I am facing an issue with this repository. Please help me look at how the following steps will be carried out: https://github.com/camunda-consulting/code/tree/master/snippets/springboot-security-sso
Please help with the integration of Camunda with Keycloak SSO.
Hi Niall. I have tried this too. But in this project the VonDerBeck camunda-identity-keycloak jar is not in the Maven repository and is not available on Google either.
The project will be available in a public Maven repo in the future. As it is based on a standard Maven build, try to check out and build the project locally. This should be a good interim solution.
Hi VonDerBeck ,
Building the project locally leads to the "no manifest file attribute" error. I want to know how this project, which will integrate SSO of Camunda with Keycloak, runs. How will the project jar be added to the server so that the internal code will be called?
Please help, as it is not mentioned in the README.md file. Next, I have checked the keycloak-showcase-master repository, where the jar cannot be built. Please help.
Can you be more specific about what your exact errors are?
1.) The plugin itself is in the repository https://github.com/VonDerBeck/camunda-identity-keycloak and simply requires JDK 8 and Maven. It is not an executable but a library. It can be integrated into your Camunda project in the same way as the LDAP Identity Provider. See the project documentation for the setup.
2.) The showcase including the full SSO setup resides in the repository https://github.com/VonDerBeck/camunda-showcase-keycloak . In order to make the build process work you should have the above plugin compiled and available - at least in your local Maven repository.
If this doesn't work out for you, there is a solution in sight:
The plugin may be available on Maven Central by the end of the month.
Furthermore, it will be upgraded to work with Camunda 7.11.
The showcase will be updated to the new versions (Camunda 7.11, Spring Boot 2.1.5.RELEASE) as well.
The showcase will only require public repos for your dependencies.
Next step: I am not able to understand from the document what the next step will be. Where will I put this whole project, or the jar which is created in the target folder, in the Camunda server?
Please help us step by step with what the next process will be after point 3.
What you have now is the IdentityProvider available in your local Maven repo. Your next steps depend on your runtime environment. Are you using Spring Boot or JEE/Wildfly?
When using Spring Boot you have to:
add the dependency to your Camunda Spring Boot project
add a KeycloakIdentityProvider component to your project in order to activate the plugin (see documentation)
prepare your Keycloak server as documented (create the client camunda-identity-service in your realm)
configure the adapter as documented (plugin.identity.keycloak section in application.yaml)
Afterwards the Camunda Identity Service connects to the Keycloak server. But you will still have to log in using the Camunda login screen.
SSO is the next level. It follows standard Spring OAuth2 Security. You will additionally have to:
add the spring-boot-starter-security and spring-security-oauth2-autoconfigure dependencies
add a KeycloakAuthenticationProvider and your own WebAppSecurityConfig
configure the Spring Security security.oauth2 section in your application.yaml
The SSO steps are documented as well. The only Camunda-specific code can be found in KeycloakAuthenticationProvider, which takes care of extracting the authenticated user and querying the corresponding groups using the Identity Provider.
An example can be found within the showcase project.
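The two Spring Boot classes the steps above call for, written out as an added example; this is not code from the thread, the plugin or the showcase repository. It assumes the legacy Spring Boot OAuth2 autoconfiguration named in the post (spring-boot-starter-security plus spring-security-oauth2-autoconfigure with its security.oauth2 section in application.yaml), that the Keycloak user-info response carries an "email" claim and that, as the showcase does, the e-mail address is the Camunda user id. The package name is hypothetical, and in a real project the two classes live in separate files.

```java
// Added example, not the plugin's or showcase's own code. Package name is hypothetical.
package com.example.camunda.sso;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationResult;
import org.camunda.bpm.engine.rest.security.auth.impl.ContainerBasedAuthenticationProvider;
import org.camunda.bpm.webapp.impl.security.auth.ContainerBasedAuthenticationFilter;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.web.context.request.RequestContextListener;

/**
 * The only Camunda-specific piece: hands the user that Spring Security authenticated
 * against Keycloak over to the Camunda web apps, together with the user's groups.
 * Camunda calls this on every request that passes the ContainerBasedAuthenticationFilter below.
 */
public class KeycloakAuthenticationProvider extends ContainerBasedAuthenticationProvider {

    @Override
    public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (!(authentication instanceof OAuth2Authentication)) {
            // No OAuth2 login yet: report failure, Spring Security redirects to Keycloak.
            return AuthenticationResult.unsuccessful();
        }
        // The legacy autoconfiguration stores the user-info response as the details map.
        // "email" is an assumption matching the showcase's e-mail-as-username convention;
        // adapt it if your plugin configuration maps the Camunda user id differently.
        Object details = ((OAuth2Authentication) authentication).getUserAuthentication().getDetails();
        String userId = null;
        if (details instanceof Map) {
            Object email = ((Map<?, ?>) details).get("email");
            userId = email == null ? null : email.toString();
        }
        if (userId == null || userId.isEmpty()) {
            return AuthenticationResult.unsuccessful();
        }
        AuthenticationResult result = new AuthenticationResult(userId, true);
        // Groups come from the Camunda Identity Service, which the Keycloak identity
        // provider plugin backs; Camunda's authorization checks depend on them.
        result.setGroups(getUserGroups(userId, engine));
        return result;
    }

    private List<String> getUserGroups(String userId, ProcessEngine engine) {
        List<String> groupIds = new ArrayList<>();
        engine.getIdentityService().createGroupQuery().groupMember(userId).list()
              .forEach(group -> groupIds.add(group.getId()));
        return groupIds;
    }
}

/** Protects the web apps with the OAuth2 login and registers the Camunda filter. */
@Configuration
@EnableWebSecurity
@EnableOAuth2Sso // client id/secret and endpoint URLs come from security.oauth2 in application.yaml
class WebAppSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().ignoringAntMatchers("/api/**", "/engine-rest/**") // the web app ships its own CSRF token
            .and()
            .antMatcher("/**")
            .authorizeRequests()
            .antMatchers("/app/**", "/api/**", "/lib/**").authenticated() // Cockpit, Tasklist, Admin
            .anyRequest().permitAll();
    }

    @Bean
    public FilterRegistrationBean<ContainerBasedAuthenticationFilter> containerBasedAuthenticationFilter() {
        FilterRegistrationBean<ContainerBasedAuthenticationFilter> registration = new FilterRegistrationBean<>();
        registration.setFilter(new ContainerBasedAuthenticationFilter());
        // Camunda instantiates the provider from this class name.
        registration.setInitParameters(Collections.singletonMap(
                "authentication-provider", KeycloakAuthenticationProvider.class.getName()));
        registration.setOrder(101); // after Spring Security's chain, so the login has already happened
        registration.addUrlPatterns("/app/*");
        return registration;
    }

    // The OAuth2 client beans are request-scoped; the filter above needs a request context.
    @Bean
    @Order(0)
    public RequestContextListener requestContextListener() {
        return new RequestContextListener();
    }
}
```

Two things worth checking once this is in place: the filter order must be higher than Spring Security's chain, otherwise the provider sees no authentication and every request looks anonymous, and the REST API paths excluded from CSRF above are still protected by the `authenticated()` rule, so nothing is exposed without a login.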
Please check your application.yaml URLs and ports.
It might be important that in order to use Spring Security SSO OAuth2 over HTTPS you'll need a valid SSL certificate on your Keycloak server. This might be a bit exaggerated for a local development environment. When running in cloud environments SSL is very often handled by the load balancer in front, etc.
The Keycloak Identity Provider Plugin itself has an option to disable SSL certificate validation. But this is apart from Spring Security SSO; it affects the connection from the Camunda Identity Service to Keycloak only. Keycloak generates a self-signed certificate upon startup, which Spring Security might complain about. So what does this all mean?
Within your locally running Keycloak Docker image, enable the HTTP port as well (see the documentation of the Showcase), e.g.
ports:
- "9001:8443"
- "9000:8080"
Check and adapt the security.oauth2 URLs accordingly. The Showcase has been prepared correctly.
When using the Showcase as is, you have to log in using the email address as the username. Check that "login with email" has been enabled within your Keycloak realm settings as well.
This might help you to get it up and running on your local machine, which is especially helpful for development. Keep in mind that for production it is not recommended to use plain HTTP.
If this does not help, please examine the log of your Camunda Spring Boot application. What you have provided might not be the real cause, and there will very likely be more error messages in the stack trace or before it.
So this causes the error. The docs say that you must not do this and that the admin-user part must be deleted. It is a hint for users starting with a standard Camunda Spring Boot configuration.