Skip to main content
Version: 8.8 (unreleased)

Connect Management Identity to an identity provider

Connect Management Identity to an OpenID Connect (OIDC) authentication provider for integration with your existing system.

note

Prerequisites

  • Information about your OIDC provider's configuration, including the issuer URL.
  • Ability to create applications in your OIDC provider.
  • Ability to access the following information about the applications you have created in your OIDC provider:
    • Client ID
    • Client secrets
    • Audience
  • A claim name and value to use for initial access.
note

The steps below are a general approach for the Camunda components; it is important you reference the component-specific configuration to ensure the components are configured correctly.

Configuration

Steps

  1. Identify what management and modeling components you need to use in Camunda 8: Web Modeler, Console, Optimize.
  2. In your OIDC provider, create an application for each of the management and modeling components you want to connect. Web Modeler requires two applications: one for the UI, and one for the API.
    • The expected redirect URI of the component you are configuring an app for can be found in component-specific configuration.
      note

      Redirect URIs serve as an approved list of destinations across identity providers. Only the URLs specified in the redirect URIs configuration will be permitted as valid redirection targets for authentication responses. This security measure ensures that tokens and authorization codes are only sent to pre-approved locations, preventing potential unauthorized access or token theft.

  3. For each management and modeling components, ensure the appropriate application type is used:
    • Web applications requiring confidential access/a confidential client:
      • Optimize
      • Management Identity
      • Web Modeler API
    • Web applications requiring confidential access/a confidential client:
      • Console
      • Web Modeler UI
  4. Make a note of the following values for each application you create:
    • Client ID
    • Client secret
    • Audience
  5. Set the following environment variables or Helm values for the component you are configuring an app for:
note

You can connect to your OIDC provider through either environment variables or Helm values. Ensure only one configuration option is used.

   CAMUNDA_IDENTITY_TYPE=GENERIC
CAMUNDA_IDENTITY_BASE_URL=<IDENTITY_URL>
CAMUNDA_IDENTITY_ISSUER=<URL_OF_ISSUER>
CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=<URL_OF_ISSUER> // this is used for container to container communication
CAMUNDA_IDENTITY_CLIENT_ID=<Client ID from Step 3>
CAMUNDA_IDENTITY_CLIENT_SECRET=<Client secret from Step 3>
CAMUNDA_IDENTITY_AUDIENCE=<Audience from Step 3>
IDENTITY_INITIAL_CLAIM_NAME=<Initial claim name if not using the default "oid">
IDENTITY_INITIAL_CLAIM_VALUE=<Initial claim value>
SPRING_PROFILES_ACTIVE=oidc
note

Once set, you cannot update your initial claim name and value using environment variables or Helm values. You must change these values directly in the database.

Additional considerations

For authentication, the Camunda components use the scopes email, openid, offline_access, and profile.

Component-specific configuration

ComponentRedirect URINotes/Limitations
Management IdentityMicrosoft Entra ID:
https://<IDENTITY_URL>/auth/login-callback

Helm:
https://<IDENTITY_URL>
OptimizeMicrosoft Entra ID:
https://<OPTIMIZE_URL>/api/authentication/callback

Helm:
https://<OPTIMIZE_URL>
There is a fallback if you use the existing environment variables to configure your authentication provider. If you use a custom yaml, update your properties to match the new values in this guide.

When using an OIDC provider, the following Optimize features are not currently available:
- The User permissions tab in collections
- The Alerts tab in collections
- Digests
- Accessible usernames for owners of resources (the sub claim value is displayed instead).
Web ModelerMicrosoft Entra ID:
https://<WEB_MODELER_URL>/login-callback

Helm:
https://<WEB_MODELER_URL>
Web Modeler requires two clients: one for the UI, and one for the API.

Required configuration variables for the webapp component:
OAUTH2_CLIENT_ID=[ui-client-id]
OAUTH2_JWKS_URL=[provider-jwks-url]
OAUTH2_TOKEN_AUDIENCE=[ui-audience]
OAUTH2_TOKEN_ISSUER=[provider-issuer]
OAUTH2_TYPE=[provider-type]

Required configuration variables for the restapi component:
CAMUNDA_IDENTITY_BASEURL=[identity-base-url]
CAMUNDA_IDENTITY_TYPE=[provider-type]
CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API=[ui-audience]
CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API=[api-audience]
SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=[provider-issuer].
ConsoleMicrosoft Entra ID:
https://<CONSOLE_URL>

Helm:
https://<CONSOLE_URL>
ConnectorsConnectors act as a client in the OIDC flow.

For outbound-only mode (when CAMUNDA_CONNECTOR_POLLING_ENABLED is false), only Zeebe client properties are required:
ZEEBE_CLIENT_ID=[client-id]
ZEEBE_CLIENT_SECRET=[client-secret]
ZEEBE_AUTHORIZATION_SERVER_URL=[provider-issuer]
ZEEBE_TOKEN_AUDIENCE=[Zeebe audience]
ZEEBE_TOKEN_SCOPE=[Zeebe scope] (optional)

For inbound mode, Operate client properties are required:
CAMUNDA_IDENTITY_TYPE=[provider-type]
CAMUNDA_IDENTITY_AUDIENCE=[Operate audience]
CAMUNDA_IDENTITY_CLIENT_ID=[client-id]
CAMUNDA_IDENTITY_CLIENT_SECRET=[client-secret]
CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=[provider-issuer]

Supported and unsupported OIDC features

When using Management Identity with an OIDC provider, not all features of authentication and authorization are available. The following table lists OIDC supported and unsupported features.

Feature nameDescriptionAvailability
Single sign-on (SSO)Redirects users to the identity provider for authentication, and enables seamless login across applications.

Zeebe, Operate, Tasklist, Optimize, Identity, and Connectors use an identity provider-issued JWT. Web Modeler and Console use PCKE (Proof Key for Code Exchange) to connect to the Camunda Identity service.
Available
Authentication flows (Authorization code flow with PKCE)Securely handles user login using the recommended authorization code flow with PKCE (Proof Key for Code Exchange) for security.

Web Modeler and Console use PCKE, but do not directly connect to the identity provider with OIDC. Web Modeler and Console use PCKE to connect to the Camunda Identity service.
Unavailable
ID token handlingValidates and extracts user identity details from the ID token after authentication.Available
Access token managementUses access tokens issued by the identity provider to securely access protected APIs.Available
Session managementEnsures users remain logged in across sessions and applications or automatically re-authenticate when needed.Available
Logout handling (RP-initiated logout)Triggers user logout from the application and notifies the identity provider to sign out users across all connected systems.Available
Role and group synchronizationMaps user roles and permissions from the identity provider into the client application for access control.Unavailable
User profile managementFetches user details from the UserInfo endpoint after authentication to personalize the user experience.Unavailable

To request a missing feature, please contact us.