Only the camunda login form is displayed

[MaxiRage]

Hi! I have configured your plugin by example (https://github.com/camunda-community-hub/camunda-platform-7-keycloak/tree/master/examples/sso-kubernetes ) and overall it works great! Thank you for your work. Tell me, please, when I log in, only the Camunda form is displayed, but not the Keycloak form in any way. Is this really the way it should be, or did I make an inaccuracy somewhere? Thanks in advance for your help.

[VonDerBeck]

Hi @MaxiRage,

looks like something is missing on your side... The SSO Kubernetes Sample is intended to show how all works together, especially combining SSO (which uses Keycloak for login and not the original Camunda Form) with the Keycloak Identity Provider under the hood. SSO is based purely on Spring Boot Security and the corresponding configuration and components.

[MaxiRage]

@VonDerBeck, thanks

[MaxiRage]

@VonDerBeck, Hi I managed to set up single sign-on. Your answer gave me motivation to search for inaccuracies. Now there is another error related, as I understand it, to security and sending the POST method to tasklist or logout. Could you help?

[MaxiRage]

I fixed it.

And one more question. When logout, I will be redirected to the camunda login page, while if I go to the login page again (for example, localhost:8080/camunda), the session resumes without authorization. Is that right?

[VonDerBeck]

@MaxiRage,

logout is a complex topic here. Have you read through the section "Logout from Cockpit" in the SSO example? And checked the corresponding code parts?

There is

• a Javascript plugin part in the Camunda applications replacing the original logout triggering the logout handler
• the logout handler itself triggering logout from Keycloak
• so that after logout you will finally be redirected back to the Camunda application
• which obviously requires login so you end up at the login page of Keycloak again

Does that help?

[MaxiRage]

@VonDerBeck, thank you for the answer!

Is it possible to redirect the start page after logging in? Now I am redirected to "tasklist" but if the user does not have rights to it, then error 403, I would like to go to the "welcome" (my profile) page.

[MaxiRage]

The solution turned out to be simple: [...] .oauth2Login() .defaultSuccessUrl("/app/welcome/", true) [...]

[MaxiRage]

But such a solution is not complete, only after a successful login. If I go to ".../camunda" again, then I will be redirected to ".../app/tasklist", where I will get 403 if I am not in the right group. Is it possible to change the default ".../app/tasklist" to ".../app/welcome" ?

[MaxiRage]

Maybe someone will need it. OK, I added

in src/main/resources/META-INF/resources/index.html

and disabled index.html by default: camunda,bpm.webapp.index-redirect-enabled: false

I will be glad if you tell me an alternative solution. Thanks.

[VonDerBeck]

@MaxiRage,

this all sounds weird - even if it somehow works. Can you tell me which Camunda Version and which Spring Boot version you use? Which Keycloak version do you use? What does your "Valid Redirect URI" and "Valid post logout URI" configuration look like?

[MaxiRage]

@VonDerBeck,

Camunda 7.18 Spring Boot 2.7.5 KeyCloak 21.0.0

[aradipe]

I'm struggling to set up SSO as well, not sure if I made any mistakes when I followed the main tutorial in README.md. One issue in my case was that I wanted to use the email address of users in Camunda, but setting the useEmailAsCamundaUserId prevents SSO. Another possible issue was that I first used the KeycloakAuthenticationProvider code as provided, but the path is hardcoded there for the showcase example. Even after fixing these I still don't get redirected to Keycloak. I'm on Camunda 7.18.0, Spring Boot 2.6.14 and Keycloak 18.0.0

[VonDerBeck]

Closing this as not reproducible.