Integration: Univention UCS
The following describes how to use UCS (Univention Corporate Server), from version 5.2, as an identity provider for an external OpenTalk installation. The necessary adjustments in the UCS Keycloak have no effect on UCS operation; only settings for OpenTalk are added.
Nevertheless, the UCS Keycloak configuration should always be exported and saved first; see the Keycloak documentation: https://www.keycloak.org/server/importExport
Overview of the additional settings
The following settings per category must be added for OpenTalk, assuming a standard UCS Keycloak installation:
Clients
- OtFrontend
- OtBackend
- Recorder
- Obelisk
Realm roles
- opentalk-call-in
- opentalk-recorder
Users
- service-account-otbackend
- service-account-recorder
- service-account-obelisk
Preparation
Download the client and user profiles from: https://gitlab.opencode.de/opentalk/ot-setup/-/blob/main/lite/data/kc_data/import/
Customize variables:
Variables are present in the JSON files and must be adjusted before importing:
- ${KC_DOMAIN} corresponds to the external OpenTalk domain, e.g. ucs-integration.opentalk.eu
- ${KC_CLIENT_SECRET} corresponds to the secret shared with the external OpenTalk installation, which must be coordinated with the OpenTalk provider, e.g. ooleic2aewai5chiC9jae6iu
- ${KC_REALM_NAME} must correspond to the UCS realm in the Keycloak installation, e.g. UCS integration
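As an added example (not part of the OpenTalk or UCS documentation), the following Python script fills the three placeholders with JSON-escaped values, so that a secret containing quotes or backslashes cannot corrupt the profile, and checks that the result still parses as JSON before it is imported. It assumes each placeholder sits inside a JSON string; the function name render_profile, the .rendered suffix and the sample profile are constructed for illustration.

```python
import json
import os
import re
import sys

# Placeholders named on this page; the KC_ prefix leaves any other
# ${...} token in the file untouched.
REQUIRED = ("KC_DOMAIN", "KC_CLIENT_SECRET", "KC_REALM_NAME")
PLACEHOLDER = re.compile(r"\$\{(KC_[A-Z0-9_]+)\}")

# Constructed sample, not the real content of an OpenTalk profile.
SAMPLE_TEMPLATE = """{
  "realm": "${KC_REALM_NAME}",
  "clients": [{
    "clientId": "OtBackend",
    "secret": "${KC_CLIENT_SECRET}",
    "redirectUris": ["https://${KC_DOMAIN}/*"]
  }]
}"""


def render_profile(template_text, values):
    """Fill the KC_* placeholders and return the profile as JSON text."""
    missing = [name for name in REQUIRED if not values.get(name)]
    if missing:
        raise ValueError("no value for: " + ", ".join(missing))

    def substitute(match):
        name = match.group(1)
        if name not in REQUIRED:
            raise ValueError("unknown placeholder: " + name)
        # Assumption: each placeholder sits inside a JSON string, so the
        # value is JSON-escaped and the surrounding quotes are dropped.
        return json.dumps(values[name])[1:-1]

    rendered = PLACEHOLDER.sub(substitute, template_text)
    json.loads(rendered)  # raises ValueError if the result is not valid JSON
    return rendered


if __name__ == "__main__":
    # Usage: set the three KC_* variables in the environment, pass file paths.
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            text = render_profile(fh.read(), os.environ)
        # Output holds the client secret: create it new with mode 0600.
        fd = os.open(path + ".rendered", os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as out:
            out.write(text)
```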
Creation of the clients
The following profiles are required (all from https://gitlab.opencode.de/opentalk/ot-setup/-/blob/main/lite/data/kc_data/import/):
- Date-OtFrontend.json
- Date-OtBackend.json
- Date-OtRecorder.json
- Date-OtObelisk.json
Navigate within your UCS Keycloak installation as follows: Realm settings > Action > Partial import
Attention: First select the correct realm in Keycloak (the UCS realm). Do not edit the master realm in this context.
Now import the clients one after the other. To do this, click on "Browse" and select the previously downloaded and customized profiles for import. A successful import for OtFrontend looks as follows:
Once the four profiles have been successfully imported, you should see the following under Clients in Keycloak:
Creation of the users
The following profile is required:
- Date-OtUsers.json (from https://gitlab.opencode.de/opentalk/ot-setup/-/blob/main/lite/data/kc_data/import/)
Navigate within your UCS Keycloak installation as follows: Realm settings > Action > Partial import
Attention: First select the correct realm in Keycloak (the UCS realm). Do not edit the master realm in this context.
Now import the service users. To do this, click on "Browse" and select the previously downloaded and customized profile for import. A successful import for OtUsers looks as follows:
Control of the realm roles
Navigate within your UCS Keycloak installation as follows: Realm roles
Attention: First select the correct realm in Keycloak (the UCS realm). Do not edit the master realm in this context.
At least the following entries should be present in the UCS Keycloak:
Relevant variables for the OpenTalk service provider
The following variables must be coordinated with the OpenTalk service provider and kept in sync:
- UCS Keycloak base URL, e.g. https://ucs.integration.de/
- UCS Keycloak URL for authentication, e.g. https://ucs.integration.de/auth
- UCS Keycloak OIDC issuer, e.g. https://ucs.integration.de/auth/realms/ucs-integration/
- UCS Keycloak client secret, e.g. ooleic2aewai5chiC9jae6iu
- UCS Keycloak Obelisk secret, e.g. TY8vgc|j.J>rAqGFr*PQ4RT<$2@PrN