Great feature release: More security for your opsi environment

Today we are happy to announce a great feature release for opsi 4.3.

Due to the continuing high cyber threat situation and the increasing deployment of opsi instances in public networks, we have been working intensively on the security of opsi components over the past few months.

With this new feature release for opsi 4.3, we are now introducing three new extensions that further strengthen the security of your opsi environment and increase convenience.

This release’s special highlight: Get 20% off the first year of opsi Enterprise until December 20th!

Single Sign-On

The new opsi extension Single Sign-On (SSO) enables the authentication of users via a central identity provider and SAML 2.0. This way, administrators can also log in to opsi with their existing login data. With SSO, you can use the existing user administration of your identity provider. Users and groups do not have to be maintained separately in opsi, which reduces effort and prevents errors. Standardized authentication mechanisms and guidelines not only increase security, but also improve user convenience and productivity, as they only have to log in once.

The SSO extension currently supports Microsoft Entra ID and Keycloak via the SAML 2.0 protocol.

The use of SSO is available in the components opsi-configed, opsi-WebGUI, opsiconfd-Admin-Page and opsi-cli.

Custom Certificate Authority

The opsi CA integrated in every opsi environment is used to automatically generate and update certificates for opsi servers and opsi clients. This automation is convenient and ensures reliable and secure communication between the opsi components. However, a standard browser does not readily trust the opsi CA and displays a certificate warning when accessing the opsi server. This problem can be solved by importing the opsi CA within the organization. This is not feasible or compatible with security requirements in all organizations.

With the new opsi extension Custom Certificate Authority, additional certification authorities (CAs) can be used in the opsi environment. This means that server certificates can also be issued by other CAs. This can be, for example, a certificate authority managed within your organization or a publicly trusted certification authority. Thus, you can use the chains of trust established in your organization when accessing the opsi server. The browsers then accepts the certificate of the opsi server without warning.

Let’s Encrypt

Thanks to the new option of managing additional certification authorities (CAs) in the opsi environment, Let’s Encrypt certificates can now also be used as server certificates. Let’s Encrypt certificates have a short validity and should therefore be maintained through automated processes.

The new opsi extension Let’s Encrypt handles the fully automated administration for you. All certificates are automatically generated, stored, verified and renewed as required. Certificate chains are also stored and renewed automatically. All common browsers trust Let’s Encrypt and accept the opsi server certificates without warning.

Don’t miss out

All new features are now available as extensions in the opsi Enterprise package. As an opsi Enterprise customer, you will therefore receive the new functions together with this release.

Not opsi Enterprise customer yet? Now is the perfect time to sign up:
Until December 20, we are offering a 20% discount on the first year of opsi Enterprise – a one-time opportunity that you should not miss!

By purchasing an opsi license, you’re not just investing in a powerful IT solution for your organization — you’re also contributing to the growth of an open-source project. Of course, this also applies to our professional services such as support, training and update subscriptions. Your support helps us maintain and enhance the free opsi core while driving the development of new extensions that benefit both your IT infrastructure and the wider community. Together, we’re building a more efficient and secure IT future for everyone.

Get a quote now