SSO (Spring Security + Camunda Identity Service)


I have implemented Spring Security within a Spring Boot app that embeds the camunda-bpm-spring-boot-webapp dependency.
Then authentication is made using a custom authentication provider against identityService.checkPassword and identityService.setAuthenticationUserId.

How do I SSO the embedded Camunda Webapp? Now I can log in successfully using registered Camunda users and passwords, but when trying to open Camunda Tasklist/Welcome/Admin it redirects to the Camunda common login page.

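import java.util.Collections;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

public class CustomAuthenticationProvider implements AuthenticationProvider {
    @Override
    public Authentication authenticate(Authentication auth) 
      throws AuthenticationException {
        String username = auth.getName();
        String password = auth.getCredentials().toString();
        // CamundaUtils is the poster's own helper; its signin method is shown below
        CamundaUtils cm = new CamundaUtils();
        if (cm.signin(username, password)) {
            return new UsernamePasswordAuthenticationToken
              (username, password, Collections.emptyList());
        } else {
            throw new
              BadCredentialsException("External system authentication failed");
        }
    }

    @Override
    public boolean supports(Class<?> auth) {
        return auth.equals(UsernamePasswordAuthenticationToken.class);
    }
}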


public boolean signin(String userId, String password) {
    boolean isValid = identityService.checkPassword(userId, password);
    // setAuthenticatedUserId applies to the current thread only
    if (isValid) identityService.setAuthenticatedUserId(userId);
    return isValid;
}



The SSO works when I use Container-Based Authentication; I follow the git project:

However, I noticed that the sign-out button inside the Camunda Webapp does not work, and Authorization seems to be not working as well (cannot see available applications in Camunda Welcome, and a Spring Whitelabel error when opening Tasklist). I suspect the container still has authenticated state.
Please advise…

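import java.util.Collections;
import org.camunda.bpm.webapp.impl.security.auth.ContainerBasedAuthenticationFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Bean
    public FilterRegistrationBean containerBasedAuthenticationFilter() {
        FilterRegistrationBean filterRegistration = new FilterRegistrationBean();
        filterRegistration.setFilter(new ContainerBasedAuthenticationFilter());
        filterRegistration.setInitParameters(Collections.singletonMap("authentication-provider", "com.ey.eyharmony.config.SpringSecurityAuthenticationProvider"));
        filterRegistration.setOrder(101); // make sure the filter is registered after the Spring Security Filter Chain
        return filterRegistration;
    }
    protected void configure(HttpSecurity http) throws Exception {
//                .loginPage("/login")
    }
}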

#Custom Provider

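import java.util.List;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationResult;
import org.camunda.bpm.engine.rest.security.auth.impl.ContainerBasedAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

public class SpringSecurityAuthenticationProvider extends ContainerBasedAuthenticationProvider {

    @Override
    public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {

        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

        if (authentication == null) {
            return AuthenticationResult.unsuccessful();
        }

        String name = authentication.getName();
        if (name == null || name.isEmpty()) {
            return AuthenticationResult.unsuccessful();
        }

        AuthenticationResult authenticationResult = new AuthenticationResult(name, true);

        return authenticationResult;
    }

    // Maps Spring Security authorities to Camunda group IDs; nothing in this snippet calls it
    private List<String> getUserGroups(Authentication authentication){

        List<String> groupIds;

        groupIds = authentication.getAuthorities().stream()
                .map(res -> res.getAuthority())
                .map(res -> res.substring(5)) // Strip "ROLE_"
                .collect(Collectors.toList());

        return groupIds;
    }
}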
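
The `substring(5)` mapping in `getUserGroups` above assumes every authority starts with `ROLE_`. The following is an added example, not code from this thread: it contrasts that mapping with a prefix-checked one, using constructed authority strings and a hypothetical class name `AuthorityToGroupMapper`, and needs only the JDK.

```java
import java.util.*;
import java.util.stream.Collectors;

// Added example: all authority strings below are constructed samples.
public class AuthorityToGroupMapper {            // hypothetical class name
    private static final String ROLE_PREFIX = "ROLE_";

    // Same logic as the posted getUserGroups: drop the first five characters.
    static List<String> blindStrip(Collection<String> authorities) {
        return authorities.stream().map(a -> a.substring(5)).collect(Collectors.toList());
    }

    // Only authorities that really start with ROLE_ become group IDs;
    // everything else is collected in 'skipped' so it can be logged.
    static List<String> toGroupIds(Collection<String> authorities, List<String> skipped) {
        List<String> groupIds = new ArrayList<>();
        for (String authority : authorities) {
            if (authority != null && authority.startsWith(ROLE_PREFIX)
                    && authority.length() > ROLE_PREFIX.length()) {
                groupIds.add(authority.substring(ROLE_PREFIX.length()));
            } else {
                skipped.add(String.valueOf(authority));
            }
        }
        return groupIds;
    }

    public static void main(String[] args) {
        List<String> authorities = Arrays.asList(
                "ROLE_accounting",      // a real role
                "SCOPE_openid",         // OAuth2-style scope authority
                "TEAM_camunda-admin");  // non-role authority with a five-character prefix

        // Blind stripping turns the scope into a meaningless group ID and the
        // TEAM_ authority into the ID of an admin group.
        System.out.println("blind strip: " + blindStrip(authorities));

        List<String> skipped = new ArrayList<>();
        System.out.println("group IDs:   " + toGroupIds(authorities, skipped));
        System.out.println("skipped:     " + skipped);

        try {
            blindStrip(Collections.singletonList("USER")); // shorter than five characters
        } catch (StringIndexOutOfBoundsException e) {
            System.out.println("blind strip on USER throws " + e.getClass().getSimpleName());
        }
    }
}
```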




Yes, I am also looking for the same type of implementation.
I followed the above git code and the Authentication is working fine, but Authorization is not working as expected. The groupIds are not getting reflected under Camunda Tasklist.
Please let me know if you came across any more information related to implementing Authorization.

By default Authorization is disabled, so it needs to be enabled by adding the below entry to the application yaml/properties file.


This way of authorization worked until Camunda Spring Boot version 3.4.x,
but from Camunda Spring Boot version 7.13 onwards it's not detecting ContainerBasedAuthenticationProvider.

Can anyone help with this?

It is working now after updating the addUrlPatterns("/app/*"); with more URL patterns like engine-rest.
Thank you.


Dear Team,

I am trying to implement Camunda + OAuth 2 + AWS Cognito in Spring Boot v2.6.3 and Camunda v7.16.0. I am able to redirect to Cognito and, once that succeeds, it comes to ContainerBasedAuthenticationProvider. But still the role is not assigned correctly in

It is always returning "authorizedApps":["welcome"]