Integration of camunda with keycloak SSO

Hi @VonDerBeck,
Thank you sooo… much @VonDerBeck for your precious time and your help. It worked!! Thanks a lot…


Hi @VonDerBeck,
After the redirect of the URL to Camunda, when I log in as keycloak / keycloak1! it redirects me to the Camunda page, but on the Camunda page I can't see the task tab, even though the keycloak user is an admin user.


Also, every time I need to clear the cache, and sometimes it doesn't open in incognito mode.

Hi @Tanmay_Naik,

very interesting - you’re using the Keycloak internal administrator as Camunda Admin as well. Personally I very much like to separate concerns.

Are you aware that

  • you have set the plugin option useEmailAsCamundaUserId to true?
  • the Keycloak internal administrator does not have an email address? And thus is not a valid Camunda user and has no rights?

For a production like setup I would recommend to

  • not use the master realm but setup your own security realm.
  • within that realm create the camunda admin group
  • assign a dedicated admin user of this new realm to the camunda admin group
  • adapt all Keycloak URLs according to the new realm

In case you want to just play around a little bit you have the following options. Either

  • switch to using the plugin option useUsernameAsCamundaUserId (keep in mind that this requires a change in the KeycloakAuthenticationProvider when extracting the userId)
  • or create your own Camunda Admin User
  • or add an email to the original Keycloak admin user in case you really want to keep using this user as camunda admin as well (which, in my opinion, would mix up things)
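To illustrate the change to the userId extraction mentioned above, here is an added example of a KeycloakAuthenticationProvider (written for this thread, not the showcase project's own code). It assumes the legacy spring-security-oauth2 stack referenced in this thread, where the userinfo claims end up as a Map in the user authentication's details, and uses the standard OIDC claims `email` and `preferred_username`; the constructor flag is a hypothetical stand-in for the plugin option.

```java
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;

import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.identity.Group;
import org.camunda.bpm.webapp.impl.security.auth.AuthenticationResult;
import org.camunda.bpm.webapp.impl.security.auth.ContainerBasedAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.OAuth2Authentication;

public class KeycloakAuthenticationProvider extends ContainerBasedAuthenticationProvider {
    // Hypothetical switch mirroring the plugin option: true -> preferred_username, false -> email.
    private final boolean useUsernameAsCamundaUserId;

    public KeycloakAuthenticationProvider(boolean useUsernameAsCamundaUserId) {
        this.useUsernameAsCamundaUserId = useUsernameAsCamundaUserId;
    }

    @Override
    public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!(auth instanceof OAuth2Authentication)) {
            return AuthenticationResult.unsuccessful();
        }
        Authentication userAuth = ((OAuth2Authentication) auth).getUserAuthentication();
        if (userAuth == null || !(userAuth.getDetails() instanceof Map)) {
            return AuthenticationResult.unsuccessful();
        }
        // Userinfo claims Spring stored for the logged-in user (assumption: a Map of claims).
        Map<?, ?> claims = (Map<?, ?>) userAuth.getDetails();
        // The claim must match what the plugin uses as Camunda user id; otherwise the
        // principal resolves to no Camunda user and ends up with no rights.
        Object userId = claims.get(useUsernameAsCamundaUserId ? "preferred_username" : "email");
        if (!(userId instanceof String) || ((String) userId).isEmpty()) {
            // Fail closed: e.g. the Keycloak master-realm admin carries no email claim.
            return AuthenticationResult.unsuccessful();
        }
        AuthenticationResult result = new AuthenticationResult((String) userId, true);
        result.setGroups(groupIdsOf((String) userId, engine));
        return result;
    }

    // Group ids are resolved through the identity plugin, i.e. they come from Keycloak.
    private static List<String> groupIdsOf(String userId, ProcessEngine engine) {
        List<Group> groups = engine.getIdentityService().createGroupQuery().groupMember(userId).list();
        return groups.stream().map(Group::getId).collect(Collectors.toList());
    }
}
```

The flag must agree with the plugin setting (useEmailAsCamundaUserId vs. useUsernameAsCamundaUserId), since both sides have to agree on which claim is the Camunda user id.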

Yes, in the application.yaml file I am using

useUsernameAsCamundaUserId=true

Hi @VonDerBeck,
Can we have a call? Like a GoToMeeting call.

Hi @Tanmay_Naik,

sadly I’m running out of time today. If you want to have a look at a prepared test setup for Keycloak matching the original showcase configuration use the following docker image:

image: gunnaraccso/keycloak.server:5.0.0

It has a prepared configuration with Camunda Client, Groups, User etc.


Hi @VonDerBeck,
I have pulled your image and run it on Docker.
I have this in my yaml file:

plugin.identity.keycloak:
  keycloakIssuerUrl: ${keycloak.url.plugin}/auth/realms/master
  keycloakAdminUrl: ${keycloak.url.plugin}/auth/admin/realms/master
  clientId: camunda-identity-service
  clientSecret: 7d3c845d-f652-4bed-9797-d6d20b7623da
  useEmailAsCamundaUserId: true
  useUsernameAsCamundaUserId: false
  administratorGroupName: camunda-admin
  disableSSLCertificateValidation: true

After running this, the Camunda page after the redirect is not visible; it shows 401 Unauthorized.

Hi @Tanmay_Naik

HTTP 401 is “unauthorized”.

  • Please be aware that, once logged in, SSO stores and keeps your session. So in order to check if SSO is working you must, e.g., not have logged into Keycloak with the Keycloak admin and then try to use the same browser to log into Camunda using another user. Always try to start with a fresh, clean browser. An easy way to do this is to use the “new private window” / “new incognito window” functionality of your browser.
  • The next thing to be aware of is that you have a configuration for the identity plugin (plugin.identity.keycloak) and another configuration for the SSO OAuth2 Client part of Spring (security.oauth2).
  • Hint: the plugin will work without the OAuth2 SSO part as well, you will then have to use the Camunda Login Page, behind the scenes you will get authenticated against Keycloak. This approach will allow you to login / logout into Camunda just like you are used to when using Camunda standalone.

In case there are any questions left please have a look at the Spring Boot OAuth2 documentation (e.g. https://spring.io/guides/tutorials/spring-boot-oauth2/, https://www.baeldung.com/sso-spring-security-oauth2). The only Camunda specific part can be found within the OAuth2 KeycloakAuthenticationProvider when it comes to extracting the userId and querying for the corresponding groups. All the rest of the setup is Spring Security / OAuth2 standard.

Kind regards
Gunnar

Ohh!!! Cool. @VonDerBeck I have a question. When I use this URL http://localhost:8080/engine-rest/user it doesn't give me the list of users.

Hi @Tanmay_Naik,

sadly the REST-API hasn’t been configured so far in the sample project. It’s on the TODO list.

Some hints:

I still have to deal with the details myself, but it shouldn’t be too difficult.

Regards
Gunnar


Hi @VonDerBeck,
In the camunda-showcase-keycloak project we are configuring the client-id and secret-key hardcoded. Is there any way to make this dynamic?

Hi @Tanmay_Naik,

these parameters are configurable in application.yaml.

  • this means that you have all mechanisms from Spring Boot at hand - including the configuration of such parameters using environment variables. For an example see parameters KEYCLOAK_URL_xxx etc.
  • as a consequence it’s configurable using e.g. standard Kubernetes features like secrets, configmap, …

Just change the example according to your own needs. The provided example setup shows the main wiring and main aspects, it does not cover all production aspects.

Regards
Gunnar

Hi @VonDerBeck, I am not able to create Tenants in Camunda, and I am also not able to see the Add Tenants tab under the admin panel.

Hi @VonDerBeck, so I created a Tenant from code and got this error.

I have gone through the Javadoc, where it says that the identity service implementation provides read-only access to the user repository, false otherwise.

So through the Camunda UI I was not able to see the Create Tenant button.

So how would I enable this Tenants tab?

@VonDerBeck
See the yaml file too.

I am logging in with a user which is an admin user created in Keycloak and has all the access.

Hi @Tanmay_Naik,

one of the current limitations of the Keycloak Identity Provider is, that tenants are currently not yet supported. See documentation of the plugin.

And please be aware, that this is a ReadOnly Identity Provider, which means you are not allowed to create users, groups, etc. using the Camunda admin frontend.

Cheers
Gunnar

Hi @VonDerBeck, so if we want a WriteOnly Identity Provider, then is there any way?

Hi @Tanmay_Naik,

the question is not if there is a way.

You either want to manage your groups & users within your application and stick with the integrated original identity service or you want to manage groups & users outside your applications in some kind of external identity system like LDAP, Keycloak, Auth0, … The latter approach means that Camunda is only reading groups & users.

Writing from Camunda to Keycloak is a really bad idea and I would neither support nor recommend to do such things.

Cheers
Gunnar


Hi @VonDerBeck,
Yes, I wanted to manage groups & users outside our application with an external identity system, i.e. Keycloak. Thanks, I got my answer; I will follow what you said.