Getting candidateUser and candidateGroup tasks like in C7 REST API

Hi everyone,

Today we successfully connected our company Keycloak via SAML to the C8 SaaS environment.

So I hoped that I can now use (almost) the same functions as in C7 Community (embedded in Spring applications).

In C7 we have set up a LdapIdentityProviderPlugin object with access to our company LDAP. So it was possible for us to use our “user LDAP credentials” for the login to the Camunda 7 WebApps.

Because of the LDAP connection, C7 is able to get the groups of each user. Therefore we set up the groupSearchFilter property of the LdapIdentityProviderPlugin.

Now I have the following case:

The user johndoe@mycompany.com is a member of the group “theUnknownGroup”.
The running process instances have tasks for:

For our internal inbox application, I use the following REST API URL against every C7 engine to get the tasks for johndoe@mycompany.com:

https://myapplication.com/engine-rest/task?candidateUser=johndoe@mycompany.com

With this REST call, the result contains two tasks:

  1. Task 1 (candidateUser)
  2. Task 3 (candidateGroup)

So, the REST engine (I guess) is using the LDAP connection to get all members of the group “theUnknownGroup” and so it knows that johndoe@mycompany.com is a member of this group and returns the task in my request, too.

Great. That’s what I want in C8, too.

Because of the SAML connection in C8, it is possible to log in to (for example) the console with the same credentials as in C7. Fine 🙂

But in C8 (with a SAML connection to my Keycloak, where the user federation is configured against the same LDAP as in my C7 configuration), when I do the following REST call, I just get the tasks where the “candidateUser” is the same, but not the tasks with “candidateGroups” that the user is a member of.

curl --location --request POST 'https://<region>.camunda.io/<clusterId>/v1/tasks/search' \
--header 'Authorization: Bearer <myBearerToken>' \
--header 'Content-Type: application/json' \
--data-raw '{
"candidateUser": "johndoe@mycompany.com"
}'

So instead of doing one request against the API and getting all relevant tasks, I guess I need to do the following:

Variant 1:
I do a request with candidateGroup for every group the user is a member of

Variant 2:
I get all tasks, check the candidateGroup value and check against my LDAP if the user is a member of these groups or not.

Is there a chance to get the same function as in C7 in C8, too?

Kind regards,

Rainer

Hey @Rainer78 welcome to the forums! What version of Camunda 8 are you using in your setup environment?

Kind regards,
Panos

Hi Panos,

all of our C8 clusters are running “Camunda 8.5+gen9”

Kind regards,

Rainer

Hi @Rainer78, currently the search API does not take this scenario into account, since you would not be able to distinguish candidateGroups and candidateUsers respectively from the requests. You could create a feature request in the repository so that it can be further evaluated and discussed.

Kind regards,
Panos
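
Variant 1 from the question, as an added example that is not part of the original thread and not Camunda's own code: one `candidateUser` search plus one `candidateGroup` search per group, merged by task id. It assumes the search response is a JSON array of tasks with `id`, `candidateUsers` and `candidateGroups` fields; `http_search`, `tasks_for_user`, `fake_search` and the sample tasks are hypothetical names and constructed data.

```python
import json
import urllib.request
from typing import Callable, Iterable

BASE_URL = "https://<region>.camunda.io/<clusterId>"  # placeholders from the thread

def http_search(token: str) -> Callable[[dict], list]:
    """Build a search function that POSTs one filter to /v1/tasks/search."""
    def search(body: dict) -> list:
        req = urllib.request.Request(
            BASE_URL + "/v1/tasks/search",
            data=json.dumps(body).encode(),
            headers={"Authorization": "Bearer " + token,
                     "Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return search

def tasks_for_user(search: Callable[[dict], list], user: str, groups: Iterable[str]) -> list:
    """Run one candidateUser search and one candidateGroup search per group,
    merging by task id so a task matched by several filters appears once."""
    # `groups` decides which tasks become visible, so resolve it server-side
    # (LDAP lookup or verified IdP claims), never from the end user's request.
    filters = [{"candidateUser": user}]
    filters += [{"candidateGroup": g} for g in sorted(set(groups))]
    merged = {}
    for f in filters:
        key, value = next(iter(f.items()))
        for task in search(f):
            entry = merged.setdefault(task["id"], {**task, "matchedBy": []})
            entry["matchedBy"].append(f"{key}={value}")
    return sorted(merged.values(), key=lambda t: t["id"])

# Constructed sample tasks standing in for a cluster (not real API output).
SAMPLE_TASKS = [
    {"id": "1", "candidateUsers": ["johndoe@mycompany.com"], "candidateGroups": []},
    {"id": "3", "candidateUsers": [], "candidateGroups": ["theUnknownGroup"]},
    {"id": "4", "candidateUsers": ["johndoe@mycompany.com"], "candidateGroups": ["theUnknownGroup"]},
    {"id": "9", "candidateUsers": ["janedoe@mycompany.com"], "candidateGroups": ["otherGroup"]},
]

def fake_search(body: dict) -> list:
    """Offline stand-in for http_search(): applies the single filter locally."""
    (key, value), = body.items()
    field = {"candidateUser": "candidateUsers", "candidateGroup": "candidateGroups"}[key]
    return [t for t in SAMPLE_TASKS if value in t[field]]
```

Against a real cluster, pass `http_search(token)` instead of `fake_search`; following the API's result paging is left out here.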
