Next steps after the camunda-showcase-keycloak

Dear all,
I was able to start the camunda-showcase-keycloak of @VonDerBeck on my system. (Thank you!)

My PoC now requires that I can manage all the roles for a user inside Keycloak, but I CANNOT manage any group.

I had a look at the interesting work of iceman91176 and at the LinkedIn article Integrating Camunda with Keycloak for Enhanced Access Control.

Would it be possible to have an integration of the work of iceman91176 and of VonDerBeck?
In which direction should I look to implement my need?

Thank you for your ideas and suggestions,
Giovanni

Hi Giovanni,

For using roles instead of groups - if I were you, I would do the following:

  • Think about whether you really need users and groups/roles to show up in Camunda Admin
  • Leave Camunda Identity Provider as is and use SSO only
  • To summarize: follow the steps of the article you mentioned

Why? Because the Keycloak Identity Provider plugin under the hood uses Keycloak’s Administration REST API. Keycloak of course provides a performant way to get all roles (whether direct or indirect!) of a user. That is what it is built for. But not the other way around - we will miss all indirect users that have a specified role name, e.g. due to their group membership and so on. Even worse: there are not even any filter criteria to reduce the result list. So this does not match the use cases of the Identity Provider API and is therefore deliberately left out.

Gunnar

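To make the asymmetry Gunnar describes concrete, here is an added illustration (not code from the Keycloak plugin, the showcase, or Keycloak itself) that models a realm with constructed data: users with direct role mappings and group memberships, groups with role mappings, and one composite role. Resolving the effective roles of a single user is a cheap per-user operation, which is what the Admin REST API's composite role-mapping endpoint gives you; the reverse question "who holds role X, including indirectly?" has no such endpoint and can only be answered by evaluating every user. Nested groups are left out of the model for brevity.

```python
"""Toy model of the Keycloak role-lookup asymmetry.

All realm data below is constructed for illustration and does not come from a real
Keycloak instance. The model mirrors Keycloak's shape: users hold direct realm-role
mappings and group memberships, groups hold role mappings, and a role may be a
composite that contains further roles.
"""
from collections import deque

# --- constructed sample realm -------------------------------------------------
COMPOSITE_ROLES = {
    # composite role -> roles it contains
    "camunda-admin": {"camunda-user", "cockpit-access"},
}
GROUP_ROLES = {
    # group -> roles mapped to the group
    "finance": {"invoice-approver"},
    "it-ops": {"camunda-admin"},
}
USERS = {
    # user -> direct role mappings and group memberships
    "alice": {"roles": {"camunda-admin"}, "groups": set()},
    "bob":   {"roles": set(),             "groups": {"it-ops"}},
    "carol": {"roles": {"camunda-user"},  "groups": {"finance"}},
    "dave":  {"roles": set(),             "groups": set()},
}


def expand_composites(roles):
    """Transitively resolve composite roles into the flat set of roles they imply."""
    resolved = set()
    queue = deque(roles)
    while queue:
        role = queue.popleft()
        if role in resolved:
            continue  # guards against cycles in composite definitions
        resolved.add(role)
        queue.extend(COMPOSITE_ROLES.get(role, ()))
    return resolved


def effective_roles(username):
    """All roles of one user: direct mappings, roles via groups, and composites.

    Cheap: it only touches that user's own data, which is why a per-user
    'effective roles' query is a natural fit for an identity provider.
    """
    user = USERS[username]
    roles = set(user["roles"])
    for group in user["groups"]:
        roles |= GROUP_ROLES.get(group, set())
    return expand_composites(roles)


def direct_users_with_role(role):
    """Users holding the role through a direct mapping only (what a naive reverse lookup sees)."""
    return {name for name, data in USERS.items() if role in data["roles"]}


def all_users_with_role(role):
    """Correct reverse lookup: must evaluate every user, i.e. a full scan of the realm."""
    return {name for name in USERS if role in effective_roles(name)}


def missed_indirect_users(role):
    """Users a direct-mapping lookup would silently miss for the given role."""
    return all_users_with_role(role) - direct_users_with_role(role)


if __name__ == "__main__":
    for name in USERS:
        print(f"{name:6} -> {sorted(effective_roles(name))}")
    print("direct users of camunda-user:", sorted(direct_users_with_role("camunda-user")))
    print("all users of camunda-user:   ", sorted(all_users_with_role("camunda-user")))
    print("missed by direct lookup:     ", sorted(missed_indirect_users("camunda-user")))
```

Running it shows that `camunda-user` is held directly only by carol, while alice (through the composite `camunda-admin`) and bob (through the `it-ops` group) hold it indirectly; a lookup that relies on direct mappings would miss both, and there is no cheaper way to find them than scanning every user.
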
Thank you VonDerBeck,

  1. No, I don’t need any Camunda Admin; I need a few administrators for Camunda and that the users are able to interact with the processes.
  2. Is the Camunda Identity Provider really able to manage the Admins? This would be enough for me.
  3. Which article do you mean? The one of iceman91176?

You wrote: “the Keycloak Identity Provider plugin under the hood uses Keycloak’s Administration REST API”:
This is very important information and I think that this should be inserted in the README.

Thank you again for your precious work,
Giovanni

To clarify: the Camunda Keycloak Identity Provider is a ReadOnly Identity Provider - it does in no way provide the ability to modify users and groups in Keycloak!

Hello VonDerBeck,
Please clarify which article I should follow. Your Showcase or the one of iceman91176?
Thank you,
Giovanni

P.S.
I think that you should add the following sentence to the README of the Keycloak Identity Provider Plugin:
“the Keycloak Identity Provider plugin under the hood uses Keycloak’s Administration REST API and accesses the user management in a READONLY way - it does in no way provide the ability to modify users and groups in Keycloak”

@Gbaruzzi in short: