Authentication
Tasklist provides two ways to authenticate:
- User information stored in Elasticsearch
- Camunda Cloud Single Sign-On
By default, user storage in Elasticsearch is enabled.
User in Elasticsearch​
In this mode, the user authenticates with a username and password stored in Elasticsearch.
The username and password for one user may be set in application.yml:
camunda.tasklist:
username: anUser
password: aPassword
On Tasklist startup, the user is created if they did not exist before.
By default, one user with username/password demo
/demo
is created.
More users can be added directly to Elasticsearch, to the index tasklist-user-<version>_
. The password must be encoded with a strong BCrypt hashing function.
Camunda Cloud Single Sign-On​
Currently, Tasklist supports Single Sign-On (SSO) in the Camunda Cloud environment. Camunda Cloud handles the configuration of Tasklist for SSO, so normally you don't need to adjust the following subsections.
Enable Single Sign-On​
SSO may be enabled only by setting the Spring profile: sso-auth
.
See the following example to set your Spring profile as an environmental variable:
export SPRING_PROFILES_ACTIVE=sso-auth
Configure Single Sign-On​
SSO requires the following parameters:
Parametername | Description |
---|---|
camunda.tasklist.auth0.domain | Defines the domain the user sees. |
camunda.tasklist.auth0.backendDomain | Defines the domain which provides user information. |
camunda.tasklist.auth0.clientId | Similar to a username for the application. |
camunda.tasklist.auth0.clientSecret | Similar to a password for the application. |
camunda.tasklist.auth0.claimName | The claim checked by Tasklist. Similar to a permission name. |
camunda.tasklist.auth0.organization | The given organization should be contained in the value of the claim name. |
See the following example for setting parameters as environment variables:
export CAMUNDA_TASKLIST_AUTH0_DOMAIN=A_DOMAIN
export CAMUNDA_TASKLIST_AUTH0_BACKENDDOMAIN=A_BACKEND_DDOMAIN
export CAMUNDA_TASKLIST_AUTH0_CLIENTID=A_CLIENT_ID
export CAMUNDA_TASKLIST_AUTH0_CLIENTSECRET=A_SECRET
export CAMUNDA_TASKLIST_AUTH0_CLAIMNAME=A_CLAIM
export CAMUNDA_TASKLIST_AUTH0_ORGANIZATION=AN_ORGANIZATION