Next steps after the camunda-showcase-keycloak

Gbaruzzi · February 28, 2024, 12:00pm

Dear all,
I was able to start on my system the camunda-showcase-keycloak of @VonDerBeck. (Thank you!).

My PoC requires now that I can manage all the roles for a user Inside Keycloak, but I CANNOT manage any group.

I had a look to the interesting work of iceman91176 and to the linkedin article Integrating Camunda with Keycloak for Enhanced Access Control.

Would it be possible to have an integration of the work of Iceman91176 and of VonDerBeck ?
In which direction should I look to implement my need?

thank you for your ideas and suggestions
Giovanni

VonDerBeck · March 1, 2024, 7:41am

Hi Giovanni,

for using roles instead of groups - if I were you I would do the following:

Think if you really need users and groups/roles show up in Camunda Admin
Leave Camunda Identity Provider as is and use SSO only
To summarize: follow the steps of the article you mentioned

Why? Because the Keycloak Identity Provider plugin under the hood uses Keycloak’s Administration REST API. Keycloak of course provides a performant way to get all roles (whether direct or indirect!) of a user. That is what it is build for. But not the other way around - we will miss all indirect users that have a specified role name e.g. due to their group membership and so on. Even worse: there are not even any filter criteria to reduce the result list. So this does not match the use cases of the Identity Provider API and is therefore deliberately left out.

Gunnar

Gbaruzzi · March 1, 2024, 8:08am

Thank you VonDerBeck,

No, I don’t need any Camunda Admin, I need a few administrators for Camunda and that the user are able to interact with the processes.
Is the Camund Identity Provider really able to manage the Admins? THis would be enoucght for me.
Which articole do you mean? The one of iceman91176?

You wrote: “the Keycloak Identity Provider plugin under the hood uses Keycloak’s Administration REST API”:
This is a very important information and I think that this should be inserted in the README.

Thank you again for your precious work,
Giovanni

VonDerBeck · March 1, 2024, 8:15am

To clarify: the Camunda Keycloak Identity Provider is a ReadOnly Identity Provider - it does in no way provide the ability to modify users and groups in Keycloak!

Gbaruzzi · March 1, 2024, 9:51am

Hallo VonDerBeck,
Please clarify which article should I follow. Your Showcase or the iceman91176 ?
Thank you,
Giovanni

P.S.
I thick taht yu shoud add the following sentence to the README of the Keycloak Identity Provider Plugin:
“the Keycloak Identity Provider plugin under the hood uses Keycloak’s Administration REST API and accesses the user management in a READONLY way: - it does in no way provide the ability to modify users and groups in Keycloak”

VonDerBeck · March 1, 2024, 9:58am

@Gbaruzzi in short:

Your link: Integrating Camunda with Keycloak for Enhanced Access Control
The documentation of the plugin already states “This plugin provides the basis for using Keycloak as Identity Management solution and will provide a ReadOnlyIdentityProvider.”

system · May 30, 2024, 9:59am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.