Camunda integration with Keycloak for SSO


#1

Hi,
I am using Keycloak (https://www.keycloak.org) for SSO (authentication and authorization) for my camunda springboot REST services. Is there a reference implementation of camunda with keycloak boot adapters?

With the camunda boot app, if I add the “keycloak-spring-boot-adapter” jar as dependency, I am not able to access http://localhost:8080/app/admin/default/ page. It throws an error saying
WARN [FormAuthenticator-log:179] No login page was defined for FORM authentication in context []
Regards,
-Subbu


#2

This may be off topic, though it caught my interest to see a question on KeyCloak…

I think you bumped into a Tomcat compatibility bug that is likely more about the server than Camunda.

See the Keycloak bug and workaround at jboss.org - reported as “closed” (the problem looks like a Tomcat issue for a specific version).


#3

Hi @garysamuelson,
Thank you very much for the response. I will look into this. I suspect we need to do more configuration on the Tomcat and web application front, like setting the auth method to “KEYCLOAK” etc… I am working on that. I will post back my observations once I am successful.

Regards,
Subbu


#4

So how is the integration with Keycloak coming along?

Keycloak plugs into Wildfly. So, it may be a more natural fit to run it within its ‘native’ ecosystem - maybe even alongside Camunda.

For example - I typically run Camunda alongside Camel (taking advantage of the Wildfly+Camel configuration):

        <extension module="org.camunda.bpm.wildfly.camunda-wildfly-subsystem"/>
        <extension module="org.wildfly.extension.camel"/>
    </extensions>

And, looking at keycloak there’s the following:

[updated this dept’ - this is a better module reference]

<extension module="org.keycloak.keycloak-adapter-subsystem"/>

Though, it would make for a busy app’ server, why not just add keycloak into the mix - at least as an early POC development platform:

        <extension module="org.camunda.bpm.wildfly.camunda-wildfly-subsystem"/>
        <extension module="org.wildfly.extension.camel"/>
        <extension module="org.keycloak.keycloak-adapter-subsystem"/>
    </extensions>

#5

Hi @garysamuelson,

I just paused this for the time being, as we have customer demos lined up. I will be able to resume this from next week onwards. Thank you very much for the follow-up. I will post my updates once I am able to do something on this integration.

Regards,
Subbu


#6

Hi @subbu,

I wanted to check in with you to see if you pursued Keycloak integration further? I’m also considering the same approach.

Thanks!

Jason


#7

Hi @jseaton,
Sorry for the delayed response. We parked that as a lower priority for now.
But here are my thoughts on this. I have done minor POC kind of stuff on this. I have enabled LDAP authentication for Camunda and configured Keycloak to use the same LDAP as its user store. Then I implemented a class that does request interception (e.g. something like the HTTP Basic auth provider available from Camunda). Then we need to override the password check in that class.

Regards,
Subbu
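The approach sketched in #7 (shared LDAP user store, request interception on the Camunda REST API, and replacing the password check) can be expressed as a Camunda `AuthenticationProvider`. The class below is an added example written for this thread, not code from Subbu or from the Camunda or Keycloak projects. It assumes Camunda 7's `org.camunda.bpm.engine.rest.security.auth` package (the same interface that `HttpBasicAuthenticationProvider` implements), a `javax.servlet` container, and that the Keycloak adapter has already authenticated the request at the container level so that `getUserPrincipal()` is populated; the package and class names are hypothetical.

```java
package com.example.camunda.auth; // hypothetical package name

import java.security.Principal;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.identity.User;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationProvider;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationResult;

/**
 * Hypothetical AuthenticationProvider for the Camunda REST API.
 *
 * HttpBasicAuthenticationProvider re-checks a password on every request via
 * IdentityService.checkPassword(). This provider instead trusts the principal
 * that the container's Keycloak adapter has already authenticated and only
 * verifies that the same user id is known to Camunda's identity service (the
 * shared LDAP from the thread). If the container did not authenticate the
 * request, there is no principal and the request is rejected; it never falls
 * back to an anonymous or default user.
 *
 * Registered in web.xml on the REST application in place of the basic-auth
 * provider (filter class is Camunda's; the param value is this class):
 *
 *   <filter>
 *     <filter-name>camunda-auth</filter-name>
 *     <filter-class>org.camunda.bpm.engine.rest.security.auth.ProcessEngineAuthenticationFilter</filter-class>
 *     <init-param>
 *       <param-name>authentication-provider</param-name>
 *       <param-value>com.example.camunda.auth.ContainerPrincipalAuthenticationProvider</param-value>
 *     </init-param>
 *   </filter>
 */
public class ContainerPrincipalAuthenticationProvider implements AuthenticationProvider {

  @Override
  public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
    // Set by the Keycloak adapter once the container has authenticated the caller.
    Principal principal = request.getUserPrincipal();
    if (principal == null || principal.getName() == null || principal.getName().isEmpty()) {
      // No container-level authentication took place: refuse the request.
      return AuthenticationResult.unsuccessful();
    }
    String userId = principal.getName();

    // Cross-check the SSO identity against Camunda's own identity service
    // (backed by the LDAP identity provider plugin in the setup described above).
    // An id that Keycloak knows but Camunda does not gets no engine authentication,
    // so group and tenant authorizations always resolve against a real Camunda user.
    User user = engine.getIdentityService()
        .createUserQuery()
        .userId(userId)
        .singleResult();
    if (user == null) {
      return AuthenticationResult.unsuccessful(userId);
    }
    return AuthenticationResult.successful(userId);
  }

  @Override
  public void augmentResponseByAuthenticationChallenge(HttpServletResponse response, ProcessEngine engine) {
    // ProcessEngineAuthenticationFilter already answers 401 on failure. The login
    // challenge itself (redirect or bearer challenge) is issued by the Keycloak adapter,
    // so there is no Basic "WWW-Authenticate" header to add here.
  }
}
```

The security-relevant detail is that this provider is only as strong as the container's security constraint: the REST URL patterns must be protected by the Keycloak adapter so that a request can never reach the filter without having been authenticated first. The lookup in the identity service is the equivalent of the overridden password check from #7: it confirms the SSO user exists in the shared LDAP without Camunda ever seeing or re-validating a password.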


#8

No problem, thanks for the follow-up info!