Hi @VonDerBeck ,
After the redirect of the URL to Camunda, when I log in as keycloak / keycloak1! it redirects me to the Camunda page, but on the Camunda page I can't see the task tab, as the keycloak user is an admin user.
Also, every time I need to clear the cache, and sometimes it doesn't open in incognito mode.
Very interesting - you're using the Keycloak internal administrator as Camunda Admin as well. Personally I very much like to separate concerns.
Are you aware that
- you have set the plugin option
- that the Keycloak internal administrator does not have an email address? And thus is not a valid Camunda user and has no rights?
For a production like setup I would recommend to
- not use the master realm but set up your own security realm.
- within that realm create the camunda admin group
- assign a dedicated admin user of this new realm to the camunda admin group
- adapt all Keycloak URLs according to the new realm
In case you want to just play around a little bit you have the following options. Either
- switch to using the plugin option useUsernameAsCamundaUserId (keep in mind that this requires a change in the KeycloakAuthenticationProvider when extracting the
- or create your own Camunda Admin User
- or add an email to the original Keycloak admin user in case you really want to keep using this user as camunda admin as well (which, in my opinion, would mix up things)
Yes, in the application.yaml file I am using
Sadly I'm running out of time today. If you want to have a look at a prepared test setup for Keycloak matching the original showcase configuration use the following docker image:
It has a prepared configuration with Camunda Client, Groups, User etc.
Hi @VonDerBeck ,
I have taken a pull of your image and run it on Docker.
I have this in my yaml file
After running this, the Camunda page after the redirect is not visible; it shows 401 unauthorized.
HTTP 401 is “unauthorized”.
- Please be aware that, once logged in, SSO stores and keeps your session. So in order to check if SSO is working you must, for example, not have logged into Keycloak with the Keycloak admin and then try to use the same browser to log into Camunda using another user. Always try to start with a fresh clean browser. An easy way to do this is to use the “new private window” / “new incognito window” functionality of your browser.
- The next thing to be aware of is that you have a configuration for the identity plugin (plugin.identity.keycloak) and another configuration for the SSO OAuth2 Client part of Spring (
- Hint: the plugin will work without the OAuth2 SSO part as well, you will then have to use the Camunda Login Page, behind the scenes you will get authenticated against Keycloak. This approach will allow you to login / logout into Camunda just like you are used to when using Camunda standalone.
In case there are any questions left please have a look at the Spring Boot OAuth2 documentation (e.g. https://spring.io/guides/tutorials/spring-boot-oauth2/, https://www.baeldung.com/sso-spring-security-oauth2). The only Camunda specific part can be found within the OAuth2 KeycloakAuthenticationProvider when it comes to extracting the userId and querying for the corresponding groups. All the rest of the setup is Spring Security / OAuth2 standard.
Sadly the REST-API hasn't been configured so far in the sample project. It's on the TODO list.
- within the example the config option camunda.bpm.authorization.enabled is set to
- see Camunda Documentation: “When are Authorizations checked”
- the missing part within the showcase is an AuthenticationProvider for the REST part. The basic principles can be taken from Camunda’s SSO example (https://github.com/camunda-consulting/code/tree/master/snippets/springboot-security-sso)
I still have to deal with the details myself, but it shouldn’t be too difficult.
Hi @VonDerBeck ,
In the camunda-showcase-keycloak project we are configuring the client-id and secret-key hardcoded. Is there any way to make this dynamic?
These parameters are configurable in
- this means that you have all mechanisms from Spring Boot at hand - including the configuration of such parameters using environment variables. For an example see parameters
- as a consequence it’s configurable using e.g. standard Kubernetes features like secrets, configmap, …
Just change the example according to your own needs. The provided example setup shows the main wiring and main aspects, it does not cover all production aspects.
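To show what the two points above look like in practice (the plugin option useUsernameAsCamundaUserId mentioned earlier in the thread, and moving the client id / secret out of the hardcoded YAML into environment variables), here is an added example application.yaml. It is not the showcase project's own file: the property names under plugin.identity.keycloak and spring.security.oauth2.client are assumed from the Keycloak identity plugin and Spring Boot, and all URLs, client ids and group names are constructed values. Note the two separate blocks: one configures the identity plugin, the other the Spring OAuth2 SSO client, exactly the split described in the post on the 401 problem.

```yaml
# Added example, not the showcase's application.yaml.
# Assumed keys: plugin.identity.keycloak.* (Keycloak identity plugin) and
# spring.security.oauth2.client.* (Spring Boot). All values are constructed.
# ${NAME:default} resolves from an environment variable NAME, falling back to
# default; ${NAME} without a default makes startup fail if NAME is not set.

camunda.bpm:
  authorization:
    enabled: true                      # authorizations are checked, so the admin group matters

plugin.identity.keycloak:
  # Own realm ("camunda"), not the Keycloak master realm
  keycloakIssuerUrl: ${KEYCLOAK_ISSUER_URL:http://localhost:8080/auth/realms/camunda}
  keycloakAdminUrl: ${KEYCLOAK_ADMIN_URL:http://localhost:8080/auth/admin/realms/camunda}
  clientId: ${KEYCLOAK_CLIENT_ID:camunda-identity-service}
  # Weak form (what the question describes), kept here only as a comment:
  #   clientSecret: 00000000-hardcoded-secret-0000
  # Corrected form: injected at runtime, no default, never committed to the repo
  clientSecret: ${KEYCLOAK_CLIENT_SECRET}
  useUsernameAsCamundaUserId: true     # use the Keycloak username instead of the email as Camunda user id
  useGroupPathAsCamundaGroupId: true
  administratorGroupName: camunda-admin   # members of this realm group become Camunda admins
  disableSSLCertificateValidation: false  # keep TLS validation on outside local testing

spring.security.oauth2.client:
  registration:
    keycloak:
      provider: keycloak
      client-id: ${KEYCLOAK_CLIENT_ID:camunda-identity-service}
      client-secret: ${KEYCLOAK_CLIENT_SECRET}
      authorization-grant-type: authorization_code
      redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
      scope: openid, profile, email
  provider:
    keycloak:
      issuer-uri: ${KEYCLOAK_ISSUER_URL:http://localhost:8080/auth/realms/camunda}
```

With this file the secret is supplied as the environment variable KEYCLOAK_CLIENT_SECRET, for example exported in the shell before starting the Spring Boot jar, set in the docker run environment, or in Kubernetes via an env entry with valueFrom.secretKeyRef pointing at a Secret. Leaving the secret without a default is deliberate: a missing value aborts startup instead of silently falling back to a committed one.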
Hi @VonDerBeck, I am not able to create Tenants in Camunda, and I am also not able to see the Add Tenants tab under the admin panel.
Hi @VonDerBeck, so I created a Tenant from code and got this error
I have gone through the Java doc, where it says that the identity service implementation provides read-only access to the user repository, false otherwise.
So through the Camunda UI I was not able to see the create Tenant button.
So how would I enable this Tenants tab?
See the yaml file too.
I am logging in with a user which is an admin user created in Keycloak and has all the access.
One of the current limitations of the Keycloak Identity Provider is that tenants are currently not yet supported. See the documentation of the plugin.
And please be aware that this is a ReadOnly Identity Provider, which means you are not allowed to create users, groups, etc. using the Camunda admin frontend.
The question is not if there is a way.
You either want to manage your groups & users within your application and stick with the integrated original identity service or you want to manage groups & users outside your applications in some kind of external identity system like LDAP, Keycloak, Auth0, … The latter approach means that Camunda is only reading groups & users.
Writing from Camunda to Keycloak is a really bad idea and I would neither support nor recommend doing such things.