Skip to main content
Version: latest


Operate provides three ways to authenticate:

  1. User information stored in Elasticsearch.
  2. Camunda Cloud single sign-on.
  3. Lightweight Directory Access Protocol (LDAP).
  4. IAM Authentication and Authorization

By default, user storage in Elasticsearch is enabled.

User in Elasticsearch#

In this mode, the user authenticates with a username and password stored in Elasticsearch.

The Userid , displayName, password, and roles for one user may be set in application.yml:

camunda.operate:  userId: anUserId  displayName: nameShownInWebpage  password: aPassword  roles:    - OWNER    - USER

Currently, only OWNER and/or USER roles are available.

Roles for users#

OWNERFull access
USERRead only access

On startup of Operate, the user is created if they did not exist before.

By default, two users are created:

  • Role OWNER with userId/displayName/password demo/demo/demo.
  • Role USER with userId/displayName/password view/view/view.

Add more users directly to Elasticsearch via the index operate-user-<version>_. The password must be encoded with a strong bcrypt hashing function.


Enable LDAP#

LDAP can only be enabled by setting the Spring profile: ldap-auth.

See the following example for setting the Spring profile as an environmental variable:


Configuration of LDAP#

A user can authenticate via LDAP.

The following parameters for connection to an LDAP server should be given:

Parameter nameDescriptionExampleRequired
camunda.operate.ldap.urlURL to an LDAP Serverldaps://
camunda.operate.ldap.baseDnBase domain namedc=camunda,dc=comYes
camunda.operate.ldap.managerDnManager domain used by Operate to log into LDAP server to retrieve user informationcn=admin,dc=camunda,dc=comYes
camunda.operate.ldap.managerPasswordPassword for managerYes
camunda.operate.ldap.userSearchFilterFilter to retrieve user info. The pattern '{0}' is replaced by the given username in the login form.{0}No, default is {0}
camunda.operate.ldap.userSearchBaseStarting point for searchou=Support,dc=camunda,dc=comNo

Configuration of active directory-based LDAP#

For an active directory-based LDAP server, the following parameters should be given:


The active directory configuration will only be applied when camunda.operate.ldap.domain is given.

Parameter nameDescriptionRequired
camunda.operate.ldap.urlURL to an active directory LDAP serverYes
camunda.operate.ldap.baseDnRoot domain nameNo
camunda.operate.ldap.userSearchFilterUsed as a search filterNo


IAM provides authentication and authorization functionality along with user management.

Enable IAM#

IAM can only be enabled by setting the Spring profile: iam-auth.

See the following example:


Configure IAM#

IAM requires the following parameters:

Parameter nameDescriptionExample value
camunda.operate.iam.issuerName/ID of issuerhttp://app.iam.localhost
camunda.operate.iam.issuerUrlUrl of issuer (IAM)http://app.iam.localhost
camunda.operate.iam.clientIdSimilar to a username for the applicationoperate
camunda.operate.iam.clientSecretSimilar to a password for the application.XALaRPl...s7dL7

We provide two different permissions over IAM: read or write. To configure the authorization, you are required to create two different permissions:

Permission valueDescription
read:*Grants the user the permission to access, view, and read the data in the application.
write:*Grants the user the permission to perform operations.

Note that the minimum permission needed is read:*. Any user without this permission will have access denied to the application.