
Authentication

Operate provides three ways to authenticate:

  1. User information stored in Elasticsearch.
  2. Camunda Cloud single sign-on.
  3. Lightweight Directory Access Protocol (LDAP).

By default, user storage in Elasticsearch is enabled.

User in Elasticsearch

In this mode, the user authenticates with a username and password stored in Elasticsearch.

The username and password for one user may be set in application.yml:

camunda.operate:
  username: anUser
  password: aPassword

On startup of Operate, the user is created if they did not exist before.

By default, one user with username/password demo/demo is created.

Add more users directly to Elasticsearch via the index operate-user-<version>_. The password must be stored as a bcrypt hash with a strong work factor, never as plaintext.
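The following is an added example, not Operate's own code, showing the check a practitioner would want before writing a user document to that index: it rejects anything that is not a well-formed bcrypt hash with an adequate cost factor, and only then builds the document. The document field names ("username", "password", "role") and the minimum cost of 10 are assumptions; confirm both against the index mapping of your Operate version.

```python
import json
import re

# Added example, not Operate's own code. The field names below are ASSUMED;
# check the operate-user-<version>_ mapping of your Operate version.
# Bcrypt layout: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>,
# 60 characters in total, variant a, b or y.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # assumed policy; Spring's BCryptPasswordEncoder defaults to 10


def bcrypt_cost(password_hash: str):
    """Return the bcrypt cost factor, or None if the value is not a bcrypt hash."""
    m = BCRYPT_RE.match(password_hash)
    return int(m.group(1)) if m else None


def is_strong_bcrypt(password_hash: str, min_cost: int = MIN_COST) -> bool:
    """True only for a well-formed bcrypt hash whose cost meets the policy."""
    cost = bcrypt_cost(password_hash)
    return cost is not None and cost >= min_cost


def user_document(username: str, password_hash: str, role: str = "USER") -> str:
    """Build the JSON body for a new Operate user. A plaintext password, an
    MD5/SHA digest or a low-cost bcrypt hash is refused before it can be indexed."""
    if not is_strong_bcrypt(password_hash):
        raise ValueError(
            f"password for {username!r} is not a bcrypt hash with cost >= {MIN_COST}"
        )
    return json.dumps({"username": username, "password": password_hash, "role": role})


def hash_password(plain: str, cost: int = 12) -> str:
    """Produce a hash with the third-party 'bcrypt' package (pip install bcrypt)."""
    import bcrypt
    return bcrypt.hashpw(plain.encode(), bcrypt.gensalt(rounds=cost)).decode()


if __name__ == "__main__":
    # Constructed sample hash: correct layout and cost 12, not a real password.
    sample = "$2a$12$" + "a" * 53
    print(user_document("alice", sample))
```

The resulting body can be indexed with the Elasticsearch document API; the demo/demo default user should be replaced rather than kept alongside the new accounts.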

Camunda Cloud single sign-on

Currently, Operate supports single sign-on (SSO) in the Camunda Cloud environment. Camunda Cloud handles the configuration of Operate for SSO, so you don't normally need to adjust the settings in the following subsections.

Enable SSO

SSO can only be enabled by setting the Spring profile: sso-auth.

See the following example:

export SPRING_PROFILES_ACTIVE=sso-auth

Configure SSO

SSO requires the following parameters:

Parameter name | Description
camunda.operate.auth0.domain | Defines the domain the user sees.
camunda.operate.auth0.backendDomain | Defines the domain which provides user information.
camunda.operate.auth0.clientId | Similar to a username for the application.
camunda.operate.auth0.clientSecret | Similar to a password for the application.
camunda.operate.auth0.claimName | The claim checked by Operate. Similar to a permission name.
camunda.operate.auth0.organization | The given organization should be contained in the value of the claim name.

See the following example for setting parameters as environment variables:

export CAMUNDA_OPERATE_AUTH0_DOMAIN=A_DOMAIN
export CAMUNDA_OPERATE_AUTH0_BACKENDDOMAIN=A_BACKEND_DOMAIN
export CAMUNDA_OPERATE_AUTH0_CLIENTID=A_CLIENT_ID
export CAMUNDA_OPERATE_AUTH0_CLIENTSECRET=A_SECRET
export CAMUNDA_OPERATE_AUTH0_CLAIMNAME=A_CLAIM
export CAMUNDA_OPERATE_AUTH0_ORGANIZATION=AN_ORGANIZATION

LDAP

Enable LDAP

LDAP can only be enabled by setting the Spring profile: ldap-auth.

See the following example for setting the Spring profile as an environment variable:

export SPRING_PROFILES_ACTIVE=ldap-auth

Configuration of LDAP

A user can authenticate via LDAP.

The following parameters for connection to an LDAP server should be given:

Parameter name | Description | Example | Required
camunda.operate.ldap.url | URL to an LDAP server | ldaps://camunda.com/ | Yes
camunda.operate.ldap.baseDn | Base domain name | dc=camunda,dc=com | Yes
camunda.operate.ldap.managerDn | Manager domain used by Operate to log into the LDAP server to retrieve user information | cn=admin,dc=camunda,dc=com | Yes
camunda.operate.ldap.managerPassword | Password for the manager | | Yes
camunda.operate.ldap.userSearchFilter | Filter to retrieve user info. The pattern '{0}' is replaced by the username given in the login form. | {0} | No, default is {0}
camunda.operate.ldap.userSearchBase | Starting point for the search | ou=Support,dc=camunda,dc=com | No

Configuration of active directory-based LDAP

For an active directory-based LDAP server, the following parameters should be given:

Note

The active directory configuration will only be applied when camunda.operate.ldap.domain is given.

Parameter name | Description | Required
camunda.operate.ldap.url | URL to an active directory LDAP server | Yes
camunda.operate.ldap.domain | Domain | Yes
camunda.operate.ldap.baseDn | Root domain name | No
camunda.operate.ldap.userSearchFilter | Used as a search filter | No