Authentication
Introduction​
Operate provides three ways for authentication:
- Authenticate with user information stored in Elasticsearch
- Authenticate via Camunda Cloud Single Sign-On
- Authenticate via Lightweight Directory Access Protocol (LDAP)
By default user storage in Elasticsearch is enabled.
User in Elasticsearch​
In this mode the user authenticates with username and password, that are stored in Elasticsearch. username and password for one user may be set in application.yml:
camunda.operate:
username: anUser
password: aPassword
On Operate startup the user will be created if not existed before.
By default one user with username/password demo/demo will be created.
More users can be added directly to Elasticsearch, to the index operate-user-<version>_. Password must be encoded with BCrypt strong hashing function.
Camunda Cloud Single Sign-On​
Currently Operate supports Single Sign On in Camunda Cloud environment. Camunda Cloud takes care of the configuration of Operate for Single Sign On, so you don't need normally to adjust following subsections.
Enable Single Sign-On​
Single Sign-On may be enabled only by setting Spring profile: sso-auth
Example for setting spring profile as environmental variable:
export SPRING_PROFILES_ACTIVE=sso-auth
Configure Single Sign-On​
Single Sign-On needs following parameters (all are mandatory):
| Parametername | Description |
|---|---|
| camunda.operate.auth0.domain | Defines the domain which the user sees |
| camunda.operate.auth0.backendDomain | Defines the domain which provides user information |
| camunda.operate.auth0.clientId | It's like an user name for the application |
| camunda.operate.auth0.clientSecret | It's like a password for the application |
| camunda.operate.auth0.claimName | The claim that will be checked by Operate. It's like a permission name |
| camunda.operate.auth0.organization | The given organization should be contained in value of claim name |
Example for setting parameters as environment variables:
export CAMUNDA_OPERATE_AUTH0_DOMAIN=A_DOMAIN
export CAMUNDA_OPERATE_AUTH0_BACKENDDOMAIN=A_BACKEND_DDOMAIN
export CAMUNDA_OPERATE_AUTH0_CLIENTID=A_CLIENT_ID
export CAMUNDA_OPERATE_AUTH0_CLIENTSECRET=A_SECRET
export CAMUNDA_OPERATE_AUTH0_CLAIMNAME=A_CLAIM
export CAMUNDA_OPERATE_AUTH0_ORGANIZATION=AN_ORGANIZATION
LDAP​
Enable LDAP​
LDAP can be enabled only by setting Spring profile: ldap-auth
Example for setting spring profile as environmental variable:
export SPRING_PROFILES_ACTIVE=ldap-auth
Configuration of LDAP​
A user can authenticate via LDAP. Following parameters for a connection to a LDAP server should be given:
| Parametername | Description | Example | Required |
|---|---|---|---|
| camunda.operate.ldap.url | URL to a LDAP Server | ldaps://camunda.com/ | yes |
| camunda.operate.ldap.baseDn | Base domain name | dc=camunda,dc=com | yes |
| camunda.operate.ldap.managerDn | Manager domain, is used by Operate to login into LDAP Server to retrieve user informations | cn=admin,dc=camunda,dc=com | yes |
| camunda.operate.ldap.managerPassword | Password for manager | yes | |
| camunda.operate.ldap.userSearchFilter | Filter to retrieve user info, The pattern '{0}' will be replaced by given username in login form | {0} | no, Default is {0} |
| camunda.operate.ldap.userSearchBase | Starting point for search | ou=Support,dc=camunda,dc=com | no |
Configuration of Active Directory based LDAP​
For Active Directory based LDAP server following parameters should be given:
Note: Only when camunda.operate.ldap.domain is given, the Active Directory configuration will be applied.
| Parametername | Description | Required |
|---|---|---|
| camunda.operate.ldap.url | URL to a Active Directory LDAP Server | yes |
| camunda.operate.ldap.domain | Domain | yes |
| camunda.operate.ldap.baseDn | Root domain name | no |
| camunda.operate.ldap.userSearchFilter | Is used as search filter | no |