Skip to main content
Version: 0.25

Authentication

Introduction#

Operate provides three ways for authentication:

  1. Authenticate with user information stored in Elasticsearch
  2. Authenticate via Auth0 Single Sign-On provider
  3. Authenticate via Lightweight Directory Access Protocol (LDAP)

By default user storage in Elasticsearch is enabled.

User in Elasticsearch#

In this mode the user authenticates with username and password, that are stored in Elasticsearch. username and password for one user may be set in application.yml:

camunda.operate:  username: anUser  password: aPassword

On Operate startup the user will be created if not existed before.

By default one user with username/password demo/demo will be created.

More users can be added directly to Elasticsearch, to the index operate-user-<version>_. Password must be encoded with BCrypt strong hashing function.

Auth0 Single Sign-On#

Currently Operate supports Auth0.com implementation of Single Sign-On.

Enable Single Sign-On#

Single Sign-On may be enabled only by setting Spring profile: sso-auth

Example for setting spring profile as environmental variable:

export SPRING_PROFILES_ACTIVE=sso-auth

Configure Single Sign-On#

Single Sign-On needs following parameters (all are mandatory):

ParameternameDescription
camunda.operate.auth0.domainDefines the domain which the user sees
camunda.operate.auth0.backendDomainDefines the domain which provides user information
camunda.operate.auth0.clientIdIt's like an user name for the application
camunda.operate.auth0.clientSecretIt's like a password for the application
camunda.operate.auth0.claimNameThe claim that will be checked by Operate. It's like a permission name
camunda.operate.auth0.organizationThe given organization should be contained in value of claim name

Example for setting parameters as environment variables:

export CAMUNDA_OPERATE_AUTH0_DOMAIN=A_DOMAINexport CAMUNDA_OPERATE_AUTH0_BACKENDDOMAIN=A_BACKEND_DDOMAINexport CAMUNDA_OPERATE_AUTH0_CLIENTID=A_CLIENT_IDexport CAMUNDA_OPERATE_AUTH0_CLIENTSECRET=A_SECRETexport CAMUNDA_OPERATE_AUTH0_CLAIMNAME=A_CLAIMexport CAMUNDA_OPERATE_AUTH0_ORGANIZATION=AN_ORGANIZATION

LDAP#

Enable LDAP#

LDAP can be enabled only by setting Spring profile: ldap-auth

Example for setting spring profile as environmental variable:

export SPRING_PROFILES_ACTIVE=ldap-auth

Configuration of LDAP#

A user can authenticate via LDAP. Following parameters for a connection to a LDAP server should be given:

ParameternameDescriptionExampleRequired
camunda.operate.ldap.urlURL to a LDAP Serverldaps://camunda.com/yes
camunda.operate.ldap.baseDnBase domain namedc=camunda,dc=comyes
camunda.operate.ldap.managerDnManager domain, is used by Operate to login into LDAP Server to retrieve user informationscn=admin,dc=camunda,dc=comyes
camunda.operate.ldap.managerPasswordPassword for manageryes
camunda.operate.ldap.userSearchFilterFilter to retrieve user info, The pattern '{0}' will be replaced by given username in login form{0}no, Default is {0}
camunda.operate.ldap.userSearchBaseStarting point for searchou=Support,dc=camunda,dc=comno

Configuration of Active Directory based LDAP#

For Active Directory based LDAP server following parameters should be given:

Note: Only when camunda.operate.ldap.domain is given, the Active Directory configuration will be applied.

ParameternameDescriptionRequired
camunda.operate.ldap.urlURL to a Active Directory LDAP Serveryes
camunda.operate.ldap.domainDomainyes
camunda.operate.ldap.baseDnRoot domain nameno
camunda.operate.ldap.userSearchFilterIs used as search filterno