Camunda SSO Login with Windows credentials

Hi,

We are trying to enable Camunda SSO for the Camunda webapps.
Basically, we need Camunda to be automatically signed in with the Windows logged-in credentials.
Can anyone suggest how to achieve this? Any docs on this will be helpful.

Thanks,
Manish

I’ve accomplished this. I’ve built a web application and included the Camunda webapp as a dependency. Besides that, I included the Spring Boot OAuth2 client and configured an OAuth2 provider (Keycloak in our case).

When using Keycloak, there is a parameter (kc_idp_hint IIRC) in the auth URL that tells which authentication way is the preferred one. If you set this parameter to the right value, no “userid/pwd” login page will be displayed by Keycloak. Instead, the current desktop authentication will be used.

There are some more details to take into account. You should, e.g., configure a ContainerBasedAuthenticationFilter and provide an instance of AuthenticationProvider that would extract the data about the current user from the token that has been issued by the OAuth2 identity provider.

If all this is too much hassle for you, you can use the nice Keycloak plugin (we could not use it in our project for certain reasons). But you’ll still have to build your own web app, include the original Camunda webapp as a dependency, and configure the HTTP security.

This is such a basic need in the modern world that I think Camunda should ship the webapp with the possibility of OAuth authentication out of the box.

Hi,
Could you please help with a sample implementation? We also have a similar requirement where we need the Camunda webapp to be automatically signed in with the Windows logged-in credentials.

Regards,
Tejpal

I’m sorry, but I’m not a Keycloak plugin expert. I’ve never used it myself, just looked at the code.

Hi,
Do you want to implement SSO, or just use your organization's LDAP server for authentication (in this case the user is asked to enter a username and password)?

Hi Pradeep,

We are looking for an SSO solution based on Windows authentication.

Regards,
Tejpal

To achieve SSO, we should use Spring Security so that the framework handles the authentication and passes the authenticated user on to Camunda. We only need to add the ContainerBasedAuthenticationFilter/ProcessEngineAuthenticationFilter (REST API) that ships with the product and provide a custom authentication provider. By implementing a class that implements the org.camunda.bpm.engine.rest.security.auth.AuthenticationProvider interface, one should be able to provide authentication details.
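
The provider described in this thread, as an added example that is not part of any post above and is not Camunda's own code: it hands the user that Spring Security already authenticated to the Camunda filter and fails closed for missing or anonymous sessions. It assumes Camunda 7 with javax.servlet and Spring Security on the classpath; the class name and the authority-to-group mapping are hypothetical.

```java
// Added example. Assumes Camunda 7 with javax.servlet (Spring Boot 2.x) and
// Spring Security on the classpath. The class name is hypothetical.
import java.util.List;
import java.util.stream.Collectors;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationProvider;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationResult;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public class SpringSecurityAuthenticationProvider implements AuthenticationProvider {

  @Override
  public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
    // Identity comes only from the security context populated by Spring Security,
    // never from a request header or parameter that the client controls.
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
      return AuthenticationResult.unsuccessful(); // fail closed
    }
    String userId = auth.getName();
    if (userId == null || userId.isEmpty()) {
      return AuthenticationResult.unsuccessful();
    }
    AuthenticationResult result = AuthenticationResult.successful(userId);
    // Assumption: the authority names issued by the identity provider are the
    // Camunda group ids. Adjust the mapping if they differ in your setup.
    List<String> groups = auth.getAuthorities().stream()
        .map(GrantedAuthority::getAuthority)
        .collect(Collectors.toList());
    result.setGroups(groups);
    return result;
  }

  @Override
  public void augmentResponseByAuthenticationChallenge(HttpServletResponse response, ProcessEngine engine) {
    // No challenge is sent here: Spring Security has already handled the login flow.
  }
}
```

The ContainerBasedAuthenticationFilter picks the provider up through its `authentication-provider` init parameter, set to this class's fully qualified name.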