kept in sync:

  • UCS-Keycloak Base URL, e.g. https://ucs.integration.de/
  • UCS-Keycloak authentication URL, e.g. https://ucs.integration.de/auth
  • UCS-Keycloak OIDC Issuer, e.g. https://ucs.integration.de/auth/realms/ucs-integration/
  • UCS-Keycloak Client Secret, e.g. ooleic2aewai5chiC9jae6iu
  • UCS-Keycloak Obelisk Secret, e.g. TY8vgc|j.J>rAqGFr*PQ4RT<$2@PrN