Custom Authentication Method... REST OK! MODELER NOK!

The UI apps use another interface called RemoteIdmService in the flowable-ui-common package. So the standard implementation will do REST calls to the idm UI app.

There are two scenarios:

  1. If you want to merely get users and groups from an external IDM, but still use the Flowable IDM app for login, then you can replace the RemoteIdmService implementation with your own. You’d need a way to let Spring know which one to use, as this is done in Java config and so it is not as easy to swap out for another class as with XML conf. I am using @Profile to achieve this currently to minimize changes to the Flowable code base.

  2. If you want to replace the IDM app entirely, as in use your IDM for logging in to the modeler app, then there is more involved and it is not very pluggable. You have to replace the SecurityConfiguration in flowable-ui-modeler with your own. This also involves either returning a Principal of type FlowableAppUser from your Spring Security auth service or editing SecurityUtils to convert your Principal object into FlowableAppUser. I used @Profile again to make it somewhat pluggable for myself.

And there are posts on the topic, but there was no substitute for diving deeply into the code:
https://forum.flowable.org/search?q=RemoteIdmService

I have an open question on whether the @Profile approach could perhaps be incorporated: