

Camunda Optimize Keycloak SSO Example

This example demonstrates how you can enable SSO with Optimize and Keycloak.

The most important part of this example from the Optimize perspective is the custom Optimize SSO plugin in ./optimize/sso-keycloak-example-plugin/. To find out more about the Optimize SSO plugin mechanism, see the Optimize docs.

It includes a docker-compose with:

  1. Camunda Optimize
  2. ElasticSearch
  3. Camunda BPM
  4. Keycloak Authentication Server
  5. Keycloak Proxy Server

The Keycloak Server has one user:


How to run?

Clone the Repo

Download and Configure Optimize

  1. Download Camunda Optimize to folder ./optimize/
  2. Rename to camunda-optimize.zip
  3. Place Optimize license in OptimizeLicense.txt
  4. Run mvn package in ./optimize/sso-keycloak-example-plugin

Run docker-compose

  1. Build all images with docker-compose build
  2. Log in to the private Camunda Docker EE registry with docker login registry.camunda.cloud. Use your EE LDAP credentials to log in.
  3. Start all images with docker-compose up -d

Open Optimize

  1. Open a web browser
  2. Open localhost:8095
  3. Log in with: demo:notdemo

Some more background

Keycloak is responsible for authentication: the users are stored in Keycloak, and the Keycloak Proxy makes sure that only authenticated users can see Optimize.

In the Optimize Plugin we only read the authenticated user from the request header. If the user is in the request, we authenticate the user directly in Optimize.

Show me some code

package com.camunda.optimize.plugin.sso;

import javax.servlet.http.HttpServletRequest;

import org.camunda.optimize.plugin.security.authentication.AuthenticationExtractor;
import org.camunda.optimize.plugin.security.authentication.AuthenticationResult;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class KeycloakAuthenticationProvider implements AuthenticationExtractor {

	private Logger logger = LoggerFactory.getLogger(getClass());

	public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request) {
		AuthenticationResult result = new AuthenticationResult();
		// The Keycloak proxy passes the authenticated user name in this request header.
		String user = request.getHeader("KEYCLOAK_USERNAME");

		if (user == null || user.isEmpty()) {
			// No header: leave the request unauthenticated.
			logger.info("Did not find user.");
			result.setAuthenticated(false);
			return result;
		} else {
			// Header present: authenticate this user directly in Optimize.
			logger.info("User logged in: {}", user);
			result.setAuthenticatedUser(user);
			result.setAuthenticated(true);
			return result;
		}
	}
}
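
The plugin above trusts whatever arrives in KEYCLOAK_USERNAME, which is sound only while every request reaches Optimize through the Keycloak proxy and the proxy sets that header itself. The following added example (not code from this repository) fails closed unless the request comes from a configured proxy address and carries exactly one header value; the class name and the TRUSTED_PROXY_ADDRESSES environment variable are assumptions.

```java
package com.camunda.optimize.plugin.sso;

import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import org.camunda.optimize.plugin.security.authentication.AuthenticationExtractor;
import org.camunda.optimize.plugin.security.authentication.AuthenticationResult;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Added example (hypothetical class name), not part of the example repository.
public class ProxyOnlyKeycloakAuthenticationProvider implements AuthenticationExtractor {
	private static final String USER_HEADER = "KEYCLOAK_USERNAME";

	// Assumption: TRUSTED_PROXY_ADDRESSES is a hypothetical environment variable holding
	// the comma-separated source addresses of the Keycloak proxy as seen by Optimize.
	// Unset or empty means no address is trusted, so every request stays unauthenticated.
	private static final Set<String> TRUSTED_PROXIES = Arrays
			.stream(Optional.ofNullable(System.getenv("TRUSTED_PROXY_ADDRESSES")).orElse("").split(","))
			.map(String::trim).filter(s -> !s.isEmpty()).collect(Collectors.toSet());

	private final Logger logger = LoggerFactory.getLogger(getClass());

	public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request) {
		AuthenticationResult result = new AuthenticationResult();
		result.setAuthenticated(false); // fail closed unless every check below passes
		// Only the proxy may assert an identity; a direct connection is not trusted.
		String remote = request.getRemoteAddr();
		if (!TRUSTED_PROXIES.contains(remote)) {
			logger.warn("Ignoring {} from untrusted address {}", USER_HEADER, remote);
			return result;
		}
		// Expect exactly one non-empty value; duplicates mean the header was not overwritten.
		Enumeration<String> headers = request.getHeaders(USER_HEADER);
		List<String> values = headers == null ? Collections.<String>emptyList() : Collections.list(headers);
		if (values.size() != 1 || values.get(0).trim().isEmpty()) {
			logger.warn("Expected one {} value from {}, got {}", USER_HEADER, remote, values.size());
			return result;
		}
		result.setAuthenticatedUser(values.get(0).trim());
		result.setAuthenticated(true);
		return result;
	}
}
```

The address check complements network isolation and does not replace it: the Optimize port should be reachable only by the proxy container, not published to the host.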