Hi everyone,
today we have successfully connected our company Keycloak via SAML to the C8 SaaS environment.
So I hoped that I could now use (almost) the same functions as in C7 Community (embedded in Spring applications).
In C7 we have set up an LdapIdentityProviderPlugin object with access to our company LDAP, so it was possible for us to use our “user LDAP credentials” to log in to the Camunda 7 WebApps.
Because of the LDAP connection, C7 is able to get the groups of each user. Therefore we set up the groupSearchFilter property of the LdapIdentityProviderPlugin.
Now I have the following case:
The user johndoe@mycompany.com is a member of the group “theUnknownGroup”.
The running process instances have tasks for:
- Task 1: candidateUser=johndoe@mycompany.com
- Task 2: candidateUser=janedoe@mycompany.com
- Task 3: candidateGroup=theUnknownGroup
For our internal inbox application, I use the following REST API URL against every C7 engine to get the tasks for johndoe@mycompany.com:
https://myapplication.com/engine-rest/task?candidateUser=johndoe@mycompany.com
With this REST call, the result contains two tasks:
- Task 1 (candidateUser)
- Task 3 (candidateGroup)
So, the REST engine (I guess) is using the LDAP connection to get all members of the group “theUnknownGroup”, and so it knows that johndoe@mycompany.com is a member of this group and returns that task for my request, too.
Great. That’s what I want in C8, too.
Because of the SAML connection in C8, it is possible to log in to (for example) the console with the same credentials as in C7. Fine.
But in C8 (with a SAML connection to my Keycloak, where the user federation is configured against the same LDAP as in my C7 configuration), when I do the following REST call I only get the tasks where the “candidateUser” matches, but not the tasks with “candidateGroups” of which the user is a member.
curl --location --request POST 'https://<region>.camunda.io/<clusterId>/v1/tasks/search' \
--header 'Authorization: Bearer <myBearerToken>' \
--header 'Content-Type: application/json' \
--data-raw '{
"candidateUser": "johndoe@mycompany.com"
}'
So instead of doing one request against the API and getting all relevant tasks, I guess I need to do the following:
Variant 1:
I do a request with candidateGroup for every group the user is a member of
Variant 2:
I get all tasks, check the candidateGroup value and check against my LDAP whether the user is a member of these groups or not.
Is there a chance to get the same function as in C7 in C8, too?
Kind regards,
Rainer
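Variant 1 from the post, implemented in Python against the Tasklist v1 search endpoint shown above, as an added example that is not code from the post or from Camunda. The `state` filter, the `candidateUsers`/`candidateGroups` response fields and the offline `fake_search` stand-in for the HTTP call are assumptions.

```python
# Added example, not from the forum post or from Camunda: emulate the C7
# "candidateUser also matches the user's groups" behaviour against the C8
# Tasklist v1 search API by running one search per group and merging results.
import json
import urllib.request
from typing import Callable, Iterable

SEARCH_PATH = "/v1/tasks/search"  # Tasklist REST API v1 endpoint used in the post

def make_http_search(base_url: str, bearer_token: str) -> Callable[[dict], list]:
    """Return a function that POSTs a search body to Tasklist and returns the JSON list."""
    def search(body: dict) -> list:
        req = urllib.request.Request(
            base_url.rstrip("/") + SEARCH_PATH, data=json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {bearer_token}",
                     "Content-Type": "application/json"}, method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return search

def tasks_for_user(search: Callable[[dict], list], user: str,
                   groups: Iterable[str], state: str = "CREATED") -> list:
    """Variant 1 from the post: one query for the user plus one per group,
    merged and de-duplicated on task id (first-seen order kept). `groups`
    should come from the authenticated identity (e.g. the SAML group claim
    Keycloak issues), not from a caller-supplied parameter."""
    queries = [{"candidateUser": user, "state": state}]
    queries += [{"candidateGroup": g, "state": state} for g in groups]
    seen: dict = {}
    for body in queries:
        for task in search(body):
            seen.setdefault(task["id"], task)  # a task named twice is kept once
    return list(seen.values())

# Constructed sample data modelled on the three tasks in the post, plus a
# fourth task that lists both the user and the group to exercise de-duplication.
SAMPLE_TASKS = [
    {"id": "t1", "name": "Task 1", "candidateUsers": ["johndoe@mycompany.com"], "candidateGroups": []},
    {"id": "t2", "name": "Task 2", "candidateUsers": ["janedoe@mycompany.com"], "candidateGroups": []},
    {"id": "t3", "name": "Task 3", "candidateUsers": [], "candidateGroups": ["theUnknownGroup"]},
    {"id": "t4", "name": "Task 4", "candidateUsers": ["johndoe@mycompany.com"], "candidateGroups": ["theUnknownGroup"]},
]

def fake_search(body: dict) -> list:
    """Offline stand-in for the HTTP call that filters SAMPLE_TASKS as Tasklist would."""
    if "candidateUser" in body:
        return [t for t in SAMPLE_TASKS if body["candidateUser"] in t["candidateUsers"]]
    return [t for t in SAMPLE_TASKS if body["candidateGroup"] in t["candidateGroups"]]
```

Against a real cluster, pass `make_http_search("https://<region>.camunda.io/<clusterId>", token)` instead of `fake_search`; each group still costs one round trip, which is the overhead the post is asking to avoid.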