Single Sign On (SSO) in Camunda?

[Thong Huynh Trung]

Hi,

I have a question regarding authentication mechanism of Camunda. Does Camunda have a practice for single sign on? The situation is that we are going to setup a Camunda application within an intranet (see picture). We will need to setup a single sign-on mechanism so that users do not have to login again to use Camunda. 

So how does Camunda normally handle this kind of situation? 

Appreciate your help

Thanks

Thong Huynh

[Roman Smirnov]

Hi Thong,

we are currently working on the theme "user management". For that we will use "spring security" which provide a lot of features (like single sign on).

If you have some specific ideas or requirements, then you're welcome to post them here!

Cheers,

Roman

[Thong Huynh Trung]

Thanks Roman, 

Will do

[Julrich Kieffer]

Hi Roman

Is there a way to integrate Forgerock's OpenAM product (http://forgerock.org), or ensure that security can be managed externally using any of these sort of tools? I think this would be preferable over baking in security and further backing in the "spring security" implementation.

Is there a way to use the current build (alpha 6) but have login / features (ie authentication / authorisation) be externally controlled with OpenAM?

Julrich

[Daniel Meyer]

Hi Julrich,

difficult to say as I have no experience with OpenAM. How do you integrate it? You can always take the web applications and enhance them with a set of custom authorization filters and a custom login page. We will also provide a simple SPI which allows you to bring in custom authentication / authorization providers. 

Cheers,

Daniel

[Anurag Singh]

Hi Daniel,

Where can I get information about SPI which allows you to bring in custom authentication / authorization providers.

thanks,
Anurag

[Daniel Meyer]

Hi Anurag,

 

1)      The REST API provides the org.camunda.bpm.engine.rest.security.auth.AuthenticationProvider for developing custom authentication providers.
http://docs.camunda.org/api-references/rest/#!/overview/authentication

 

2)      The camunda webapplication ships with the org.camunda.bpm.webapp.impl.security.filter.SecurityFilter implementation which can be configured using a JSON-based configuration:

{

  "pathFilter": {

    "deniedPaths" : [

      { "path": "/api/engine/.*", "methods" : "*" },

      { "path": "/api/cockpit/.*", "methods" : "*" },

      { "path": "/app/tasklist/{engine}/.*", "methods" : "*" },

      { "path": "/app/cockpit/{engine}/.*", "methods" : "*" }

    ],

    "allowedPaths" : [

      { "path": "/api/engine/engine/", "methods" : "GET" },

      { "path": "/api/{app:cockpit}/plugin/{engine}/static/.*", "methods" : "GET" },

      { "path": "/api/{app:cockpit}/plugin/{plugin}/{engine}/.*", "methods" : "*", "authorizer" : "org.camunda.bpm.webapp.impl.security.filter.EngineRequestAuthorizer" },

      { "path": "/api/engine/engine/{engine}/.*", "methods" : "*", "authorizer" : "org.camunda.bpm.webapp.impl.security.filter.EngineRequestAuthorizer" },

      { "path": "/app/{app:cockpit}/{engine}/.*", "methods" : "*", "authorizer" : "org.camunda.bpm.webapp.impl.security.filter.ApplicationRequestAuthorizer" },

      { "path": "/app/{app:tasklist}/{engine}/.*", "methods" : "*", "authorizer" : "org.camunda.bpm.webapp.impl.security.filter.ApplicationRequestAuthorizer" }

    ]

  }

}

 

You could also completely replace the org.camunda.bpm.webapp.impl.security.filter.SecurityFilter with a custom filter in the WEB-INF/web.xml file.

 

Cheers,

Daniel Meyer

[dav...@optusnet.com.au]

Hi Roman,

We have a similar requirement to the OP, but using Oracle Access Manager (OAM). This is basically a plug-in for Apache which checks incoming requests against a policy in OAM. If that URL matches a pattern that requires authentication, and the user is not currently authenticated then they are redirected to the login page hosted by OAM. OAM then handles the login, and once successful redirects the user's browser back to the original URL they were trying to access. They are now authenticated, so the plugin allows the request to proceed as per normal to the application server.

The plug-in also adds HTTP header properties to the request which lets the application know some details about the currently logged in user. In our case, this is the user id (email address), the first name and surname. If these are present in the incoming request to the application, the application can assume that the user has been authenticated. Naturally, you need to have a mechanism in place to stop users from bypassing the Apache server and going directly to the app server and spoofing the headers.

Behind the scenes, the OAM component has its own session cookie so that it can link incoming requests back to a session on the OAM server which maintains whether the user is authenticated, expiry times etc. Because this is a domain level cookie, the user will be seen as signed on to all web applications that are protected by OAM in that domain.

OAM also handles the problem of Integrated Windows Authentication without us having to do anything in our applications.

We also use Spring Security for our own applications, and have a custom security filter that checks the HTTP request for the necessary headers and creates the required Spring UserDetails object.

public class IamSecurityFilter extends AbstractPreAuthenticatedProcessingFilter {

protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
// Get OAM HTTP header from request
final String userName = request.getHeader(HTTP_HEADER_ATTRIBUTES_USER_NAME);
final String cNumber = request.getHeader(HTTP_HEADER_ATTRIBUTES_CNUM);
final String customerID = request.getHeader(HTTP_HEADER_ATTRIBUTES_CUSTID);
final String firstName = request.getHeader(HTTP_HEADER_ATTRIBUTES_FIRST_NAME);
final String lastName = request.getHeader(HTTP_HEADER_ATTRIBUTES_LAST_NAME);

if (ANONYMOUS_USER_STRING.equals(userName) || StringUtils.isEmpty(userName) || StringUtils.isEmpty(cNumber)){
SecurityContextHolder.clearContext();
return null;
} else if (StringUtils.isEmpty(customerID) || StringUtils.isEmpty(firstName) || StringUtils.isEmpty(lastName)) {
SecurityContextHolder.clearContext();
return null;
} else if (customerID.equals(USER_NOT_AUTHENTICATED_IN_11G) || cNumber.equals(USER_NOT_AUTHENTICATED_IN_11G)) {
SecurityContextHolder.clearContext();
return null;
}

UserProfile sessionUser = (UserProfile) request.getSession().getAttribute(SessionKeys.USER_ATTRIBUTE);
if (sessionUser == null || !userName.equals(sessionUser.getUsername())) {
UserProfile requestUser = new UserProfile(userName, null, cNumber, firstName, lastName, customerID);
request.getSession().setAttribute(SessionKeys.USER_ATTRIBUTE, requestUser);
return requestUser;
} else {
return sessionUser;
}
}

protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
return "N/A";
}
}

public class UserProfile implements UserDetails, Serializable, Cloneable {
...
}

The Spring Security UserDetails interface specifies the method Collection<GrantedAuthority> getAuthorities() which is used for authorisation. In our implementation, these are group memberships in the directory. These can either be passed in the HTTP header (if there aren't many) or looked up in the directory once the user is authenticated.

This is then wired up in our Spring context like so:

<security:http disable-url-rewriting="true" create-session="ifRequired">
<security:anonymous enabled="true"/>
<security:custom-filter position="PRE_AUTH_FILTER" ref="securityFilter"/>
<security:form-login login-page="/login/success"/>
</security:http>

<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="preauthAuthProvider"/>
</security:authentication-manager>

<bean id="preauthAuthProvider"
class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService" ref="userService"/>
</bean>

<bean id="iamSecurityFilter" class="sso.web.security.IamSecurityFilter" lazy-init="true">
<property name="authenticationManager" ref="authenticationManager"/>
</bean>

And in web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

So a summary of our requirements for single sign on would be:

- Pass authentication details as HTTP header properties
- Pass authorisation details (group membership) as HTTP header properties or through a separate LDAP lookup
- Integrate with Spring Security so that Spring Security mechanisms can be used inside our process applications if required

Thanks for the opportunity to contribute ideas.

David

[Daniel Meyer]

Hi David,

Wow, thanks for the great in-depth explanation of your requirements!

Do you want to use OAM authentication inside the camunda webapplications or inside you custom process applications?

If you want to use it as authentication provider inside the camunda webapplication, you should look into our security filter implementation: org.camunda.bpm.webapp.impl.security.filter.SecurityFilter

It can be configured using a json-based configuration (see one of my previous posts in this thread). On top of this you could probably also use an additional filter in web.xml.

We also add the name of the requested user as HTTP headers to the request.

The class org.camunda.bpm.webapp.impl.security.auth.Authentication should roughly correspond to the UserDetails class in spring (I think).

It provides a Method named .getGroupIds() providing access to the list of groups for the current user.

Authentication iteslf is currently performed by the org.camunda.bpm.webapp.impl.security.auth.UserAuthenticationResource. But I could imagine a filter which extracts the username or token from a requests and populates the org.camunda.bpm.webapp.impl.security.auth.Authentications object. The object is maintained inside the servlet session and added as a ThreadLocal to each request by the SecurityFilter.

Cheers,

Daniel Meyer

[dav...@optusnet.com.au]

Hi Daniel,

Thanks for the response. I was going to start looking into the SecurityFilter, but then I saw this post which mentioned you were looking at Spring Security. As this is what we use already in our non Camunda web applications to integrate with OAM, I thought I would provide this as some background on how we use it. From the quick look I have had at the security in 7.0.0, I'm pretty sure we could get it to work with OAM, but if you were looking at moving to Spring Security then most of the work is done already. Is this still on the roadmap?

Initially, we would be looking to add this single sign on capability to the Camunda web applications. We would also like the option to have it in our custom process applications as well, but we could already secure any web UI components (like external forms) using the method I described above.

Thanks,

David

[denis.d...@gmail.com]

Le mercredi 5 juin 2013 11:54:40 UTC+2, Thong Huynh Trung a écrit :
> Hi,
> I have a question regarding authentication mechanism of Camunda. Does Camunda have a practice for single sign on? The situation is that we are going to setup a Camunda application within an intranet (see picture). We will need to setup a single sign-on mechanism so that users do not have to login again to use Camunda. 
>
>
> So how does Camunda normally handle this kind of situation? 
>
>
>
>
>
>
>

> Appreciate your help
> Thanks
> Thong Huynh

Hi Community,

I'm currently testing Waffle for SSO on Windows and managed to implement it with Camunda Tomcat Distribution ( http://camunda.org/release/camunda-bpm/tomcat/7.2/camunda-bpm-tomcat-7.2.0.zip ).

1. If your not using a LDAP, you'll have to create your users by code or by hand in camunda administration. Their password is not important, as authentication is only made through NTLM challenge, nether through HTTP Basic in that case, but the username must be the same as in Active Directory. I guess it is case sensitive.

2. First download Waffle binaries ( https://github.com/dblock/waffle ) and copy waffle-jna.jar, jna-3.5.0.jar, platform-3.5.0.jar, slf4j-api-1.7.2.jar and guava-13.0.1.jar to Tomcat/lib directory.

3. Stop your tomcat if started and change tomcat/webapps/camunda/WEB-INF/web.xml to add Waffle servlet filter, inserting it before camunda Authentication filter:

<!-- Waffle filter -->
<filter>
<filter-name>WaffleSecurityFilter</filter-name>
<filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
<init-param>
<param-name>principalFormat</param-name>
<param-value>fqn</param-value>
</init-param>
<init-param>
<param-name>roleFormat</param-name>
<param-value>both</param-value>
</init-param>
<init-param>
<param-name>allowGuestLogin</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>securityFilterProviders</param-name>
<param-value>
waffle.servlet.spi.NegotiateSecurityFilterProvider
waffle.servlet.spi.BasicSecurityFilterProvider
</param-value>
</init-param>
<init-param>
<param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
<param-value>
Negotiate
NTLM
</param-value>
</init-param>
<init-param>
<param-name>waffle.servlet.spi.BasicSecurityFilterProvider/realm</param-name>
<param-value>WaffleFilterDemo</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>WaffleSecurityFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>


4. Download camunda-webapp-7.2.0-alpha2-sources.zip from Apache Maven Central Repository (http://search.maven.org/#browse|-1555757778) and modify org.camunda.bpm.webapp.impl.security.auth.UserAuthenticationResource.java

- Add this method to UserAuthenticationResource.java, and all needed imports (such as java.security.Principal) :

public static String getRemoteUserName(HttpServletRequest request)
{
String remoteUserName = request.getRemoteUser();
if (remoteUserName == null)
{
Principal principal = request.getUserPrincipal();
if (principal != null)
{
remoteUserName = principal.getName();
}
}
if (remoteUserName != null)
{

// Remove domain name from DOMAIN\USERNAME string
int antislashIndex = remoteUserName.indexOf("\\");
if (antislashIndex >= 0)
{
remoteUserName = remoteUserName.substring(antislashIndex + 1);
}
}
return remoteUserName;
}


- Add an autoLogin method to allow Waffle SSO

private Response autoLogin(String engineName, String username, String appName)
{
final ProcessEngine processEngine = lookupProcessEngine(engineName);
if (processEngine == null)
{
throw new InvalidRequestException(Status.BAD_REQUEST, "Process engine with name " + engineName + " does not exist");
}

// make sure authentication is executed without authentication :)
processEngine.getIdentityService().clearAuthentication();

// PASSWORD CHECK NOT NEEDED HERE : A PRINCIPAL IS ONLY GIVEN AGAINST NTML CHALLENGE, NO HTTP BASIC AUTH.

// get user's groups
final List<Group> groupList = processEngine.getIdentityService().createGroupQuery().groupMember(username).list();

// transform into array of strings:
List<String> groupIds = new ArrayList<String>();

for (Group group : groupList)
{
groupIds.add(group.getId());
}

// check user's app authorizations
AuthorizationService authorizationService = processEngine.getAuthorizationService();

HashSet<String> authorizedApps = new HashSet<String>();

for (String application : APPS)
{
if (isAuthorizedForApp(authorizationService, username, groupIds, application))
{
authorizedApps.add(application);
}
}

authorizedApps.add("admin");

if (!authorizedApps.contains(appName))
{
return forbidden();
}

final Authentications authentications = Authentications.getCurrent();

// create new authentication
UserAuthentication newAuthentication = new UserAuthentication(username, groupIds, engineName, authorizedApps);
authentications.addAuthentication(newAuthentication);

// send reponse including updated cookie
return Response.ok(AuthenticationDto.fromAuthentication(newAuthentication)).build();
}


- Change the getAuthenticatedUser(@PathParam("processEngineName") String engineName) with this code, in order to allow user to access to "tasklist" app through autoLogin method call:

@GET
@Path("/{processEngineName}")
public Response getAuthenticatedUser(@PathParam("processEngineName") String engineName)
{
Authentications allAuthentications = Authentications.getCurrent();

if (allAuthentications == null)
{
return notFound();
}

Authentication engineAuth = allAuthentications.getAuthenticationForProcessEngine(engineName);

if (engineAuth == null)
{

//return notFound();

// CODE ADDED HERE
String remoteUserName = getRemoteUserName(request);
if (remoteUserName != null)
{
// AUTH GIVEN FOR "tasklist" APP
return autoLogin(engineName, remoteUserName, "tasklist");
}
else
{
return notFound();
}
}
else
{
return Response.ok(AuthenticationDto.fromAuthentication(engineAuth)).build();
}
}

5. From your favourite IDE, compile this modified source along with all java sources within org.camunda.bpm.webapp.security package, obviously with all camunda and spring libraries in classpath

6. Copy the recompiled classes in the webapps\camunda\WEB-INF\classes

7. Restart tomcat. Login page is bypassed for tasklist app.

[Daniel Meyer]

Hi Denis,

thank you for sharing this solution with the community!

Cheers,
Daniel

[denis.d...@gmail.com]

Hi Daniel,

Thank _you_ for your work!

I don't know if lot of people use Waffle, however I found it useful for SSO, and fitting perfectly our needs.

Have you finally designed a builtin SSO solution for Camunda?
Regards,
Denis

[thomas.sc...@gmail.com]

Hi,

we are evaluating Camunda BPM for a customer project. A crucial requirement is a SSO functionality that logs the user into Tasklist and our custom process application with one authentication process.
The alternative would be to implement our own Tasklist inside our custom application but we'd rather make use of the already existing Tasklist.

Are there any plans for such SSO mechanism in roadmap of Camunda?

regards,
Thomas

[Daniel Meyer]

Hi Thomas,

you could use maven overlay to add the camunda webapp to your custom application. This way there would be a single servlet session for both your application and the camunda webapp. And you would not require any complex SSO infrastructure.

Daniel

[Jayendran Subramanian]

Hi Daniel,

Im trying to enable OpenAM SSO for camunda explore , i have configured openAm/J2ee Agent and enabled http header( "SsoUserHeader") on oepnAM.

Filter interceptor also working as expected and user authendication performed successfully on openAM and could get the username in camunda "AuthenticationFilter".

 Below the config and log details. So i need to populate "org.camunda.bpm.webapp.impl.security.auth.Authentications" object for ssouser(kermit).Please advise how to populate this object.


web.xml
  <!-- Agent filter for openAM login page -->
   <filter>
      <description>External OpenAm SSO authentication support filter.</description>
      <filter-name>Agent Filter</filter-name>
      <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
   </filter>
   <filter-mapping>
      <filter-name>Agent Filter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>
 
  <!-- Authentication filter -->
  <filter>
    <filter-name>Authentication Filter</filter-name>
    <filter-class>org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>

Logs:
AuthenticationFilter : printstatement : req.getHeaderNames() com.sun.identity.agents.util.EnumerationAdapter@224976a8
AuthenticationFilter : printstatement : req.getHeaderNames() : SsoUserHeader
AuthenticationFilter : printstatement : req.getHeaderNames() : host
AuthenticationFilter : printstatement : req.getHeaderNames() : connection
AuthenticationFilter : printstatement : req.getHeaderNames() : accept
AuthenticationFilter : printstatement : req.getHeaderNames() : user-agent
AuthenticationFilter : printstatement : req.getHeaderNames() : referer
AuthenticationFilter : printstatement : req.getHeaderNames() : accept-encoding
AuthenticationFilter : printstatement : req.getHeaderNames() : accept-language
AuthenticationFilter : printstatement : req.getHeaderNames() : cookie
AuthenticationFilter : printstatement : req.getAttributeNames() java.util.Collections$2@50d212e
AuthenticationFilter : printstatement : req.getAttributeNames() : am.filter.profile.attribute.marker
Inside AuthenticationFilter : doFilter : ssouser :  kermit


Regards
Jayendran

[spawn...@gmail.com]

Hi all,

You can use the following AuthenticationFilter to retrieve the user from the SSO Request Header (populated by the OpenAM J2EE Agent) and authenticate your user against Camunda authentication system :
https://gist.github.com/spawnrider/38827f5c2ce8a367f23d

Le mercredi 5 juin 2013 11:54:40 UTC+2, Thong Huynh Trung a écrit :

> Hi,
> I have a question regarding authentication mechanism of Camunda. Does Camunda have a practice for single sign on? The situation is that we are going to setup a Camunda application within an intranet (see picture). We will need to setup a single sign-on mechanism so that users do not have to login again to use Camunda. 
>
>
> So how does Camunda normally handle this kind of situation? 
>
>
>
>
>
>
>

[Ankit Bharti]

Hi Roman

Do we have any user management component with spring security in 7.3.0 CE ?
I was thinking of implementing something with OpenId SSO. 

[hie...@gmail.com]

Hi Denis,
I tried with your solution, but I couldnt start Tomcat, this is Err log:

19-Jan-2016 16:51:29.816 SEVERE [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Error deploying web application directory /root/camunda/server/apache-tomcat-8.0.24/webapps/camunda
java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/camunda]]
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:729)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:701)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1101)
at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1786)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:724)

Did I make some mistakes?

Thanks :)

[Denis Drouillet]

Hello,

I would like to help, but this error trace seems not complete. No "caused by" anywhere?

I have this IllegalStateException from time to time, when deploying-undeploying any application many times, ultimately caused, I guess, by an OutOfMemory exception. When facing this exception, I simply restart Tomcat.

One question: you're using Apache with Windows?

Denis.

--
You received this message because you are subscribed to a topic in the Google Groups "camunda BPM users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/camunda-bpm-users/c7zVqsiOCCI/unsubscribe.
To unsubscribe from this group and all its topics, send an email to camunda-bpm-us...@googlegroups.com.
To post to this group, send email to camunda-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/camunda-bpm-users/d48d6bdd-abc1-4c9e-b86b-9ed1ead34b81%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Thuy Le]

Great!

Thank you for sharing your code. We tried, it works well now.

[Christian Lipphardt]

Hi,

You can add the Camunda Nexus to your maven pom.

    <repositories>
      <repository>
        <id>camunda-bpm-nexus</id>
        <name>camunda-bpm-nexus</name>
        <releases>
          <enabled>true</enabled>
        </releases>
        <snapshots>
          <enabled>true</enabled>
        </snapshots>
        <url>https://app.camunda.com/nexus/content/groups/public</url>
      </repository>
    </repositories>

See also [1] for the versions of the camunda-webapp artifact. We do not upload any WAR or distribution zip/tar.gz's to Maven Central.

Cheers,
Christian