Integration of camunda with keycloak SSO


#1

I am facing issue with this repository , Please help me to look how the following steps will be carried out
https://github.com/camunda-consulting/code/tree/master/snippets/springboot-security-sso

Please help with the integration of camunda with keycloak integration SSO


#2

Try using this really great community extension by @VonDerBeck


#3

Hi Niall . I have tried with this too . But in this project VonDerBeck camunda-identity-keycloak jar is not in maven repository and not available on google to


#4

Hi Tammay,

the project will be available in a public maven repo in future. As it is based on a standard Maven build, try to check out and build this project locally. This should be a good interim solution.

Cheers
Gunnar


#5

Hi VonDerBeck ,
Building the project locally leads to the no manifest file attribute . I want to know that how will this project runs which will integrate SSO of camunda with keycloak . How will the project jar will be added to the server so that the internal code will be called.
Please help as it is not mentioned in ReadMe.md file .Next i have checked with the keycloak-showcase-master repository where the jar cannot be build . Please help


#6

Hi Tammay,

can you be more specific what your exact errors are?

1.) The plugin itself is in repository https://github.com/VonDerBeck/camunda-identity-keycloak and requires simply JDK 8 and Maven. It is not executable but a library. It can be integrated in your Camunda project in the same way like the LDAP Identity Provider. See project documentation for the setup.
2.) The showcase including the full SSO setup resides in repository https://github.com/VonDerBeck/camunda-showcase-keycloak . In order to make the build process work you should have the above plugin itself compiled and available - at least in your local maven repository.

If this doesn’t work out for you, there is a solution in sight:

  • the plugin may be available on Maven Central until the end of the month
  • furthermore it will be upgraded to work with Camunda 7.11
  • the showcase will be updated to the new versions (Camunda 7.11, Spring Boot 2.1.5.RELEASE) as well
  • the showcase will only require public repos for your dependencies

I can’t promise, but I’ll do my best.

Gunnar


#7

Hi @VonDerBeck ,
Appreciated your response . Agreed that it is not executable. I will show you what steps i have followed .

  1. I have clone the repo https://github.com/VonDerBeck/camunda-identity-keycloak .

  2. I have typed the command on the repo as mvn clean install -DskipTests and got the output as

  3. Next Step i am not able to understand in the document what will be the next step . Where will i put this whole project or the jar which is created in the target folder in the camunda server

  4. please help us step by step what will the next process after the point 3 .

Appreciated your presence of time


#8

Hi @Tanmay_Naik,

what you have now is the IdentityProvider available in your local maven repo. Your next steps depend on your runtime environment. Are you using Spring Boot or JEE/Wildfly?

When using Spring Boot you have to:

  1. add the dependency to your Camunda Spring Boot Project
  2. add a KeycloakIdentityProvider component to your project in order to activate the plugin (see documentation)
  3. prepare your Keycloak server as documented (create client camunda-identity-service in your realm)
  4. configure the adpater as documented (plugin.identity.keycloak section in application.yaml)

Afterwards the Camunda Identity Service connects to the Keycloak server. But you will still have to login using the camunda login screen.

SSO is the next level. It follows standard Spring OAuth2 Security. You will additionally have to

  1. add spring-boot-starter-security and spring-security-oauth2-autoconfigure dependencies
  2. add KeycloakAuthenticationProvider and your own WebAppSecurityConfig
  3. configure Spring Security security.oauth2 section in your application.yaml

The SSO steps are documented as well. The only Camunda specific code can be found in KeycloakAuthenticationProvider taking care of extracting the authenticated user and querying the corresponding groups using the Identity Provider.

An example can be found within the showcase project.

Regards
Gunnar


#9

Hi @VonDerBeck ,
Truly appreciated your response . I have cloned the Showcase project
[https://github.com/VonDerBeck/camunda-showcase-keycloak ]
Followed this process

  1. mvn clean install
  2. started the keycloak server with the docker-compose file

version: “3.3”

services:
jboss.keycloak:
build: .
image: jboss/keycloak
restart: always
environment:
TZ: Europe/Berlin
KEYCLOAK_USER: keycloak
KEYCLOAK_PASSWORD: keycloak1!
ports:
- “9001:8443”

  1. Next created Client name as camunda-identity-service
    added all the configurations as mentioned in https://github.com/VonDerBeck/camunda-identity-keycloak

  2. Created Roles and added them rights as mentioned in the above link

  3. added the secret key to application.yml file for Oauth2 and for plugin.identity.keycloak:

  4. then started the sever of camunda again

  5. getiing this error Please help


#10

In keycloak logs i am getting this


#11

Hi @VonDerBeck ,
I think https would be the problem.


#12

Hi @Tanmay_Naik,

please check your application.yaml URLs and Ports.

It might be important that in order to use Spring Security SSO OAuth2 using https you’ll need a valid SSL certificate on your Keycloak server. This might be a bit exaggerated for a local development environment. When running in cloud environments SSL is very often handled by the load balancer in front etc.

The Keycloak Identity Provider Plugin itself has an option to disable SSL certificate validation. But this is apart from Spring Security SSO, it effects the connection from Camunda Identity Service to Keycloak only. Keycloak generates a self signed certificate upon startup where Spring Security might complain about. So what does this all mean?

  1. Within your locally running Keycloak Docker image enable the HTTP Port as well (see documentation of the Showcase), e.g.
    ports:
      - "9001:8443"
      - "9000:8080"
  1. Check and adapt the security.oauth2 URLs accordingly. The Showcase has been prepared correctly.
  2. When using the Showcase as is you have to login using the email address as username. Check that “login with email” has been enabled within your Keycloak realm settings as well.

This might help you to get it up and running on your local machine. Which is especially helpful for development. Keep in mind, that for production it is not recommended to use plain HTTP.

If this does not help, please examine the log of your Camunda Spring Boot application. What you have provided might not be the real cause and there will very likely be more error messages in the stacktrace or before.

Gunnar


#13

Hi @VonDerBeck ,
The port i exposed that worked . Next i am getting error as with stack trace as


#14

Hi @VonDerBeck ,
The next Screen shot


#15

Also I am attaching the screenshot of keycloak realm setting where login with email is enabled


#16

From the documentation:


#17

@VonDerBeck,
Yes i have done that .

the error in yml file for enabled is showing as security.basic.enabled is Deprecated


#18

So this causes the error. The docu says that you must not do this and the admin-user part must be deleted. It is a hint for users starting with a standard Camunda Spring Boot configuration.


#19

@VonDerBeck,
So it redirected me to the camunda page when i hit on http://localhost:8080/camunda/login . It redirected me to the http://localhost:8080/camunda/app/welcome/default/ but page didn’t displayed


#20

@Tanmay_Naik: just start with
a) a clean browser (cache deleted / new private window)
b) point browser to http://localhost:8080/camunda
c) login with Keycloak