- Keycloak has been installed with this docker image: gitregistry.knut.univention.de/univention/components/keycloak-app:branch-jbremer-appauthorization
- The UMC has been adjusted to use Keycloak
- An App (Nextcloud?) has been adjusted to use Keycloak
Go to the Keycloak admin console. Go to Authentication
Click on the option on the flow browser. Duplicate it.
Now the ugly part: You have to basically copy everything on this flow. Everything that is part of the default flow needs to be in its own subflow. I called it "Normal login". The new Univention App Authenticator needs to be required, and on the same level as the rest of the flow.
In the Keycloak admin console go to Clients.
Click on the UMC client. Go to Advanced. On the bottom there is the field
Authentication flow overrides. Set it to the new flow.
Go to User federation. Select the ldap-federation. Go to Mappers.
Click on new mapper and select the mapper type group-ldap-mapper.
Configure it in the following way:
There is a Action field on the top right. Select Sync LDAP groups to Keycloak
to sync them all immediately.
In the Keycloak admin console go to Clients.
Click on your client and go to Roles.
Click on Create role and enter the name univentionClientAccess.
Go to Groups. Click on the desired group and select Role mapping.
Click Assign role. Filter by client roles.
Then select the client role.