Howto:Univention Corporate Server (UCS) - Univention GmbH - 3rd Party Product


Product Name

Univention GmbH Univention Corporate Server (UCS)

Certification Status

Category

Vendor

Univention is a provider of open-source solutions for identity and access management (IAM) and the integration of IT applications.

Description

Univention Corporate Server (UCS) is an open integration platform that, together with Univention Nubus, provides centralized identity and access management with a web portal for easy access to applications and enables the management of heterogeneous IT domains through comprehensive Active Directory functionality.

Functions

  • Portal with single sign-on
  • Integrated identity and access management
  • Packaged integrations
  • App Center with enterprise applications
  • Active Directory integration
  • Platform for the entire IT infrastructure
  • Deployment on-premises, in the cloud, or hybrid

Version

Product versions used for interop testing:

  • UCS 5.2
  • innovaphone V12r2sr24

Configuration

LDAP Integration of UCS with the innovaphone Environment including SSO via Keycloak

This article describes how an LDAP integration between Univention Corporate Server (UCS) and an innovaphone PBX environment can be implemented.

The configuration shown below has been successfully tested and demonstrates how user accounts from UCS can be synchronized into the innovaphone environment using LDAP replication.

In addition, the article explains how telephony features can be accessed via Single Sign-On (SSO) using Keycloak as an identity provider.

The following step-by-step guide outlines the complete setup process. Each step is supported by corresponding screenshots.

Step-by-Step Guide

Creating an LDAP Service Account for Replication

First, a dedicated user account is created in UCS that will be used exclusively by the innovaphone LDAP replicator to bind to the LDAP directory during replication.

This account allows the innovaphone system to retrieve the required user information from the UCS LDAP directory. In this example, the username “ldapread” is used.

The account only requires read access to the LDAP directory, so no elevated privileges are necessary: do not add it to any administrative groups in UCS. Because its password is stored in the replicator configuration, use a long, randomly generated one, and connect over LDAPS (UCS serves LDAPS on TCP port 7636 and plain LDAP on 7389) so that neither the bind credentials nor the replicated attributes cross the network in clear text.

(Screenshot: Create user for LDAP replication)

Creating a Sample User in UCS

In the next step, a regular user account is created in the UCS system. This user will later be replicated to the innovaphone environment via LDAP.

For demonstration purposes, the example user Max Muster is created.

(Screenshot: Create user)

Assigning a Phone Number to the User

To enable telephony functionality for the user within the innovaphone environment, a phone number (extension) must be assigned in UCS.

In this example, the user is assigned the extension 100.

This information is stored in the LDAP directory and can later be imported and mapped within the innovaphone environment.

(Screenshot: Edit user)

Verifying LDAP Attributes

The configured LDAP attributes in UCS can be inspected using the LDAP administration interface (LDAPAdmin).

This interface allows administrators to review all available LDAP attributes associated with a user account. These attributes are later accessed and processed by the innovaphone LDAP replicator.

This view is particularly useful for identifying which attributes should be used for mapping between LDAP source attributes and innovaphone target attributes.

(Screenshot: User overview in LDAPAdmin)

Configuring the LDAP Replicator in the innovaphone Environment

Next, the LDAP replicator is configured within the innovaphone environment.

The following parameters must be defined:

  • Connection to the UCS LDAP server (host, port and LDAPS)
  • Authentication using the previously created service account “ldapread”
  • Definition of the LDAP search base (for example the container that holds the user objects) and, where the replicator offers it, a filter that selects only user objects, so that the service account and other non-user entries are not provisioned as PBX users
  • Configuration of the attribute mapping between LDAP source attributes and innovaphone target attributes

This mapping ensures that information such as:

  • Username
  • Phone number
  • Display name

is correctly transferred from the UCS LDAP directory to the corresponding attributes in the innovaphone platform.

(Screenshot: LDAP overview)


(Screenshot: innovaphone LDAP replicator)
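The attribute review in LDAPAdmin and the replicator mapping described above can be rehearsed offline before the PBX is touched. The following Python script is an added example, not innovaphone or Univention code: it parses an LDIF dump of the UCS user container (a constructed sample is embedded; real input comes from ldapsearch bound as ldapread) and applies a UCS-to-innovaphone attribute mapping of the kind the replicator is configured with, reporting which entries would be provisioned and which need attention. The attribute names uid, displayName and telephoneNumber, the innovaphone field names Name, Long Name and Number, the two-to-six-digit extension rule and the example DNs are assumptions; check them against the LDAPAdmin view and the replicator dialog of your own installation.

```python
"""Preview how UCS LDAP user entries map onto innovaphone user fields.

Added example, not innovaphone or Univention code. Attribute and field names
are assumptions for illustration; verify them in LDAPAdmin and the replicator.
"""
import base64
import re

# Constructed ldapsearch output for this example (not taken from a real UCS).
# Real input can be produced with, for example:
#   ldapsearch -LLL -H ldaps://ucs.example.com:7636 \
#     -D uid=ldapread,cn=users,dc=example,dc=com -W \
#     -b cn=users,dc=example,dc=com '(univentionObjectType=users/user)' \
#     uid displayName telephoneNumber univentionObjectType
SAMPLE_LDIF = """\
dn: uid=max.muster,cn=users,dc=example,dc=com
uid: max.muster
displayName: Max Muster
telephoneNumber: 100
univentionObjectType: users/user

dn: uid=erika.beispiel,cn=users,dc=example,dc=com
uid: erika.beispiel
displayName:: RXJpa2EgQmVpc3BpZWw=
telephoneNumber: 101
telephoneNumber: 1-01
univentionObjectType: users/user

dn: uid=ldapread,cn=users,dc=example,dc=com
uid: ldapread
displayName: LDAP replication account
univentionObjectType: users/user

dn: uid=dup,cn=users,dc=example,dc=com
uid: dup
displayName: Duplicate Ex
 tension
telephoneNumber: 100
univentionObjectType: users/user
"""

# Source attribute in UCS -> target field in the innovaphone PBX (assumed names).
ATTRIBUTE_MAP = {"uid": "Name", "displayName": "Long Name", "telephoneNumber": "Number"}
REQUIRED = ("uid", "telephoneNumber")
EXTENSION_RE = re.compile(r"^[0-9]{2,6}$")  # assumed numbering plan: 2-6 digits


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Handles folded continuation lines (leading space) and '::' base64 values,
    both of which appear in real ldapsearch output.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):          # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def map_entries(entries, exclude_uids=("ldapread",)):
    """Apply ATTRIBUTE_MAP; return (provisioned users, [(dn, reason) skipped])."""
    provisioned, skipped, seen_numbers = [], [], {}
    for e in entries:
        dn = e["dn"][0]
        if e.get("univentionObjectType") != ["users/user"]:
            skipped.append((dn, "not a UCS user object"))
            continue
        uid = e.get("uid", [""])[0]
        if uid in exclude_uids:
            skipped.append((dn, "service account, must not become a PBX user"))
            continue
        missing = [a for a in REQUIRED if a not in e]
        if missing:
            skipped.append((dn, "missing " + ", ".join(missing)))
            continue
        numbers = e["telephoneNumber"]
        if len(numbers) != 1 or not EXTENSION_RE.match(numbers[0]):
            skipped.append((dn, f"unusable telephoneNumber values {numbers}"))
            continue
        number = numbers[0]
        if number in seen_numbers:
            skipped.append((dn, f"extension {number} already used by {seen_numbers[number]}"))
            continue
        seen_numbers[number] = uid
        provisioned.append({tgt: e[src][0] for src, tgt in ATTRIBUTE_MAP.items() if src in e})
    return provisioned, skipped


if __name__ == "__main__":
    users, problems = map_entries(parse_ldif(SAMPLE_LDIF))
    for u in users:
        print("would provision:", u)
    for dn, why in problems:
        print("skipped:", dn, "-", why)
```

Run against a real dump, the script shows in advance what the replicator will create and flags the cases that otherwise surface only after synchronization: the service account itself, users without an extension, multi-valued or malformed telephoneNumber attributes, and two users sharing one extension.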

Synchronization and Provisioning of the User Account

After the LDAP replicator has been configured successfully, user data from the UCS LDAP directory is synchronized with the innovaphone environment.

During this process, the previously created user Max Muster is automatically provisioned as a user account within the innovaphone platform.

Once the synchronization is complete, the user becomes available for telephony services within the PBX system.

(Screenshot: User account in the innovaphone environment)

Configuring Single Sign-On (SSO) via Keycloak

Finally, Keycloak is integrated as the identity provider to enable Single Sign-On (SSO).

The configuration is performed according to the official innovaphone documentation:

https://wiki.innovaphone.com/index.php?title=Howto14r1:Single_Sign_On_-_oAuth_Login_with_KeyCloak#Steps_in_innovaphone_PBX

Keycloak is configured to use the identities managed in UCS and provides authentication services for the innovaphone environment.

With this setup, users authenticate once via Keycloak and then seamlessly access the innovaphone platform and its telephony features.

User identities and related attributes are automatically provisioned from UCS, allowing them to be used for authentication and authorization within the SSO workflow. The identity that Keycloak asserts for a user must resolve to the same PBX user object the LDAP replicator created, so both paths have to derive the user name from the same UCS attribute; otherwise the login succeeds at Keycloak but cannot be matched to a PBX user.

As a result, telephony services via Single Sign-On are fully configured and ready for use.

Contact

Univention GmbH
Mary-Somerville-Str. 1
28359 Bremen
Tel: +49 (0)421 22232-0
Web: https://www.univention.com/
Mail: info@univention.de