camunda-community-hub / camunda-platform-7-keycloak

Camunda Keycloak Identity Provider Plugin
Apache License 2.0
130 stars, 71 forks

next steps after the camunda-showcase-keycloak #187

Closed gbaru closed 5 months ago

gbaru commented 6 months ago

Dear all, I was able to start the camunda-showcase-keycloak of @VonDerBeck on my system. (Thank you!)

My PoC now requires that I can manage all the roles for a user inside Keycloak, but I CANNOT manage any group.

I had a look at the interesting work of iceman91176 and at the LinkedIn article https://www.linkedin.com/pulse/integrating-camunda-keycloak-enhanced-access-control-avinash-saraf.

Would it be possible to have an integration of the work of iceman91176 and of VonDerBeck? In which direction should I look to implement my need?

Thank you for your ideas and suggestions, Giovanni

VonDerBeck commented 6 months ago

Hi Giovanni,

For using roles instead of groups - if I were you I would do the following:

Why? Because the Keycloak Identity Provider plugin under the hood uses Keycloak's Administration REST API. Keycloak of course provides a performant way to get all roles (whether direct or indirect!) of a user. That is what it is built for. But not the other way around - we will miss all indirect users that have a specified role name, e.g. due to their group membership and so on. Even worse: there are not even any filter criteria to reduce the result list. So this does not match the use cases of the Identity Provider API and is therefore deliberately left out.

Gunnar
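The asymmetry Gunnar describes above, as an added illustration that is not part of this thread and not code from the plugin: a small in-memory model of Keycloak's realm data (users, hierarchical groups, direct role mappings and composite roles) with the two lookups side by side. Resolving one user's effective roles is a single bounded walk, which is what Keycloak's `GET /admin/realms/{realm}/users/{id}/role-mappings/realm/composite` answers in one call; listing every user who effectively holds a role has no such endpoint (`GET /admin/realms/{realm}/roles/{role-name}/users` returns only direct mappings), so the model has to scan all users and expand each one. The realm contents are constructed sample data; the function and class names are this example's own.

```python
"""Constructed model of Keycloak role resolution (example, not plugin code).

Keycloak semantics modelled here:
  * a user's direct realm role mappings,
  * group membership, where a subgroup inherits its parent group's roles,
  * composite roles, where holding a composite grants every role it contains.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    parent: str | None = None            # parent group name, None for a top-level group
    roles: set[str] = field(default_factory=set)


@dataclass
class User:
    username: str
    roles: set[str] = field(default_factory=set)    # direct realm role mappings
    groups: set[str] = field(default_factory=set)   # group names the user is a member of


@dataclass
class Realm:
    users: dict[str, User]
    groups: dict[str, Group]
    composites: dict[str, set[str]]      # composite role -> roles it directly contains


def expand_composites(realm: Realm, roles: set[str]) -> set[str]:
    """Transitive closure over composite roles (a composite may contain composites)."""
    result: set[str] = set()
    pending = list(roles)
    while pending:
        role = pending.pop()
        if role in result:
            continue
        result.add(role)
        pending.extend(realm.composites.get(role, set()))
    return result


def group_chain(realm: Realm, group_name: str) -> list[Group]:
    """The group and all of its ancestors, since subgroups inherit parent role mappings."""
    chain: list[Group] = []
    current: str | None = group_name
    while current is not None:
        group = realm.groups[current]
        chain.append(group)
        current = group.parent
    return chain


def effective_roles(realm: Realm, username: str) -> set[str]:
    """All roles a user holds, direct or indirect.

    Mirrors what Keycloak returns from
    GET /admin/realms/{realm}/users/{id}/role-mappings/realm/composite
    in a single call scoped to one user.
    """
    user = realm.users[username]
    granted = set(user.roles)
    for group_name in user.groups:
        for group in group_chain(realm, group_name):
            granted |= group.roles
    return expand_composites(realm, granted)


def users_with_role_direct(realm: Realm, role: str) -> list[str]:
    """Direct role members only; mirrors GET /admin/realms/{realm}/roles/{role-name}/users."""
    return sorted(u.username for u in realm.users.values() if role in u.roles)


def users_with_role_effective(realm: Realm, role: str) -> list[str]:
    """Every user who effectively holds the role. There is no single Keycloak
    endpoint for this: the caller must enumerate all users and expand each one,
    which is why the plugin leaves this direction out."""
    return sorted(name for name in realm.users if role in effective_roles(realm, name))


def sample_realm() -> Realm:
    """Constructed sample data (not from any real Keycloak installation)."""
    return Realm(
        users={
            "alice": User("alice", roles={"admin"}),            # composite grants manager, employee
            "bob": User("bob", groups={"finance"}),              # finance is a subgroup of staff
            "carol": User("carol", roles={"employee"}),          # the only direct 'employee' mapping
        },
        groups={
            "staff": Group("staff", roles={"employee"}),
            "finance": Group("finance", parent="staff", roles={"accountant"}),
        },
        composites={"admin": {"manager"}, "manager": {"employee"}},
    )


if __name__ == "__main__":
    realm = sample_realm()
    for name in realm.users:
        print(name, sorted(effective_roles(realm, name)))
    print("direct employee members:   ", users_with_role_direct(realm, "employee"))
    print("effective employee members:", users_with_role_effective(realm, "employee"))
```

The forward lookup costs one user record plus a bounded walk over that user's groups and composites; the reverse lookup costs a full user enumeration with that walk repeated per user, and `users_with_role_direct` shows how much a direct-only endpoint under-reports (it misses both the group member and the composite holder).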

VonDerBeck commented 5 months ago

Closing this issue now. If there are any remaining major topics feel free to reopen it.