Version: 8.7

Configure an external IdP using Keycloak

Configure an external identity provider (IdP) using Keycloak, such as OpenID Connect, SAML, LDAP, or Active Directory.

note

The Identity interface does not support configuring external IdPs. You can configure an external IdP directly in the Keycloak Administrator Console.

Configure an external IdP using Keycloak

To configure an external IdP using Keycloak:

  1. Log in to the Keycloak Administrator Console. Open the URL you have configured for Keycloak in your browser.

    tip

    When using the example Docker Compose setup, Keycloak is available at http://localhost:18080/.

  2. Click Administrator Console and log in using the Keycloak administrator credentials.

    • The default administrator username is admin.

    • When deploying Camunda 8 with Helm charts, you can extract the password as detailed in secrets extraction.

    • Using the example Docker Compose setup, the password is set via the KEYCLOAK_ADMIN_PASSWORD environment variable and defaults to admin.

  3. Select the realm you are using with Camunda 8. By default, this is Camunda-platform.

  4. Add an identity provider using either of the following methods:

    • To add an OpenID Connect or SAML provider, select Identity Providers in the main menu, click Add provider..., and enter all the required configuration settings.

    • To connect to your LDAP, Active Directory, or Kerberos server, select User Federation in the main menu, click Add provider..., and fill in all required configuration settings.

tip

Keycloak supports a wide variety of authentication options, such as mapping external user groups, roles, or scopes to internal roles, and configuring the login screen and flow when multiple providers are added.

Visit the Keycloak documentation for your version of Keycloak for details on adding a provider, configuring authentication, and integrating identity providers.
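The settings entered in step 4 decide how much the brokered login can be trusted, so it is worth reviewing the saved provider before users sign in through it. The following is an added example, not code from the Camunda or Keycloak documentation: it audits an identity provider representation (the JSON Keycloak keeps for a provider added under Identity Providers) for weak settings, with a constructed weak OIDC provider beside its tightened version. The field names follow Keycloak's identity provider representation as I know it; treat them as assumptions and compare against your Keycloak version.

```python
from typing import Any

def _on(config: dict[str, Any], key: str) -> bool:
    # Keycloak stores provider config values as strings ("true"/"false").
    return str(config.get(key, "false")).lower() == "true"

def audit_idp(rep: dict[str, Any]) -> list[str]:
    """Return findings for one identity provider representation; empty means nothing flagged."""
    alias = rep.get("alias", "<no alias>")
    config = rep.get("config", {})
    provider = rep.get("providerId", "")
    findings: list[str] = []
    # With trustEmail on, the upstream IdP decides which local account an email claim maps to.
    if rep.get("trustEmail"):
        findings.append(f"{alias}: trustEmail is on, upstream email claim controls account linking")
    if provider in ("oidc", "keycloak-oidc"):
        if not _on(config, "validateSignature"):
            findings.append(f"{alias}: validateSignature is off, ID token signatures are not checked")
        elif _on(config, "useJwksUrl") and not config.get("jwksUrl"):
            findings.append(f"{alias}: useJwksUrl is on but jwksUrl is empty")
        if not config.get("issuer"):
            findings.append(f"{alias}: issuer is empty, token issuer is not checked")
        if not _on(config, "pkceEnabled"):
            findings.append(f"{alias}: PKCE is off for the authorization code exchange")
        for key in ("authorizationUrl", "tokenUrl", "userInfoUrl", "jwksUrl"):
            url = config.get(key, "")
            if url and not url.startswith("https://"):
                findings.append(f"{alias}: {key} is not HTTPS ({url})")
    elif provider == "saml":
        for key in ("validateSignature", "wantAssertionsSigned"):
            if not _on(config, key):
                findings.append(f"{alias}: {key} is off, unsigned SAML data would be accepted")
    return findings

# Constructed sample: an OIDC provider as a first attempt might leave it.
WEAK_OIDC = {
    "alias": "corp-oidc", "providerId": "oidc", "enabled": True, "trustEmail": True,
    "config": {"clientId": "camunda", "issuer": "",
               "authorizationUrl": "http://idp.example.test/auth",
               "tokenUrl": "https://idp.example.test/token",
               "validateSignature": "false", "pkceEnabled": "false"},
}
# Constructed sample: the same provider with the settings tightened.
HARDENED_OIDC = {
    "alias": "corp-oidc", "providerId": "oidc", "enabled": True, "trustEmail": False,
    "config": {"clientId": "camunda", "issuer": "https://idp.example.test",
               "authorizationUrl": "https://idp.example.test/auth",
               "tokenUrl": "https://idp.example.test/token",
               "validateSignature": "true", "useJwksUrl": "true",
               "jwksUrl": "https://idp.example.test/jwks",
               "pkceEnabled": "true", "pkceMethod": "S256"},
}

if __name__ == "__main__":
    for rep in (WEAK_OIDC, HARDENED_OIDC):
        print(rep["alias"], audit_idp(rep) or ["no findings"])
```

Feed it the JSON of your own provider (for example, as retrieved through the Keycloak admin API) to get a checklist before enabling the provider on the login screen.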