In his presentation in the technology track of the Univention Summit 2024, Ingo Steuwer from Univention's product management team will show how Univention is currently migrating its core services for centralized identity and access management and the user portal to Kubernetes and explain the motivation behind this transition. He explains how Kubernetes makes it possible to combine the advantages of large data center environments with Univention's solutions, making Kubernetes the de facto standard for secure IT environments. In his presentation, Ingo Steuwer will also discuss the architecture, the range of functions and the current status of the first version based on Kubernetes provided as part of openDesk on Open CoDE.

1. Univention IAM and Portal for
Kubernetes
Ingo Steuwer, Univention GmbH

2. Why containers?
» Kubernetes becomes de-facto standard in larger datacenters
» Deutsche Verwaltungscloud-Strategie (DVS)
» Includes: Kubernetes is a must
» Includes: BSI „base security“ („BSI IT Grundschutz“) –
Containers will allow a higher degree of fullfillment / higher
security levels than UCS
» Good technical reasons: automation, scalability, separation of
concern, ...
Image sources:
https://en.m.wikipedia.org/wiki/File:Kubernetes_logo_without_workmark.svg
https://www.it-planungsrat.de/
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Kompendium/IT_Grundschutz_Kompendium_Edition2023.html

3. Univention objectives
» Bring „core Univention functionality“ to Kubernetes
» Identity and Access Management
» Manage identities, rights and related information (UDM, LDAP)
» Single Sign-On (Keycloak)
» Integrations: Provisioning-Backend, Connectors, Integrations
» Portal & Self Service
» Easy access to IT Services and own data for end users
» Share as much as possible with Univention Corporate Server (UCS)
» One codebase, two alternative deployments
» Allow migrations from UCS and combinations with UCS instances
» OSI compliant Open Source Software

4. Approach: „separation of concerns“ - „divide and conquer“
1) Identify the needed functionality
2) Separation of concerns: group functionality in „blocks“
3) Divide and conquer: individual development of each functional block
midterm objective:
each functional block becomes a dedicated software project: own lifecycle, fixed APIs, ...

5. Functional blocks
Identity Store and Directory Service
(OpenLDAP)
Identity Provider
(Keycloak)
Directory Manager
(UDM)
Management UI
(UMC)
Interconnect Service
(Authentication Reverse Proxy)
Provisioning Service
(Event Queue)
Authorization Service
(Open Policy Agent)
End User Self Service
(Univention Self Service)
End User Portal
(Univention Portal)

6. Envision a product – Univention Nubus
Univention Nubus is the enterprise grade open source
software solution for integrated identity and access
management to connect and combine applications to an
end user friendly offering.
http://nubus.io/

7. Are you „Nubus“ or „UCS“ ?
» Kubernetes deployment
» Demand for scalability and automation
» Mix of standard and individual IAM
integrations & configuration
» DevSecOps teams with deep insight to
deployment, configuration and software
architecture
» Virtual Machine or Hardware deployment
» Demand for preconfiguration or interactive
deployments
» Standard integrations with easy installation
from Univention App Center
» Administration teams with broad expertise
which need to cover all day to day tasks

8. Nubus & UCS - same codebase
Image Source: https://icon-icons.com/icon/source-repository/135163
Feature Development Product Releases
3rd
Party
Integrations
Functional Blocks

9. Provisioning backend – the only rewrite
» Objective of the provsioning backend:
Queue „events“ (i.e. „user has been created“) to give
integrations the opportunity to react on them.
» Example: Inform a connected service if a user object has been modified.
» In UCS, Event-Handling ist done by OpenLDAP Notifier Listener
→ →
» Analysis: Notifier/Listener concepts are bound to a virtual machine, the needed changes for a move
into containers would result in a rewrite.
Decision: re-build from scratch based on http://www.nats.io

10. Concept new provisioning backend
Directory Manager
(UDM)
Provisioning Service
(Event Queue)
Authorization Service
(Open Policy Agent)
Involved services
Identity Provider
(Keycloak)
UDM REST API
Notification
REST API
Other Services MOM
processing
MOM
Backend
nats.io
Consumer
REST API
Registration
REST API
Prefill
Service
Open-Xchange
Consumer
Portal
Consumer
Send
Events
Send
Events
Register
consumer
...
Other
Consumer
Consumers register
themselves on
deployment
Backend holds one queue for
each consumer
Prefill allows new
consumers to catch up
with events
Access to provisioning APIs needs
authentication (with Keycloak as IDP) and
authorization (based on OPA)
Dovecot
Consumer
Event-sources Event-handling Event-consumer
Each Consumer is a dedicated
Kubernetes Pod (Container /
Service)

11. What happend in 2023
» Iterative approach – try to keep a functioning stack
» I. phase: Detachment of a first „functional block“ (finished in Q1/23)
» PoC: Portal – splitted in several containers, deployment together with a full UCS instance
» II. phase: Dev-Env without virtual machine (finished mid of 2023)
» All functional blocks run in one or several containers
» III. phase: Kubernetes deployment & functional completeness for „openDesk“ (finished Q4/2023)
» All functionality and integrations needed for openDesk are available
https://gitlab.opencode.de/bmi/opendesk
» All containers are deployed on Kubernetes as part
of an automated openDesk HELM deployment
» Disclaimer: Restrictions / workarounds still in place,
not for productive use

12. Current status – what’s included?
» All functional blocks available
» Separation into containers, communication moved into APIs
» Full functionality including integrations needed for OpenDesk
» Shared code, containers and binaries with UCS
» For example Keycloak container in UCS has seen improvements based on nubus implementations
» Review based on BSI Base Security („Grundschutz“) with high level of fullfillment
» Example: Standardized and reduced container images (based on „Debian Slim“ image builds)
» Core of new Provisioning backend is implemented (but not yet in use)
» Provisioning Workaround based on Listener/Notifier in place
» New Authorization Framework provided as part of the „Rights and Roles“ project (but not yet in use)
» „Guardian“, based on OPA https://www.openpolicyagent.org/

14. Features of Nubus, which are not (yet) in UCS
» New provisioning backend
» Not yet decided if/how to be integrated in UCS
» „Brute force detection“ for Keycloak
» Objectives:
» Inform end users about logins from new devices
» (Temporary) block devices or accounts with suspicous activities (too many failed logins)
» Companion containers for a Keycloak deployment, will be ported to UCS
» Notification API of the Portal
» Objective: process information from Services and inform end users in the portal
» Currently no integration finished, port to UCS after initial integrations available

15. Current status – what’s needed for a first release?
» Finish new provisioning backend & integrations
» Full „maintainability“ – close gaps in test coverage and the release process
» Provide standard deployments (independent from openDesk)
» Address last findings from BSI base security review
» Documentation

16. Next steps – expected in 2024
» Finish open tasks for first production usage
» First stable releases will be focused on individual projects
» Continue work in openDesk
» First releases focused on integration partners,
first partner: Dataport / Phoenix
» Availability as enterprise product
» Will offer more flexible integration modules and APIs
» Migration from existing UCS deployments to Univention Nubus

17. Outlook: Migration & Integration with UCS
» Migration from existing UCS instances
» Tooling to migrate data and configuration from UCS to Univention Nubus
» Expectation: Nubus will replace Primary and Backup UCS Nodes in one downtime
» Co-Existance
» Scenarios: Univention Nubus as leading IAM in a Datacenter,
UCS instances as „satelites“
» Example: UCS instances in schools
» Idea: Univention Nubus emulates standard
services of a UCS Primary Node
→ no timeline yet

18. Feedback welcome!
Univention Nubus is in an early stage – best time to give feedback!
» Test it with openDesk: https://gitlab.opencode.de/bmi/opendesk
» Univention Nubus fits into your project? Get in touch with me!
» Use UCS to get started with Univention IAM and Portal functionality

19. VIELEN DANK!
Ingo Steuwer
Univention GmbH
steuwer@univention.de