Custom Identity Provider for Tasklist

Hi,
because it is not possible for me to user ldap plugin I think about another possibility to realise authentication based on the data in our ldap repository and another database.

Uid and password are saved in the ldap repostitory. Uid and roles are saved in another database.

I want to use camunda tasklist. Is it possible to implement a custom servlet filter or edit the existing filter?
In that filter I would first compare credentials (uid and password, not groups) with our ldap repository. If credentials are okay, I would check against the other database, if the user exists and has the right roles.

How can I realise this?
I think I should use WritableIdentityProvider
But how can I implement/edit a servlet filter?

@Ingo_Richtsmeier again?

Thanks a lot.
Nicole

Hi @NickiMueller,

I recommend you to have a look at below URLs of camunda best practices series (Securing Camunda) to get a better understanding of differences between authentication and authorization in general and how they work in camunda.

https://camunda.com/best-practices/securing-camunda/#_understanding_strong_authentication_strong

https://camunda.com/best-practices/securing-camunda/#_understanding_strong_authorizations_strong

In summary:

Authorizations relate users and groups to Camunda specific resources so they must of course always be managed in a Camunda specific way and be contained in the Camunda database.

Authentication might be configured against an external store (LDAP as an example through LDAP Identity Provider Plugin)

Hi,

Id take a look at the ReadOnlyIdentityProvider inteface and create a custom identity plugin. Its fairly straight forward…

There is a method checkPassword(username, password) which you would implement to bind to your LDAP store. Then there are a number of group queries you would need to implement against you DB. Once you have created an installed this plugin, Camunda will just work without an additional servlet filter…

regards

Rob

Hi,

thank you for your answer. How can I “install the plugin” I can not find an example or a description.
(I know how to register ldap identity plugin, I did that before. But it is not usable for me because of the structure of our ldap system: LDAP Identiy Provider Plugin not usable for me)
I checked the following docs:
Process Engine Plugin
Identity Service

Thanks a lot, Nicole

Hi Nicole,

Are you using Springboot or are you deploying a process application to a runtime container such as Tomcat? Let me know so I can provide a more targeted response…

For inspiration, the Ldap pluging is just a read only identity plugin. You can see the code here. Hence if you start to pull it apart, there’s a few helper classes (factory, session etc to help bootsrap the installation)…

regards

Rob

Hi Rob,

I deploy my application in wildfly 20 and I do not use spring boot.

I implemented the ldap plugin successfully. I got all users of our ldap system and was able to login with my ldap account. The problem is, in our company I am not allowed to manage user and groups in our ldap system. I only have a read access for users. The groups the users are in are not the groups that I need for camunda. So for example if I use the ldap plugin I can not have an admin access to camunda. (Whole problem is described here: LDAP Plugin - Bind failed: Attempt to lookup non-existant entry)

So I thought about a ReadOnlyIdentityProvider which does the following things:

• connect to ldap programmatically and check if user and password exists
• connect to another software via REST and get roles, rights and groups.
• Then programmatically create user in camunda like here: camunda-bpm-platform/DemoDataGenerator.java at master · camunda/camunda-bpm-platform · GitHub
• login to camunda

Is that possible?
How can I implement the custom identity provider?

• implement ReadOnlyIdentityProvider interface
• register the class somewhere? → How does the tasklist know that the login site should use my custom provider?

Thanks a lot,
Nicole

Hi Nicole

So I thought about a ReadOnlyIdentityProvider which does the following things:

• connect to ldap programmatically and check if user and password exists
• connect to another software via REST and get roles, rights and groups.
• Then programmatically create user in camunda like here: camunda-bpm-platform/DemoDataGenerator.java at master · camunda/camunda-bpm-platform · GitHub
• login to camunda

Is that possible?

Absolutely, all this is possible…Just a few points of clarity. When you use a custom identity store, you dont need to create users in the Camunda DB as this is essentially delegated to your custom identity provider. Note however that authorisation will still be performed by the Camunda system, hence the Camunda DB will be aware of your user Ids or group Ids for authorisation purposes, however it would not be the source system…

How can I implement the custom identity provider?

Your best bet is to use an engine plugin. The LDAP plugin is a good example/refernec implementation. In fact you could clone this code and modify it to get you going. In particular modify its LDAP queries to retrieve user groups to point at your own implementation. (Perhaps start with some hardcoded constants and observe the code in a debugger/logger to understand what is called when…

• register the class somewhere? → How does the tasklist know that the login site should use my custom provider?

Yes you need to register the engine plugin you create. See the docs on how the LDAP plugin is added to the engine. You need to use similar config but for your own plugin…

My suggestion would be start with a simple, small custom identity plugin with hardcode values or stubbed methods…get that going, then add your custom code. Consider cloning the LDAP plugin as a starting point…

feel free to reach out for more help…

regards

Rob