Skip to main content
Version: latest


Tasklist provides two ways to authenticate:

  1. User information stored in Elasticsearch
  2. Camunda Cloud Single Sign-On

By default, user storage in Elasticsearch is enabled.

User in Elasticsearch#

In this mode, the user authenticates with a username and password stored in Elasticsearch.

The username, password and roles for one user may be set in application.yml:

camunda.tasklist:  username: anUser  password: aPassword  roles:    - OWNER    - OPERATOR

On Tasklist startup, the user is created if they did not exist before.

By default, two users are created:

  • Role OWNER with userId/displayName/password demo/demo/demo.
  • Role USER with userId/displayName/password view/view/view.

More users can be added directly to Elasticsearch, to the index tasklist-user-<version>_. The password must be encoded with a strong BCrypt hashing function.


IAM provides authentication and authorization functionality along with user management.

Enable IAM#

IAM can only be enabled by setting the Spring profile: iam-auth.

See the following example:


Configure IAM#

IAM requires the following parameters:

Parameter nameDescriptionExample value
camunda.tasklist.iam.issuerName/ID of issuerhttp://app.iam.localhost
camunda.tasklist.iam.issuerUrlUrl of issuer (IAM)http://app.iam.localhost
camunda.tasklist.iam.clientIdSimilar to a username for the applicationtasklist
camunda.tasklist.iam.clientSecretSimilar to a password for the application.XALaRPl...s7dL7

We provide two different permissions over IAM: read or write. To configure the authorization, you are required to create two different permissions:

Permission valueDescription
read:*Grants the user the permission to access, view, and read the data in the application.
write:*Grants the user the permission to perform operations.

Note that the minimum permission needed is read:*. Any user without this permission will have access denied.