Configuration and deployment of custom SSO in Camunda

Hello community,

We have a requirement to log in using SSO against both Camunda Cockpit and Tasklist (Community Edition). We can use the Community Edition of either Camunda Platform Run or Camunda Tomcat; either would do.

So far we successfully configured the LDAP plugin within Camunda Tomcat, by simply updating bpm-platform.xml. Next, we would like to use WSO2 Identity Server as the Identity Provider, which is connected to the same LDAP.

I believe we don't need to implement another IdP plugin; we just need the authentication step to be delegated to WSO2 using SAML (we could try OIDC as well, since this is a PoC).

I have found several code examples on Camunda, Spring Security, Keycloak, SAML… This has already been discussed in other topics too, such as this one answered by @paulbors and @gabepurnam.

Our doubts are not about the coding specifically, but rather about the correct way to configure and deploy this in Camunda Tomcat (or whichever distribution), since we couldn't make any of the examples work.

To keep things simple we started with this sample: the fundingasiagroup/camunda-saml-auth-plugin repository on GitHub. We packaged it as a jar-with-dependencies and deployed it to camunda-bpm-tomcat-7.13.0/server/apache-tomcat-9.0.33/lib.

According to the documentation:

“you only need to add the ContainerBasedAuthenticationFilter that ships with the product and implement a custom AuthenticationProvider if required”.

So we also added the following snippet to camunda-bpm-tomcat-7.13.0/server/apache-tomcat-9.0.33/webapps/camunda/WEB-INF/web.xml:

  <!-- Hands authentication of every webapp request to the configured AuthenticationProvider -->
  <filter>
    <filter-name>Container Based Authentication Filter</filter-name>
    <filter-class>org.camunda.bpm.webapp.impl.security.auth.ContainerBasedAuthenticationFilter</filter-class>
    <init-param>
      <!-- Fully qualified name of the custom AuthenticationProvider shipped in the deployed jar -->
      <param-name>authentication-provider</param-name>
      <param-value>com.fundingsocieties.camunda.config.JumpCloudAuthenticationProvider</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>Container Based Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>

Is this the recommended approach so far?

For now it isn't even working, due to this (possibly unrelated) error: Caused by: org.h2.jdbc.JdbcSQLNonTransientConnectionException: Unsupported connection setting "MVCC" [90113-200]

No luck with other examples either. Could you please give us some advice to get on the right track or tell us if we are missing some step?
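As an added illustration of what the `authentication-provider` referenced in the web.xml snippet above has to supply, here is a minimal custom `AuthenticationProvider` for the Camunda `ContainerBasedAuthenticationFilter`. This is example code written for this page, not code from the original post, from Camunda, or from the camunda-saml-auth-plugin project. It assumes that a container-level SAML or OIDC filter (for instance one integrated with WSO2 Identity Server) runs earlier in the filter chain and exposes the authenticated subject through `HttpServletRequest#getUserPrincipal()`, that the principal name equals the user id known to the LDAP-backed identity service configured in bpm-platform.xml, and that the package name, class name and `SSO_LOGIN_PATH` are hypothetical.

```java
// Added example for this thread; not from the original post or from Camunda / camunda-saml-auth-plugin.
// Assumptions (hypothetical): a container-level SAML/OIDC filter runs before the Camunda filter and
// populates request.getUserPrincipal(); the principal name equals the Camunda (LDAP) user id;
// SSO_LOGIN_PATH is the entry point of that SSO filter.
package com.example.camunda.sso;

import java.security.Principal;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.webapp.impl.security.auth.AuthenticationProvider;
import org.camunda.bpm.webapp.impl.security.auth.AuthenticationResult;

/**
 * Referenced from web.xml as:
 *   <param-name>authentication-provider</param-name>
 *   <param-value>com.example.camunda.sso.PrincipalBasedAuthenticationProvider</param-value>
 */
public class PrincipalBasedAuthenticationProvider implements AuthenticationProvider {

  private static final Logger LOG =
      Logger.getLogger(PrincipalBasedAuthenticationProvider.class.getName());

  // Hypothetical path of the upstream SSO filter that starts the SAML/OIDC login with the IdP.
  private static final String SSO_LOGIN_PATH = "/camunda/sso/login";

  @Override
  public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
    // Trust only the principal established by the container/SSO filter. Do not read a
    // client-supplied header such as X-Forwarded-User: anyone who can reach Tomcat directly
    // could set it and impersonate an arbitrary user.
    Principal principal = request.getUserPrincipal();
    if (principal == null || principal.getName() == null || principal.getName().isEmpty()) {
      return AuthenticationResult.unsuccessful();
    }
    String userId = principal.getName();

    // Check that the subject asserted by the IdP is actually a user of the engine's identity
    // service (LDAP here). Without this, any principal the IdP knows but Camunda does not
    // would still get a webapp session.
    long matches = engine.getIdentityService().createUserQuery().userId(userId).count();
    if (matches != 1) {
      LOG.warning("SSO principal '" + userId + "' is not a known user in engine '"
          + engine.getName() + "'; rejecting");
      return AuthenticationResult.unsuccessful(userId);
    }

    // Groups and tenants are left unset, as the shipped HttpBasicAuthProvider does, so they are
    // resolved through the engine's identity service rather than taken from the SSO assertion.
    return AuthenticationResult.successful(userId);
  }

  @Override
  public void augmentResponseByAuthenticationChallenge(HttpServletResponse response, ProcessEngine engine) {
    // Called by the filter when extractAuthenticatedUser was unsuccessful. Instead of leaving the
    // filter's plain error status, send the browser to the SSO entry point so the IdP login starts.
    response.setHeader("Location", SSO_LOGIN_PATH);
    response.setStatus(HttpServletResponse.SC_FOUND);
  }
}
```

The jar containing this class must be visible to the classloader of the camunda web application itself, so `webapps/camunda/WEB-INF/lib` is the simplest place for it. If a jar-with-dependencies is used, exclude everything the server or the webapp already ships (servlet API, Camunda webapp and engine classes); a second copy of those classes in a shared lib directory is a common source of hard-to-diagnose classloading failures that have nothing to do with the provider logic.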