Version: 1.1


Tasklist provides two ways to authenticate:

  1. User information stored in Elasticsearch
  2. Camunda Cloud Single Sign-On

By default, user storage in Elasticsearch is enabled.

User in Elasticsearch

In this mode, the user authenticates with a username and password stored in Elasticsearch.

The username and password for one user may be set in application.yml:

camunda.tasklist:
  username: anUser
  password: aPassword

On Tasklist startup, the user is created if they did not exist before.

By default, one user with username/password demo/demo is created.

More users can be added directly to Elasticsearch, to the index tasklist-user-<version>_. The password must be encoded with a strong BCrypt hashing function.

Camunda Cloud Single Sign-On

Currently, Tasklist supports Single Sign-On (SSO) in the Camunda Cloud environment. Camunda Cloud handles the configuration of Tasklist for SSO, so normally you don't need to adjust the following subsections.

Enable Single Sign-On

SSO may be enabled only by setting the Spring profile: sso-auth.

See the following example to set your Spring profile as an environment variable:


Configure Single Sign-On

SSO requires the following parameters:

camunda.tasklist.auth0.domain: Defines the domain the user sees.
camunda.tasklist.auth0.backendDomain: Defines the domain which provides user information.
camunda.tasklist.auth0.clientId: Similar to a username for the application.
camunda.tasklist.auth0.clientSecret: Similar to a password for the application.
camunda.tasklist.auth0.claimName: The claim checked by Tasklist. Similar to a permission name.
camunda.tasklist.auth0.organization: The given organization should be contained in the value of the claim name.

See the following example for setting parameters as environment variables:
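
The following preflight check is an added example, not taken from the Camunda documentation: it sets the sso-auth profile and the six parameters above as environment variables and lists any that are missing before Tasklist is started. The variable names assume Spring Boot's relaxed binding (dots become underscores, dashes are dropped, upper case); all values and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: preflight check for Tasklist SSO settings passed as
# environment variables. Not part of the Camunda documentation.

# The six properties listed above.
SSO_PROPS="camunda.tasklist.auth0.domain
camunda.tasklist.auth0.backendDomain
camunda.tasklist.auth0.clientId
camunda.tasklist.auth0.clientSecret
camunda.tasklist.auth0.claimName
camunda.tasklist.auth0.organization"

# Assumption: Spring Boot relaxed binding maps a property name to an
# environment variable by removing dashes, replacing dots, upper-casing.
env_name() {
  printf '%s' "$1" | sed 's/-//g; s/\./_/g' | tr '[:lower:]' '[:upper:]'
}

# Print the NAMES (never the values) of settings that are unset or empty.
# Empty output means the profile and all six parameters are present.
missing_sso_settings() {
  case ",${SPRING_PROFILES_ACTIVE:-}," in
    *,sso-auth,*) ;;
    *) echo "SPRING_PROFILES_ACTIVE (must include sso-auth)" ;;
  esac
  for prop in $SSO_PROPS; do
    var=$(env_name "$prop")
    eval "val=\${$var:-}"          # $var comes only from the fixed list above
    [ -n "$val" ] || echo "$var"
  done
}

# Constructed placeholder values; in practice the client secret is injected
# from a secret store rather than written into a script.
load_example_settings() {
  export SPRING_PROFILES_ACTIVE=sso-auth
  export CAMUNDA_TASKLIST_AUTH0_DOMAIN=login.example.com
  export CAMUNDA_TASKLIST_AUTH0_BACKENDDOMAIN=auth.example.com
  export CAMUNDA_TASKLIST_AUTH0_CLIENTID=example-client-id
  export CAMUNDA_TASKLIST_AUTH0_CLIENTSECRET=example-client-secret
  export CAMUNDA_TASKLIST_AUTH0_CLAIMNAME=https://example.com/orgs
  export CAMUNDA_TASKLIST_AUTH0_ORGANIZATION=example-org-id
}

load_example_settings
unset CAMUNDA_TASKLIST_AUTH0_CLIENTSECRET   # simulate a forgotten secret
missing_sso_settings                        # lists the variable that is missing
```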