Keycloak Camunda Identity Provider Plugin doesn't redirect to Keycloak login form

Hi everyone!
I want to install the Keycloak Camunda Identity Provider Plugin on Camunda in a Docker image built from camunda/camunda-bpm-platform:7.17.0.

I was guided by the Installation on Tomcat guide on the plugin’s GitHub page: camunda-bpm-identity-keycloak/examples/tomcat at master · camunda-community-hub/camunda-bpm-identity-keycloak · GitHub

I added camunda-bpm-identity-keycloak-all-2.2.3.jar (downloaded from the releases page) to /camunda/lib/ and bpm-platform.xml to /camunda/conf/ in the Docker container.

My bpm-platform.xml contains:

            <property name="keycloakIssuerUrl">http://localhost:8081/auth/realms/hydra</property>
            <property name="keycloakAdminUrl">http://localhost:8081/auth/admin/realms/hydra</property>
            <property name="clientId">camunda-identity-service</property>
            <property name="clientSecret">4cc3506c-91fb-41eb-8494-ec55d667c8e0</property>
            <property name="useUsernameAsCamundaUserId">true</property>
            <property name="useGroupPathAsCamundaGroupId">true</property>
            <property name="administratorGroupName">camunda-admin</property>
            <property name="disableSSLCertificateValidation">true</property>

I build and run my container and don’t see any errors. But when I open localhost:8080 (where my Camunda was launched), the redirection to Keycloak doesn’t happen and I see only Camunda’s native login/password form. At the same time, if I log in to Keycloak as admin, I can see a session with my Camunda app.

How do I enable login via Keycloak in my case? Maybe I’m doing something wrong?

Thank you in advance!
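
An added example, not part of the original post or the plugin's own code: a small audit of the plugin properties shown above that flags settings to review before the setup leaves a local test environment. The sample XML is constructed from the post's property names, the wrapping `<properties>` element and the secret placeholder are assumptions, and treating a `${...}` value as an externalised secret is this example's own convention.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: property names and URLs mirror the post above;
# the <properties> wrapper and the secret placeholder are assumptions.
SAMPLE = """<properties>
  <property name="keycloakIssuerUrl">http://localhost:8081/auth/realms/hydra</property>
  <property name="keycloakAdminUrl">http://localhost:8081/auth/admin/realms/hydra</property>
  <property name="clientId">camunda-identity-service</property>
  <property name="clientSecret">PLACEHOLDER-SECRET</property>
  <property name="disableSSLCertificateValidation">true</property>
</properties>"""


def read_properties(xml_text):
    """Collect <property name="..."> values, ignoring any XML namespace."""
    root = ET.fromstring(xml_text)
    props = {}
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "property" and "name" in el.attrib:
            props[el.attrib["name"]] = (el.text or "").strip()
    return props


def audit(props):
    """Return (property, finding) pairs for settings to review."""
    findings = []
    if props.get("disableSSLCertificateValidation", "false").lower() == "true":
        findings.append(("disableSSLCertificateValidation",
                         "TLS certificate validation towards Keycloak is off"))
    for key in ("keycloakIssuerUrl", "keycloakAdminUrl"):
        url = urlparse(props.get(key, ""))
        if url.scheme == "http":
            findings.append((key, "plain HTTP: credentials and tokens are sent unencrypted"))
    secret = props.get("clientSecret", "")
    # Assumption of this example: a ${...} placeholder means the secret lives outside the file.
    if secret and not secret.startswith("${"):
        findings.append(("clientSecret", "secret stored literally in the config file"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(read_properties(SAMPLE)):
        print(f"{name}: {finding}")
```
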

Hi @theodor ,

Have you read through this post yet? It gives a fairly detailed step-by-step process for using Keycloak as the identity provider for Camunda.

If that doesn’t solve your issue, please let me know and I can try to help out some more. I’ve worked a fair amount with Keycloak these days.

Best Regards,

Hi @theodor,

As far as I understand, your setup consists of adding the Keycloak community extension to a Tomcat distribution. This means that you have changed the original identity provider to now work with Keycloak. This is all your setup does. It does not include SSO. If you want to have full SSO, please go to the sample provided at camunda-platform-7-keycloak/examples/sso-kubernetes at master · camunda-community-hub/camunda-platform-7-keycloak · GitHub.

Thank you for your response! I saw this example, but it’s for the Java Spring Boot distribution. How can I use this example to build my solution for the Tomcat distribution?

Thank you for your response! I’ve read this post, but it didn’t help me, because it’s about the Run distribution, but I use the Tomcat distribution.


SSO with Tomcat is a totally different story… You could have a look at the work of GitHub - iceman91176/camunda-bpm-auth-keycloak-sso - he uses the Keycloak Identity Provider under the hood as well but has worked on the Tomcat stuff.

Hope this helps.

I am in the process of developing a similar solution with the Tomcat version of Camunda, Siteminder as the IDP and SAML as the protocol. I was able to implement it successfully in the Spring Boot version of Camunda, but implementing the same in the Tomcat version of Camunda seems to be challenging. Can you point me to a solution which is relatively easier to test, develop and modify? As Iceman91176’s solution gets integrated with the Docker build, it might be difficult for me to develop.

To be quite honest: the days of me messing around with Application Servers and Tomcat Standalone Containers are pretty long gone.
Spring Boot is just much more effective and fits much more easily into a whole range of IT landscapes. After all, it’s all about focusing as effectively as possible on the business side of things.
Long story short: No, I don’t have a simple solution for Standalone Tomcat ready. If you develop something - let the community know.