for using roles instead of groups - if I were you I would do the following:
Think if you really need users and groups/roles show up in Camunda Admin
Leave Camunda Identity Provider as is and use SSO only
To summarize: follow the steps of the article you mentioned
Why? Because the Keycloak Identity Provider plugin under the hood uses Keycloak’s Administration REST API. Keycloak of course provides a performant way to get all roles (whether direct or indirect!) of a user. That is what it is built for. But not the other way around - we will miss all indirect users that have a specified role name, e.g. due to their group membership and so on. Even worse: there are not even any filter criteria to reduce the result list. So this does not match the use cases of the Identity Provider API and is therefore deliberately left out.
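To make the asymmetry described above concrete, here is an added example (not code from the thread, the Camunda plugin, or Keycloak): a small model of how a user's effective realm roles follow from direct mappings, group membership (including parent groups) and composite roles, and why the reverse lookup "all users holding role X" has to resolve every user. The realm data is constructed for illustration; the real plugin talks to Keycloak's Admin REST API instead of these in-memory dictionaries.

```python
"""Constructed model of Keycloak role resolution (added example, not plugin code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Realm:
    # role -> child roles (composite roles); plain roles map to an empty set
    composites: Dict[str, Set[str]] = field(default_factory=dict)
    # group -> parent group (None for top-level groups); subgroups inherit
    # the role mappings of their ancestors
    group_parent: Dict[str, Optional[str]] = field(default_factory=dict)
    # group -> roles mapped directly to the group
    group_roles: Dict[str, Set[str]] = field(default_factory=dict)
    # user -> roles mapped directly to the user
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    # user -> groups the user is a direct member of
    user_groups: Dict[str, Set[str]] = field(default_factory=dict)


def expand_composites(realm: Realm, roles: Set[str]) -> Set[str]:
    """Transitive closure over composite roles (the 'effective' roles)."""
    seen: Set[str] = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(realm.composites.get(role, ()))
    return seen


def group_chain(realm: Realm, group: Optional[str]):
    """Yield a group and all of its ancestors (role mappings are inherited)."""
    while group is not None:
        yield group
        group = realm.group_parent.get(group)


def effective_roles(realm: Realm, user: str) -> Set[str]:
    """Forward lookup: cheap, because everything hangs off one user record."""
    roles = set(realm.user_roles.get(user, ()))
    for group in realm.user_groups.get(user, ()):
        for ancestor in group_chain(realm, group):
            roles |= realm.group_roles.get(ancestor, set())
    return expand_composites(realm, roles)


def users_with_role(realm: Realm, role: str) -> Set[str]:
    """Reverse lookup: no index exists, so every user must be resolved."""
    all_users = realm.user_roles.keys() | realm.user_groups.keys()
    return {u for u in all_users if role in effective_roles(realm, u)}


# Constructed sample realm: 'admin' is a composite role, 'hr' is a subgroup of 'staff'.
SAMPLE = Realm(
    composites={"admin": {"manage-users", "view-users"}, "manage-users": set(),
                "view-users": set(), "camunda-user": set()},
    group_parent={"staff": None, "hr": "staff"},
    group_roles={"staff": {"camunda-user"}, "hr": {"view-users"}},
    user_roles={"alice": {"admin"}, "bob": set(), "carol": set()},
    user_groups={"alice": set(), "bob": {"hr"}, "carol": {"staff"}},
)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, sorted(effective_roles(SAMPLE, user)))
    # bob holds view-users only through the hr group, alice only through the
    # admin composite: both are "indirect" holders a naive query would miss
    print("view-users:", sorted(users_with_role(SAMPLE, "view-users")))
```

In this model `effective_roles` touches only the records reachable from one user, whereas `users_with_role` has to call it for every user in the realm; that is the cost the plugin avoids by not offering a "users by group/role" query.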
No, I don’t need any Camunda Admin, I need a few administrators for Camunda and that the users are able to interact with the processes.
Is the Camunda Identity Provider really able to manage the Admins? This would be enough for me.
Which article do you mean? The one of iceman91176?
You wrote: “the Keycloak Identity Provider plugin under the hood uses Keycloak’s Administration REST API”:
This is very important information and I think that this should be inserted in the README.
To clarify: the Camunda Keycloak Identity Provider is a ReadOnly Identity Provider - it does in no way provide the ability to modify users and groups in Keycloak!
Hello VonDerBeck,
Please clarify which article I should follow. Your Showcase or the one of iceman91176?
Thank you,
Giovanni
P.S.
I think that you should add the following sentence to the README of the Keycloak Identity Provider Plugin:
“the Keycloak Identity Provider plugin under the hood uses Keycloak’s Administration REST API and accesses the user management in a READONLY way - it does in no way provide the ability to modify users and groups in Keycloak”
The documentation of the plugin already states “This plugin provides the basis for using Keycloak as Identity Management solution and will provide a ReadOnlyIdentityProvider.”