From 84625573154317e3c5ede4ca0a56cc3b62a10657 Mon Sep 17 00:00:00 2001 From: Balazs Kenez <96087935+bkenez@users.noreply.github.com> Date: Mon, 1 Dec 2025 10:45:28 +0100 Subject: [PATCH 01/11] feat(8.9): add IdP via internal keycloak doc --- .../external-idp-via-internal-keycloak.md | 164 ++++++++++++++++++ .../authentication-and-authorization/index.md | 12 +- .../react-components/_card-data.js | 7 + sidebars.js | 1 + 4 files changed, 179 insertions(+), 5 deletions(-) create mode 100644 docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md diff --git a/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md new file mode 100644 index 00000000000..8c71aeba30c --- /dev/null +++ b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md 
@@ -0,0 +1,164 @@ +--- +id: external-idp-via-internal-keycloak +sidebar_label: External IdP via Internal Keycloak +title: Set up the Helm chart with an external IdP through the internal Keycloak +description: Learn how to configure an external identity provider to authenticate users while using the internal Keycloak as an identity broker. +--- + +This guide shows you how to configure the internal Keycloak instance to act as an identity broker, delegating authentication to an external identity provider (IdP) such as a corporate OIDC provider, SAML, LDAP, or Active Directory. + +This setup allows you to: + +- Use your organization's existing identity provider for user authentication +- Retain the internal Keycloak for Camunda's OIDC integration +- Manage user authorization through Camunda's identity systems + +## Prerequisites + +- A Camunda 8 deployment with internal Keycloak enabled. See [Set up the Helm chart with the internal Keycloak instance](/self-managed/deployment/helm/configure/authentication-and-authorization/internal-keycloak.md). +- Access to your external IdP's configuration (client credentials, endpoints, etc.) + +## Configure the external identity provider + +Complete the following steps to integrate your external IdP: + +1. [Add your external IdP to Keycloak](#add-your-external-idp-to-keycloak) +1. [Configure identity provider mappers](#configure-identity-provider-mappers) +1. [Configure Orchestration Cluster Identity](#configure-orchestration-cluster-identity) +1. [Configure Management Identity access](#configure-management-identity-access-optional) (optional) + +### Add your external IdP to Keycloak + +Configure Keycloak to use your external identity provider by following the [Configure an external IdP using Keycloak](/self-managed/components/management-identity/configuration/configure-external-identity-provider.md) guide. 
+ +### Configure identity provider mappers + +After adding the identity provider, configure mappers to import user attributes and assign users to a group for authorization. + +:::tip +For details on Keycloak identity provider mappers, see the [Keycloak documentation on identity broker mappers](https://www.keycloak.org/docs/latest/server_admin/index.html#_mappers). +::: + +#### Create attribute mappers + +In Keycloak Admin Console, navigate to **Identity Providers** → select your IdP → **Mappers** tab. + +Create attribute mappers to import user profile information: + +| Name | Mapper Type | Claim | User Attribute | +| ----------- | ------------------ | ------------- | -------------- | +| `email` | Attribute Importer | `email` | `email` | +| `firstName` | Attribute Importer | `given_name` | `firstName` | +| `lastName` | Attribute Importer | `family_name` | `lastName` | + +#### Create username mapper + +Create a username mapper: + +- **Mapper Type**: Username Template Importer +- **Template**: `${CLAIM.preferred_username}` + +#### Create group for external IdP users + +Navigate to **Groups** → **Create group** and create a group: + +- **Name**: `external-idp-users` + +#### Assign users to the group + +Create a mapper to assign federated users to this group: + +- **Name**: `assign-external-idp-group` +- **Mapper Type**: Hardcoded Group +- **Group**: `external-idp-users` + +### Configure Orchestration Cluster Identity + +External IdP users can now authenticate, but require authorization to access Camunda components. + +Log in to **Orchestration Cluster Identity** as an administrator. + +#### Create a mapping rule + +Create a mapping rule to identify external IdP users: + +1. Navigate to **Mapping Rules** → **Create a mapping rule**. +1. 
Configure the mapping rule: + - **Mapping Rule ID**: `external-idp-users-rule` + - **Mapping Rule name**: `External IdP Users` + - **Claim name**: `groups` + - **Claim value**: `external-idp-users` + +#### Grant component access + +Grant access to Orchestration Cluster components: + +1. Navigate to **Authorizations** → select **Component** → **Create authorization**. +1. Configure the authorization: + - **Owner type**: `Mapping rule` + - **Owner ID**: `external-idp-users-rule` + - **Resource ID**: `*` + - **Permissions**: `ACCESS` + +#### Grant additional permissions (optional) + +Grant additional permissions as needed. For example, to allow users to view processes and complete tasks: + +| Resource Type | Resource ID | Permissions | +| ------------------ | ----------- | -------------------------------------------------------------------- | +| Process Definition | `*` | `READ_PROCESS_DEFINITION`, `READ_PROCESS_INSTANCE`, `READ_USER_TASK` | +| Process Definition | `*` | `UPDATE_USER_TASK` | + +:::info +For more details on authorizations, see [Orchestration Cluster authorization](/components/concepts/access-control/authorizations.md). +::: + +### Configure Management Identity access (optional) + +For access to Console, Web Modeler, and Optimize, external IdP users need the corresponding realm roles assigned in Keycloak. The recommended approach is to assign users to groups that have these roles. + +#### Verify or create groups + +1. In Keycloak Admin Console, navigate to **Groups**. +1. Verify that groups exist for each component (e.g., `Console`, `Optimize`, `Web Modeler`). If not, create them. + +#### Assign roles to groups + +Ensure each group has the corresponding realm role assigned: + +1. Select the group → **Role Mappings** tab. +1. Click **Assign role** and add the role with the same name (e.g., `Console`). + +#### Create group mappers + +Create mappers to assign federated users to these groups: + +1. 
Navigate to **Identity Providers** → select your IdP → **Mappers** tab. +1. Click **Add mapper** for each component: + +| Mapper Name | Mapper Type | Group | +| ------------------------- | --------------- | ------------- | +| `assign-console-group` | Hardcoded Group | `Console` | +| `assign-optimize-group` | Hardcoded Group | `Optimize` | +| `assign-webmodeler-group` | Hardcoded Group | `Web Modeler` | + +:::tip +You can also assign roles directly to users in Keycloak, or use [mapping rules in Management Identity](/self-managed/components/management-identity/mapping-rules.md) to map token claims to roles. +::: + +## Understanding the two identity systems + +Camunda 8.8 uses two separate identity systems: + +| System | Components | Configuration Method | +| ------------------------------ | ------------------------------------ | -------------------------------- | +| Orchestration Cluster Identity | Operate, Tasklist, Identity UI, APIs | Mapping rules and authorizations | +| Management Identity | Console, Web Modeler, Optimize | Keycloak groups and roles | + +Orchestration Cluster Identity does not automatically recognize Keycloak groups. You must create mapping rules that match JWT claims and then assign authorizations to those mapping rules. + +## Next steps + +- To learn more about mapping rules, see [Mapping rules](/components/concepts/access-control/mapping-rules.md). +- To configure additional authorizations, see [Orchestration Cluster authorization](/components/concepts/access-control/authorizations.md). +- To use an external IdP without the internal Keycloak, see [Set up the Helm chart with an external OIDC provider](/self-managed/deployment/helm/configure/authentication-and-authorization/external-oidc-provider.md). diff --git a/docs/self-managed/deployment/helm/configure/authentication-and-authorization/index.md b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/index.md index df16c5ce037..6801f983730 100644 
--- a/docs/self-managed/deployment/helm/configure/authentication-and-authorization/index.md +++ b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/index.md 
@@ -12,11 +12,12 @@ By default, Camunda uses basic authentication with predefined demo users. Altern ### Authentication options -| Method | Description | Recommended for | -| ----------------------------------------------------- | --------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------- | -| [Basic authentication](./basic-authentication.md) | Default authentication with preconfigured demo users. No external identity provider (IdP) required. | Local development and testing, as well as smaller scale production setups | -| [Internal Keycloak](./internal-keycloak.md) | Deploys a Keycloak pod with the Helm release, preconfigured by Management Identity. | Small teams or self-contained environments | -| [External OIDC provider](./external-oidc-provider.md) | Integrates Camunda with external IdPs such as Microsoft Entra ID or Okta via OpenID Connect. | Existing enterprise identity infrastructure | +| Method | Description | Recommended for | +| ----------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------- | +| [Basic authentication](./basic-authentication.md) | Default authentication with preconfigured demo users. No external identity provider (IdP) required. | Local development and testing, as well as smaller scale production setups | +| [Internal Keycloak](./internal-keycloak.md) | Deploys a Keycloak pod with the Helm release, preconfigured by Management Identity. | Small teams or self-contained environments | +| [External IdP via Internal Keycloak](./external-idp-via-internal-keycloak.md) | Uses internal Keycloak as identity broker, delegating to external IdPs like SAML, LDAP, or AD. 
| Organizations with existing identity infrastructure wanting Keycloak benefits | +| [External OIDC provider](./external-oidc-provider.md) | Integrates Camunda with external IdPs such as Microsoft Entra ID or Okta via OpenID Connect. | Existing enterprise identity infrastructure | ### Limitations of OIDC setups @@ -27,6 +28,7 @@ front channel single sign out is not supported. This means that when a user logs - [Basic authentication guide](./basic-authentication.md) - [Internal Keycloak guide](./internal-keycloak.md) +- [External IdP via Internal Keycloak guide](./external-idp-via-internal-keycloak.md) - [External Keycloak guide](./external-keycloak.md) - [Microsoft Entra guide](./microsoft-entra.md) - [Generic OIDC provider](./generic-oidc-provider.md) diff --git a/docs/self-managed/deployment/helm/configure/authentication-and-authorization/react-components/_card-data.js b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/react-components/_card-data.js index eac1aa9c339..fdfbfe99306 100644 --- a/docs/self-managed/deployment/helm/configure/authentication-and-authorization/react-components/_card-data.js +++ b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/react-components/_card-data.js @@ -7,6 +7,13 @@ import IconGear from "../../../../../../components/assets/icon-orchcluster.png"; // Backup and Restore overview cards data export const overviewCards = [ + { + link: "../external-idp-via-internal-keycloak", + title: "External IdP via Internal Keycloak", + image: IconGear, + description: + "Use internal Keycloak as identity broker, delegating authentication to external IdPs like SAML, LDAP, or Active Directory.", + }, { link: "../external-keycloak", title: "External Keycloak", diff --git a/sidebars.js b/sidebars.js index d629166c2c3..7f0530174cb 100644 --- a/sidebars.js +++ b/sidebars.js 
@@ -1489,6 +1489,7 @@ module.exports = { id: "self-managed/deployment/helm/configure/authentication-and-authorization/external-oidc-provider", }, items: [ + "self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak", "self-managed/deployment/helm/configure/authentication-and-authorization/external-keycloak", "self-managed/deployment/helm/configure/authentication-and-authorization/microsoft-entra", "self-managed/deployment/helm/configure/authentication-and-authorization/generic-oidc-provider", From e52210c7a373b44d1c752424500c3dbab7abb18b Mon Sep 17 00:00:00 2001 From: Balazs Kenez <96087935+bkenez@users.noreply.github.com> Date: Mon, 1 Dec 2025 10:45:50 +0100 Subject: [PATCH 02/11] feat(8.8): add IdP via internal keycloak doc --- .../external-idp-via-internal-keycloak.md | 164 ++++++++++++++++++ .../authentication-and-authorization/index.md | 12 +- .../react-components/_card-data.js | 7 + versioned_sidebars/version-8.8-sidebars.json | 1 + 4 files changed, 179 insertions(+), 5 deletions(-) create mode 100644 versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md diff --git a/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md new file mode 100644 index 00000000000..8c71aeba30c --- /dev/null +++ b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md 
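Review bot: In the index.md table row for External IdP via Internal Keycloak, "external IdPs like SAML, LDAP, or AD" mixes protocols and directories with providers, and "wanting Keycloak benefits" does not tell the reader which benefits are meant; suggest `Uses the internal Keycloak as an identity broker in front of an external OIDC or SAML IdP` and state the concrete reason to pick this row over the External OIDC provider row (the new guide itself names them: retaining the internal Keycloak for Camunda's OIDC integration and managing authorization through Camunda's identity systems), since the two rows' "Recommended for" cells currently overlap. The same wording is repeated in the `_card-data.js` card description and should be aligned with whatever the table ends up saying.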
@@ -0,0 +1,164 @@ +--- +id: external-idp-via-internal-keycloak +sidebar_label: External IdP via Internal Keycloak +title: Set up the Helm chart with an external IdP through the internal Keycloak +description: Learn how to configure an external identity provider to authenticate users while using the internal Keycloak as an identity broker. +--- + +This guide shows you how to configure the internal Keycloak instance to act as an identity broker, delegating authentication to an external identity provider (IdP) such as a corporate OIDC provider, SAML, LDAP, or Active Directory. + +This setup allows you to: + +- Use your organization's existing identity provider for user authentication +- Retain the internal Keycloak for Camunda's OIDC integration +- Manage user authorization through Camunda's identity systems + +## Prerequisites + +- A Camunda 8 deployment with internal Keycloak enabled. See [Set up the Helm chart with the internal Keycloak instance](/self-managed/deployment/helm/configure/authentication-and-authorization/internal-keycloak.md). +- Access to your external IdP's configuration (client credentials, endpoints, etc.) + +## Configure the external identity provider + +Complete the following steps to integrate your external IdP: + +1. [Add your external IdP to Keycloak](#add-your-external-idp-to-keycloak) +1. [Configure identity provider mappers](#configure-identity-provider-mappers) +1. [Configure Orchestration Cluster Identity](#configure-orchestration-cluster-identity) +1. [Configure Management Identity access](#configure-management-identity-access-optional) (optional) + +### Add your external IdP to Keycloak + +Configure Keycloak to use your external identity provider by following the [Configure an external IdP using Keycloak](/self-managed/components/management-identity/configuration/configure-external-identity-provider.md) guide. 
+ +### Configure identity provider mappers + +After adding the identity provider, configure mappers to import user attributes and assign users to a group for authorization. + +:::tip +For details on Keycloak identity provider mappers, see the [Keycloak documentation on identity broker mappers](https://www.keycloak.org/docs/latest/server_admin/index.html#_mappers). +::: + +#### Create attribute mappers + +In Keycloak Admin Console, navigate to **Identity Providers** → select your IdP → **Mappers** tab. + +Create attribute mappers to import user profile information: + +| Name | Mapper Type | Claim | User Attribute | +| ----------- | ------------------ | ------------- | -------------- | +| `email` | Attribute Importer | `email` | `email` | +| `firstName` | Attribute Importer | `given_name` | `firstName` | +| `lastName` | Attribute Importer | `family_name` | `lastName` | + +#### Create username mapper + +Create a username mapper: + +- **Mapper Type**: Username Template Importer +- **Template**: `${CLAIM.preferred_username}` + +#### Create group for external IdP users + +Navigate to **Groups** → **Create group** and create a group: + +- **Name**: `external-idp-users` + +#### Assign users to the group + +Create a mapper to assign federated users to this group: + +- **Name**: `assign-external-idp-group` +- **Mapper Type**: Hardcoded Group +- **Group**: `external-idp-users` + +### Configure Orchestration Cluster Identity + +External IdP users can now authenticate, but require authorization to access Camunda components. + +Log in to **Orchestration Cluster Identity** as an administrator. + +#### Create a mapping rule + +Create a mapping rule to identify external IdP users: + +1. Navigate to **Mapping Rules** → **Create a mapping rule**. +1. 
Configure the mapping rule: + - **Mapping Rule ID**: `external-idp-users-rule` + - **Mapping Rule name**: `External IdP Users` + - **Claim name**: `groups` + - **Claim value**: `external-idp-users` + +#### Grant component access + +Grant access to Orchestration Cluster components: + +1. Navigate to **Authorizations** → select **Component** → **Create authorization**. +1. Configure the authorization: + - **Owner type**: `Mapping rule` + - **Owner ID**: `external-idp-users-rule` + - **Resource ID**: `*` + - **Permissions**: `ACCESS` + +#### Grant additional permissions (optional) + +Grant additional permissions as needed. For example, to allow users to view processes and complete tasks: + +| Resource Type | Resource ID | Permissions | +| ------------------ | ----------- | -------------------------------------------------------------------- | +| Process Definition | `*` | `READ_PROCESS_DEFINITION`, `READ_PROCESS_INSTANCE`, `READ_USER_TASK` | +| Process Definition | `*` | `UPDATE_USER_TASK` | + +:::info +For more details on authorizations, see [Orchestration Cluster authorization](/components/concepts/access-control/authorizations.md). +::: + +### Configure Management Identity access (optional) + +For access to Console, Web Modeler, and Optimize, external IdP users need the corresponding realm roles assigned in Keycloak. The recommended approach is to assign users to groups that have these roles. + +#### Verify or create groups + +1. In Keycloak Admin Console, navigate to **Groups**. +1. Verify that groups exist for each component (e.g., `Console`, `Optimize`, `Web Modeler`). If not, create them. + +#### Assign roles to groups + +Ensure each group has the corresponding realm role assigned: + +1. Select the group → **Role Mappings** tab. +1. Click **Assign role** and add the role with the same name (e.g., `Console`). + +#### Create group mappers + +Create mappers to assign federated users to these groups: + +1. 
Navigate to **Identity Providers** → select your IdP → **Mappers** tab. +1. Click **Add mapper** for each component: + +| Mapper Name | Mapper Type | Group | +| ------------------------- | --------------- | ------------- | +| `assign-console-group` | Hardcoded Group | `Console` | +| `assign-optimize-group` | Hardcoded Group | `Optimize` | +| `assign-webmodeler-group` | Hardcoded Group | `Web Modeler` | + +:::tip +You can also assign roles directly to users in Keycloak, or use [mapping rules in Management Identity](/self-managed/components/management-identity/mapping-rules.md) to map token claims to roles. +::: + +## Understanding the two identity systems + +Camunda 8.8 uses two separate identity systems: + +| System | Components | Configuration Method | +| ------------------------------ | ------------------------------------ | -------------------------------- | +| Orchestration Cluster Identity | Operate, Tasklist, Identity UI, APIs | Mapping rules and authorizations | +| Management Identity | Console, Web Modeler, Optimize | Keycloak groups and roles | + +Orchestration Cluster Identity does not automatically recognize Keycloak groups. You must create mapping rules that match JWT claims and then assign authorizations to those mapping rules. + +## Next steps + +- To learn more about mapping rules, see [Mapping rules](/components/concepts/access-control/mapping-rules.md). +- To configure additional authorizations, see [Orchestration Cluster authorization](/components/concepts/access-control/authorizations.md). +- To use an external IdP without the internal Keycloak, see [Set up the Helm chart with an external OIDC provider](/self-managed/deployment/helm/configure/authentication-and-authorization/external-oidc-provider.md). 
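Review bot: The mapper section of the new external-idp-via-internal-keycloak.md (identical in the PATCH 01 `docs/` copy) only works for an OIDC broker: the Attribute Importer rows use OIDC claim names (`email`, `given_name`, `family_name`) and the username template is `${CLAIM.preferred_username}`, while the intro promises SAML, LDAP, or Active Directory. In Keycloak, LDAP and AD are set up under User federation rather than Identity providers, so the **Identity Providers** > **Mappers** steps and the Hardcoded Group mapper do not apply to them; either scope the guide to OIDC and SAML brokering or add the SAML attribute names. Second, the mapping rule keys on a `groups` claim with value `external-idp-users`, but no step in the guide puts that claim into the token issued to Camunda: Hardcoded Group only adds the user to the Keycloak group, and the closing note itself says Orchestration Cluster Identity matches JWT claims, not Keycloak groups. Add a step that confirms the client scope used by the Orchestration Cluster client carries a group membership mapper emitting `groups`, and tell readers to inspect a decoded token, because the claim value must match exactly (plain name versus full group path such as `/external-idp-users`). Finally, `Resource ID: *` with `ACCESS` grants every federated user access to all Orchestration Cluster components; say that explicitly and show how to narrow the Resource ID for deployments that should not expose every component to everyone the external IdP authenticates.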
diff --git a/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/index.md b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/index.md index df16c5ce037..6801f983730 100644 --- a/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/index.md +++ b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/index.md 
@@ -12,11 +12,12 @@ By default, Camunda uses basic authentication with predefined demo users. Altern ### Authentication options -| Method | Description | Recommended for | -| ----------------------------------------------------- | --------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------- | -| [Basic authentication](./basic-authentication.md) | Default authentication with preconfigured demo users. No external identity provider (IdP) required. | Local development and testing, as well as smaller scale production setups | -| [Internal Keycloak](./internal-keycloak.md) | Deploys a Keycloak pod with the Helm release, preconfigured by Management Identity. | Small teams or self-contained environments | -| [External OIDC provider](./external-oidc-provider.md) | Integrates Camunda with external IdPs such as Microsoft Entra ID or Okta via OpenID Connect. | Existing enterprise identity infrastructure | +| Method | Description | Recommended for | +| ----------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------- | +| [Basic authentication](./basic-authentication.md) | Default authentication with preconfigured demo users. No external identity provider (IdP) required. | Local development and testing, as well as smaller scale production setups | +| [Internal Keycloak](./internal-keycloak.md) | Deploys a Keycloak pod with the Helm release, preconfigured by Management Identity. | Small teams or self-contained environments | +| [External IdP via Internal Keycloak](./external-idp-via-internal-keycloak.md) | Uses internal Keycloak as identity broker, delegating to external IdPs like SAML, LDAP, or AD. 
| Organizations with existing identity infrastructure wanting Keycloak benefits | +| [External OIDC provider](./external-oidc-provider.md) | Integrates Camunda with external IdPs such as Microsoft Entra ID or Okta via OpenID Connect. | Existing enterprise identity infrastructure | ### Limitations of OIDC setups @@ -27,6 +28,7 @@ front channel single sign out is not supported. This means that when a user logs - [Basic authentication guide](./basic-authentication.md) - [Internal Keycloak guide](./internal-keycloak.md) +- [External IdP via Internal Keycloak guide](./external-idp-via-internal-keycloak.md) - [External Keycloak guide](./external-keycloak.md) - [Microsoft Entra guide](./microsoft-entra.md) - [Generic OIDC provider](./generic-oidc-provider.md) diff --git a/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/react-components/_card-data.js b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/react-components/_card-data.js index eac1aa9c339..fdfbfe99306 100644 --- a/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/react-components/_card-data.js +++ b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/react-components/_card-data.js @@ -7,6 +7,13 @@ import IconGear from "../../../../../../components/assets/icon-orchcluster.png"; // Backup and Restore overview cards data export const overviewCards = [ + { + link: "../external-idp-via-internal-keycloak", + title: "External IdP via Internal Keycloak", + image: IconGear, + description: + "Use internal Keycloak as identity broker, delegating authentication to external IdPs like SAML, LDAP, or Active Directory.", + }, { link: "../external-keycloak", title: "External Keycloak", diff --git a/versioned_sidebars/version-8.8-sidebars.json b/versioned_sidebars/version-8.8-sidebars.json index dcdb1d70d67..bffa50a6428 100644 
--- a/versioned_sidebars/version-8.8-sidebars.json +++ b/versioned_sidebars/version-8.8-sidebars.json @@ -2925,6 +2925,7 @@ "id": "self-managed/deployment/helm/configure/authentication-and-authorization/external-oidc-provider" }, "items": [ + "self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak", "self-managed/deployment/helm/configure/authentication-and-authorization/external-keycloak", "self-managed/deployment/helm/configure/authentication-and-authorization/microsoft-entra", "self-managed/deployment/helm/configure/authentication-and-authorization/generic-oidc-provider", From 288fabc4a28e8bad684d3eb0bb505e86703db3b8 Mon Sep 17 00:00:00 2001 From: Balazs Kenez <96087935+bkenez@users.noreply.github.com> Date: Mon, 1 Dec 2025 13:36:57 +0100 Subject: [PATCH 03/11] fix(8.8, 8.9): improve style consistency in external IdP via internal Keycloak guide --- .../external-idp-via-internal-keycloak.md | 23 +++++++++---------- .../external-idp-via-internal-keycloak.md | 23 +++++++++---------- 2 files changed, 22 insertions(+), 24 deletions(-) diff --git a/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md index 8c71aeba30c..1e9ce866f1b 100644 --- a/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md +++ b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md 
@@ -41,7 +41,7 @@ For details on Keycloak identity provider mappers, see the [Keycloak documentati #### Create attribute mappers -In Keycloak Admin Console, navigate to **Identity Providers** → select your IdP → **Mappers** tab. +In Keycloak Admin Console, navigate to **Identity Providers** > select your IdP > **Mappers** tab. Create attribute mappers to import user profile information: @@ -60,7 +60,7 @@ Create a username mapper: #### Create group for external IdP users -Navigate to **Groups** → **Create group** and create a group: +Navigate to **Groups** > **Create group** and create a group: - **Name**: `external-idp-users` @@ -82,7 +82,7 @@ Log in to **Orchestration Cluster Identity** as an administrator. Create a mapping rule to identify external IdP users: -1. Navigate to **Mapping Rules** → **Create a mapping rule**. +1. Navigate to **Mapping Rules** > **Create a mapping rule**. 1. Configure the mapping rule: - **Mapping Rule ID**: `external-idp-users-rule` - **Mapping Rule name**: `External IdP Users` @@ -93,7 +93,7 @@ Create a mapping rule to identify external IdP users: Grant access to Orchestration Cluster components: -1. Navigate to **Authorizations** → select **Component** → **Create authorization**. +1. Navigate to **Authorizations** > select **Component** > **Create authorization**. 1. Configure the authorization: - **Owner type**: `Mapping rule` - **Owner ID**: `external-idp-users-rule` @@ -113,7 +113,7 @@ Grant additional permissions as needed. For example, to allow users to view proc For more details on authorizations, see [Orchestration Cluster authorization](/components/concepts/access-control/authorizations.md). ::: -### Configure Management Identity access (optional) +### Configure Management Identity access (Optional) For access to Console, Web Modeler, and Optimize, external IdP users need the corresponding realm roles assigned in Keycloak. The recommended approach is to assign users to groups that have these roles. 
@@ -126,14 +126,14 @@ For access to Console, Web Modeler, and Optimize, external IdP users need the co Ensure each group has the corresponding realm role assigned: -1. Select the group → **Role Mappings** tab. +1. Select the group > **Role Mappings** tab. 1. Click **Assign role** and add the role with the same name (e.g., `Console`). #### Create group mappers Create mappers to assign federated users to these groups: -1. Navigate to **Identity Providers** → select your IdP → **Mappers** tab. +1. Navigate to **Identity Providers** > select your IdP > **Mappers** tab. 1. Click **Add mapper** for each component: | Mapper Name | Mapper Type | Group | @@ -148,14 +148,13 @@ You can also assign roles directly to users in Keycloak, or use [mapping rules i ## Understanding the two identity systems -Camunda 8.8 uses two separate identity systems: +Camunda 8.8 uses two separate identity systems: Orchestration Cluster Identity and Management Identity. Each system manages access to different components and uses different configuration methods. -| System | Components | Configuration Method | -| ------------------------------ | ------------------------------------ | -------------------------------- | -| Orchestration Cluster Identity | Operate, Tasklist, Identity UI, APIs | Mapping rules and authorizations | -| Management Identity | Console, Web Modeler, Optimize | Keycloak groups and roles | +For a detailed explanation of the differences between these identity systems, see [Identity types in Camunda 8](/components/concepts/access-control/access-control-overview.md#identity-types-in-camunda-8). +:::note Orchestration Cluster Identity does not automatically recognize Keycloak groups. You must create mapping rules that match JWT claims and then assign authorizations to those mapping rules. +::: ## Next steps 
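Review bot: The heading rename to `(Optional)` leaves the step list near the top of the file still reading `(optional)` after the link text, so the two now disagree; the anchor `#configure-management-identity-access-optional` is unaffected, only the visible text needs the same casing. Also, this is the `docs/` copy that PATCH 01 labels 8.9, yet the rewritten sentence still says `Camunda 8.8 uses two separate identity systems`; either drop the version number here or use the version this copy documents, leaving 8.8 only in the versioned_docs/version-8.8 copy.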
diff --git a/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md index 8c71aeba30c..1e9ce866f1b 100644 --- a/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md +++ b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md @@ -41,7 +41,7 @@ For details on Keycloak identity provider mappers, see the [Keycloak documentati #### Create attribute mappers -In Keycloak Admin Console, navigate to **Identity Providers** → select your IdP → **Mappers** tab. +In Keycloak Admin Console, navigate to **Identity Providers** > select your IdP > **Mappers** tab. Create attribute mappers to import user profile information: @@ -60,7 +60,7 @@ Create a username mapper: #### Create group for external IdP users -Navigate to **Groups** → **Create group** and create a group: +Navigate to **Groups** > **Create group** and create a group: - **Name**: `external-idp-users` @@ -82,7 +82,7 @@ Log in to **Orchestration Cluster Identity** as an administrator. Create a mapping rule to identify external IdP users: -1. Navigate to **Mapping Rules** → **Create a mapping rule**. +1. Navigate to **Mapping Rules** > **Create a mapping rule**. 1. Configure the mapping rule: - **Mapping Rule ID**: `external-idp-users-rule` - **Mapping Rule name**: `External IdP Users` 
@@ -93,7 +93,7 @@ Create a mapping rule to identify external IdP users: Grant access to Orchestration Cluster components: -1. Navigate to **Authorizations** → select **Component** → **Create authorization**. +1. Navigate to **Authorizations** > select **Component** > **Create authorization**. 1. Configure the authorization: - **Owner type**: `Mapping rule` - **Owner ID**: `external-idp-users-rule` @@ -113,7 +113,7 @@ Grant additional permissions as needed. For example, to allow users to view proc For more details on authorizations, see [Orchestration Cluster authorization](/components/concepts/access-control/authorizations.md). ::: -### Configure Management Identity access (optional) +### Configure Management Identity access (Optional) For access to Console, Web Modeler, and Optimize, external IdP users need the corresponding realm roles assigned in Keycloak. The recommended approach is to assign users to groups that have these roles. @@ -126,14 +126,14 @@ For access to Console, Web Modeler, and Optimize, external IdP users need the co Ensure each group has the corresponding realm role assigned: -1. Select the group → **Role Mappings** tab. +1. Select the group > **Role Mappings** tab. 1. Click **Assign role** and add the role with the same name (e.g., `Console`). #### Create group mappers Create mappers to assign federated users to these groups: -1. Navigate to **Identity Providers** → select your IdP → **Mappers** tab. +1. Navigate to **Identity Providers** > select your IdP > **Mappers** tab. 1. Click **Add mapper** for each component: | Mapper Name | Mapper Type | Group | 
@@ -148,14 +148,13 @@ You can also assign roles directly to users in Keycloak, or use [mapping rules i ## Understanding the two identity systems -Camunda 8.8 uses two separate identity systems: +Camunda 8.8 uses two separate identity systems: Orchestration Cluster Identity and Management Identity. Each system manages access to different components and uses different configuration methods. -| System | Components | Configuration Method | -| ------------------------------ | ------------------------------------ | -------------------------------- | -| Orchestration Cluster Identity | Operate, Tasklist, Identity UI, APIs | Mapping rules and authorizations | -| Management Identity | Console, Web Modeler, Optimize | Keycloak groups and roles | +For a detailed explanation of the differences between these identity systems, see [Identity types in Camunda 8](/components/concepts/access-control/access-control-overview.md#identity-types-in-camunda-8). +:::note Orchestration Cluster Identity does not automatically recognize Keycloak groups. You must create mapping rules that match JWT claims and then assign authorizations to those mapping rules. +::: ## Next steps From 6ec590eb05a539e8e740ced4db451b3d8eb4b622 Mon Sep 17 00:00:00 2001 From: Balazs Kenez <96087935+bkenez@users.noreply.github.com> Date: Fri, 5 Dec 2025 15:37:20 +0100 Subject: [PATCH 04/11] docs: move external IdP via internal Keycloak guide to end of section --- sidebars.js | 2 +- versioned_sidebars/version-8.8-sidebars.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sidebars.js b/sidebars.js index 7f0530174cb..3eaefc407be 100644 --- a/sidebars.js +++ b/sidebars.js 
@@ -1489,10 +1489,10 @@ module.exports = { id: "self-managed/deployment/helm/configure/authentication-and-authorization/external-oidc-provider", }, items: [ - "self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak", "self-managed/deployment/helm/configure/authentication-and-authorization/external-keycloak", "self-managed/deployment/helm/configure/authentication-and-authorization/microsoft-entra", "self-managed/deployment/helm/configure/authentication-and-authorization/generic-oidc-provider", + "self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak", "self-managed/deployment/helm/configure/authentication-and-authorization/troubleshooting-oidc", ], }, diff --git a/versioned_sidebars/version-8.8-sidebars.json b/versioned_sidebars/version-8.8-sidebars.json index bffa50a6428..9419187f89d 100644 --- a/versioned_sidebars/version-8.8-sidebars.json +++ b/versioned_sidebars/version-8.8-sidebars.json @@ -2925,10 +2925,10 @@ "id": "self-managed/deployment/helm/configure/authentication-and-authorization/external-oidc-provider" }, "items": [ - "self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak", "self-managed/deployment/helm/configure/authentication-and-authorization/external-keycloak", "self-managed/deployment/helm/configure/authentication-and-authorization/microsoft-entra", "self-managed/deployment/helm/configure/authentication-and-authorization/generic-oidc-provider", + "self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak", "self-managed/deployment/helm/configure/authentication-and-authorization/troubleshooting-oidc" ] } From d23401b4a629874c92bf25673bdb159c175c0c92 Mon Sep 17 00:00:00 2001 
From: Balazs Kenez <96087935+bkenez@users.noreply.github.com> Date: Fri, 5 Dec 2025 15:40:35 +0100 Subject: [PATCH 05/11] docs: specify Camunda realm for identity provider mappers --- .../external-idp-via-internal-keycloak.md | 2 +- .../external-idp-via-internal-keycloak.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md index 1e9ce866f1b..2aa38633069 100644 --- a/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md +++ b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md @@ -33,7 +33,7 @@ Configure Keycloak to use your external identity provider by following the [Conf ### Configure identity provider mappers -After adding the identity provider, configure mappers to import user attributes and assign users to a group for authorization. +After adding the identity provider, configure mappers in the **Camunda realm** (default: `camunda-platform`) to import user attributes and assign users to a group for authorization. :::tip For details on Keycloak identity provider mappers, see the [Keycloak documentation on identity broker mappers](https://www.keycloak.org/docs/latest/server_admin/index.html#_mappers). diff --git a/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md index 1e9ce866f1b..2aa38633069 100644 --- a/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md 
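Review bot: The realm is specified only at the mapper step, but the identity provider the mappers hang off was created in the preceding step (hunk context: "Configure Keycloak to use your external identity provider by following the [Conf..."), and an IdP created in the wrong realm (for example `master`) never shows up in the Camunda realm's Identity Providers list, so the reader hits the problem one step before this sentence helps. Move the "**Camunda realm** (default: `camunda-platform`)" statement up to the step that adds the IdP, or repeat it there, so the IdP, its mappers and the groups all land in the same realm.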
+++ b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md @@ -33,7 +33,7 @@ Configure Keycloak to use your external identity provider by following the [Conf ### Configure identity provider mappers -After adding the identity provider, configure mappers to import user attributes and assign users to a group for authorization. +After adding the identity provider, configure mappers in the **Camunda realm** (default: `camunda-platform`) to import user attributes and assign users to a group for authorization. :::tip For details on Keycloak identity provider mappers, see the [Keycloak documentation on identity broker mappers](https://www.keycloak.org/docs/latest/server_admin/index.html#_mappers). From a47075388ef40c23b7a89a6d1b4dac2fe44d9ddc Mon Sep 17 00:00:00 2001 From: Balazs Kenez <96087935+bkenez@users.noreply.github.com> Date: Fri, 5 Dec 2025 15:44:36 +0100 Subject: [PATCH 06/11] docs: add name field to username mapper --- .../external-idp-via-internal-keycloak.md | 1 + .../external-idp-via-internal-keycloak.md | 1 + 2 files changed, 2 insertions(+) diff --git a/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md index 2aa38633069..abe609f2bd4 100644 --- a/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md +++ b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md @@ -55,6 +55,7 @@ Create attribute mappers to import user profile information: Create a username mapper: +- **Name**: `username` - **Mapper Type**: Username Template Importer - **Template**: `${CLAIM.preferred_username}` 
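Review bot: With the mapper now fully specified, the template `${CLAIM.preferred_username}` drops the `${ALIAS}.` prefix that Keycloak's Username Template Importer uses by default (`${ALIAS}.${CLAIM.preferred_username}`); without it a federated user whose `preferred_username` equals an existing local account (such as a locally created admin) collides on first login and is pushed into Keycloak's account-linking flow. Either keep the prefix, or add one sentence stating the assumption that usernames from the external IdP do not overlap with local users, and mention that `preferred_username` is not guaranteed unique or stable by OIDC, so a template built on `${CLAIM.sub}` is the safer choice when the IdP promises nothing about it.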
diff --git a/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md index 2aa38633069..abe609f2bd4 100644 --- a/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md +++ b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md @@ -55,6 +55,7 @@ Create attribute mappers to import user profile information: Create a username mapper: +- **Name**: `username` - **Mapper Type**: Username Template Importer - **Template**: `${CLAIM.preferred_username}` From afe6bf5189aa1ace16670dbd33c99b454a29c808 Mon Sep 17 00:00:00 2001 From: Balazs Kenez <96087935+bkenez@users.noreply.github.com> Date: Fri, 5 Dec 2025 15:46:36 +0100 Subject: [PATCH 07/11] docs: add explanations for identity provider mappers --- .../external-idp-via-internal-keycloak.md | 6 ++++++ .../external-idp-via-internal-keycloak.md | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md index abe609f2bd4..7a64ecf58e1 100644 --- a/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md +++ b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md 
@@ -41,6 +41,8 @@ For details on Keycloak identity provider mappers, see the [Keycloak documentati #### Create attribute mappers +Attribute mappers import user profile information from the external IdP into Keycloak user accounts. + In Keycloak Admin Console, navigate to **Identity Providers** > select your IdP > **Mappers** tab. Create attribute mappers to import user profile information: @@ -53,6 +55,8 @@ Create attribute mappers to import user profile information: #### Create username mapper +The username mapper determines how Keycloak assigns usernames to federated users based on claims from the external IdP. + Create a username mapper: - **Name**: `username` @@ -67,6 +71,8 @@ Navigate to **Groups** > **Create group** and create a group: #### Assign users to the group +The hardcoded group mapper automatically assigns all users authenticating through this IdP to a specified group. This group membership is then included in the user's access token. + Create a mapper to assign federated users to this group: - **Name**: `assign-external-idp-group` diff --git a/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md index abe609f2bd4..7a64ecf58e1 100644 --- a/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md +++ b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md 
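Review bot: "This group membership is then included in the user's access token" is not something the hardcoded group mapper does on its own: the mapper only writes the membership onto the Keycloak user, and the claim appears in the token only if the client (or a client scope it uses) has a Group Membership protocol mapper emitting it. Since the rest of the page depends on that claim, state the precondition here or say where the chart's realm configuration provides it. A second point for all three new paragraphs: identity provider mappers inherit the IdP's sync mode, which defaults to import (applied on first login only), so the attributes imported by the attribute mappers will not follow later changes in the external IdP unless the IdP or mapper is set to force; one sentence on this saves administrators from chasing stale email or username data.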
@@ -41,6 +41,8 @@ For details on Keycloak identity provider mappers, see the [Keycloak documentati #### Create attribute mappers +Attribute mappers import user profile information from the external IdP into Keycloak user accounts. + In Keycloak Admin Console, navigate to **Identity Providers** > select your IdP > **Mappers** tab. Create attribute mappers to import user profile information: @@ -53,6 +55,8 @@ Create attribute mappers to import user profile information: #### Create username mapper +The username mapper determines how Keycloak assigns usernames to federated users based on claims from the external IdP. + Create a username mapper: - **Name**: `username` @@ -67,6 +71,8 @@ Navigate to **Groups** > **Create group** and create a group: #### Assign users to the group +The hardcoded group mapper automatically assigns all users authenticating through this IdP to a specified group. This group membership is then included in the user's access token. + Create a mapper to assign federated users to this group: - **Name**: `assign-external-idp-group` From d369b2a9e7f072a36dcdaa0f50a9e1cf94f45b46 Mon Sep 17 00:00:00 2001 From: Balazs Kenez <96087935+bkenez@users.noreply.github.com> Date: Fri, 5 Dec 2025 15:51:18 +0100 Subject: [PATCH 08/11] docs: add tip about direct group authorization alternative --- .../external-idp-via-internal-keycloak.md | 4 ++++ .../external-idp-via-internal-keycloak.md | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md index 7a64ecf58e1..8a87c3ccb3a 100644 --- a/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md +++ b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md 
@@ -83,6 +83,10 @@ Create a mapper to assign federated users to this group: External IdP users can now authenticate, but require authorization to access Camunda components. +:::tip Alternative: Direct group authorization +If you have configured the groups claim feature (`orchestration.security.authentication.oidc.groups-claim`), you can create authorizations directly for the `external-idp-users` group without creating mapping rules. This is enabled by default when using the internal Keycloak with the Helm chart. Navigate to **Authorizations** > **Component** > **Create authorization**, select **Owner type**: `Group`, and **Owner ID**: `external-idp-users`. +::: + Log in to **Orchestration Cluster Identity** as an administrator. #### Create a mapping rule diff --git a/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md index 7a64ecf58e1..8a87c3ccb3a 100644 --- a/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md +++ b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md 
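Review bot: The tip makes two unreferenced claims that need a source: that the property is `orchestration.security.authentication.oidc.groups-claim` (this mixes a Helm values path prefix with a kebab-case application-property leaf; settle on one form and link the configuration reference it comes from), and that the groups claim "is enabled by default when using the internal Keycloak with the Helm chart" (link to where the chart sets it). Also, the tip offers Owner type `Group` as an alternative while the main body still instructs a mapping rule on `groups` = `external-idp-users`; both match the same claim, so say when a mapping rule is preferable (for example when the cluster has no groups claim configured) rather than presenting them as interchangeable.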
@@ -83,6 +83,10 @@ Create a mapper to assign federated users to this group: External IdP users can now authenticate, but require authorization to access Camunda components. +:::tip Alternative: Direct group authorization +If you have configured the groups claim feature (`orchestration.security.authentication.oidc.groups-claim`), you can create authorizations directly for the `external-idp-users` group without creating mapping rules. This is enabled by default when using the internal Keycloak with the Helm chart. Navigate to **Authorizations** > **Component** > **Create authorization**, select **Owner type**: `Group`, and **Owner ID**: `external-idp-users`. +::: + Log in to **Orchestration Cluster Identity** as an administrator. #### Create a mapping rule From bfb9b9817519b8d7c46a12d92c655887fc8e2c22 Mon Sep 17 00:00:00 2001 From: Balazs Kenez <96087935+bkenez@users.noreply.github.com> Date: Fri, 5 Dec 2025 15:53:11 +0100 Subject: [PATCH 09/11] docs: clarify hardcoded group mappers grant access to all external IdP users --- .../external-idp-via-internal-keycloak.md | 4 ++++ .../external-idp-via-internal-keycloak.md | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md index 8a87c3ccb3a..c81e4eb8466 100644 --- a/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md +++ b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md 
@@ -128,6 +128,10 @@ For more details on authorizations, see [Orchestration Cluster authorization](/c For access to Console, Web Modeler, and Optimize, external IdP users need the corresponding realm roles assigned in Keycloak. The recommended approach is to assign users to groups that have these roles. +:::note +The hardcoded group mappers in this section grant access to **all users** authenticating through the external IdP. For more granular access control based on groups or attributes from your external IdP, see the [Keycloak documentation on identity provider mappers](https://www.keycloak.org/docs/latest/server_admin/index.html#_mappers). +::: + #### Verify or create groups 1. In Keycloak Admin Console, navigate to **Groups**. diff --git a/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md index 8a87c3ccb3a..c81e4eb8466 100644 --- a/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md +++ b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md 
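Review bot: Good caveat, but the pointer is generic; name the Keycloak mapper types that give the granular behaviour, Advanced Claim to Group (map a claim value from the external IdP to a Keycloak group) and Claim to Role, so readers do not have to hunt for them. The same "all users" caveat applies to the `external-idp-users` hardcoded group created earlier for Orchestration Cluster access, yet the note is placed only in the Management Identity section; either place it once at the hardcoded-group step or repeat it in both sections.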
@@ -128,6 +128,10 @@ For more details on authorizations, see [Orchestration Cluster authorization](/c For access to Console, Web Modeler, and Optimize, external IdP users need the corresponding realm roles assigned in Keycloak. The recommended approach is to assign users to groups that have these roles. +:::note +The hardcoded group mappers in this section grant access to **all users** authenticating through the external IdP. For more granular access control based on groups or attributes from your external IdP, see the [Keycloak documentation on identity provider mappers](https://www.keycloak.org/docs/latest/server_admin/index.html#_mappers). +::: + #### Verify or create groups 1. In Keycloak Admin Console, navigate to **Groups**. From 799f7eebfb07bd022a619f7d0f95c3d6a3a9734a Mon Sep 17 00:00:00 2001 From: Balazs Kenez <96087935+bkenez@users.noreply.github.com> Date: Fri, 5 Dec 2025 15:58:40 +0100 Subject: [PATCH 10/11] docs: remove generic identity systems section, add link to Next steps --- .../external-idp-via-internal-keycloak.md | 11 +---------- .../external-idp-via-internal-keycloak.md | 11 +---------- 2 files changed, 2 insertions(+), 20 deletions(-) diff --git a/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md index c81e4eb8466..c8a68af966d 100644 --- a/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md +++ b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md 
@@ -161,18 +161,9 @@ Create mappers to assign federated users to these groups: You can also assign roles directly to users in Keycloak, or use [mapping rules in Management Identity](/self-managed/components/management-identity/mapping-rules.md) to map token claims to roles. ::: -## Understanding the two identity systems - -Camunda 8.8 uses two separate identity systems: Orchestration Cluster Identity and Management Identity. Each system manages access to different components and uses different configuration methods. - -For a detailed explanation of the differences between these identity systems, see [Identity types in Camunda 8](/components/concepts/access-control/access-control-overview.md#identity-types-in-camunda-8). - -:::note -Orchestration Cluster Identity does not automatically recognize Keycloak groups. You must create mapping rules that match JWT claims and then assign authorizations to those mapping rules. -::: - ## Next steps +- To understand the differences between Orchestration Cluster Identity and Management Identity, see [Identity types in Camunda 8](/components/concepts/access-control/access-control-overview.md#identity-types-in-camunda-8). - To learn more about mapping rules, see [Mapping rules](/components/concepts/access-control/mapping-rules.md). - To configure additional authorizations, see [Orchestration Cluster authorization](/components/concepts/access-control/authorizations.md). - To use an external IdP without the internal Keycloak, see [Set up the Helm chart with an external OIDC provider](/self-managed/deployment/helm/configure/authentication-and-authorization/external-oidc-provider.md). diff --git a/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md index c81e4eb8466..c8a68af966d 100644 
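Review bot: Dropping the section removes the only sentence that explained why the page asks for a mapping rule on claim `groups` ("Orchestration Cluster Identity does not automatically recognize Keycloak groups"), while the mapping-rule steps themselves still stand after this commit; the deletion only becomes consistent with the body once the following commit switches to direct Group authorization, so squash the two or move this rewrite into that commit. The new Next steps bullet pointing at "Identity types in Camunda 8" is a fine replacement for the removed table.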
--- a/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md +++ b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md @@ -161,18 +161,9 @@ Create mappers to assign federated users to these groups: You can also assign roles directly to users in Keycloak, or use [mapping rules in Management Identity](/self-managed/components/management-identity/mapping-rules.md) to map token claims to roles. ::: -## Understanding the two identity systems - -Camunda 8.8 uses two separate identity systems: Orchestration Cluster Identity and Management Identity. Each system manages access to different components and uses different configuration methods. - -For a detailed explanation of the differences between these identity systems, see [Identity types in Camunda 8](/components/concepts/access-control/access-control-overview.md#identity-types-in-camunda-8). - -:::note -Orchestration Cluster Identity does not automatically recognize Keycloak groups. You must create mapping rules that match JWT claims and then assign authorizations to those mapping rules. -::: - ## Next steps +- To understand the differences between Orchestration Cluster Identity and Management Identity, see [Identity types in Camunda 8](/components/concepts/access-control/access-control-overview.md#identity-types-in-camunda-8). - To learn more about mapping rules, see [Mapping rules](/components/concepts/access-control/mapping-rules.md). - To configure additional authorizations, see [Orchestration Cluster authorization](/components/concepts/access-control/authorizations.md). - To use an external IdP without the internal Keycloak, see [Set up the Helm chart with an external OIDC provider](/self-managed/deployment/helm/configure/authentication-and-authorization/external-oidc-provider.md). From 01616bdd42d2b5bb69a2a8460493885297765e0a Mon Sep 17 00:00:00 2001 
From: Balazs Kenez <96087935+bkenez@users.noreply.github.com> Date: Mon, 8 Dec 2025 08:54:23 +0100 Subject: [PATCH 11/11] docs: simplify OC Identity config to use direct group authorization --- .../external-idp-via-internal-keycloak.md | 21 +++---------------- .../external-idp-via-internal-keycloak.md | 21 +++---------------- 2 files changed, 6 insertions(+), 36 deletions(-) diff --git a/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md index c8a68af966d..c918d3df599 100644 --- a/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md +++ b/docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md 
@@ -83,31 +83,16 @@ Create a mapper to assign federated users to this group: External IdP users can now authenticate, but require authorization to access Camunda components. -:::tip Alternative: Direct group authorization -If you have configured the groups claim feature (`orchestration.security.authentication.oidc.groups-claim`), you can create authorizations directly for the `external-idp-users` group without creating mapping rules. This is enabled by default when using the internal Keycloak with the Helm chart. Navigate to **Authorizations** > **Component** > **Create authorization**, select **Owner type**: `Group`, and **Owner ID**: `external-idp-users`. -::: - Log in to **Orchestration Cluster Identity** as an administrator. -#### Create a mapping rule - -Create a mapping rule to identify external IdP users: - -1. Navigate to **Mapping Rules** > **Create a mapping rule**. -1. Configure the mapping rule: - - **Mapping Rule ID**: `external-idp-users-rule` - - **Mapping Rule name**: `External IdP Users` - - **Claim name**: `groups` - - **Claim value**: `external-idp-users` - #### Grant component access -Grant access to Orchestration Cluster components: +Grant access to Orchestration Cluster components for the external IdP users group: 1. Navigate to **Authorizations** > select **Component** > **Create authorization**. 1. Configure the authorization: - - **Owner type**: `Mapping rule` - - **Owner ID**: `external-idp-users-rule` + - **Owner type**: `Group` + - **Owner ID**: `external-idp-users` - **Resource ID**: `*` - **Permissions**: `ACCESS` diff --git a/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md index c8a68af966d..c918d3df599 100644 
--- a/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md +++ b/versioned_docs/version-8.8/self-managed/deployment/helm/configure/authentication-and-authorization/external-idp-via-internal-keycloak.md @@ -83,31 +83,16 @@ Create a mapper to assign federated users to this group: External IdP users can now authenticate, but require authorization to access Camunda components. -:::tip Alternative: Direct group authorization -If you have configured the groups claim feature (`orchestration.security.authentication.oidc.groups-claim`), you can create authorizations directly for the `external-idp-users` group without creating mapping rules. This is enabled by default when using the internal Keycloak with the Helm chart. Navigate to **Authorizations** > **Component** > **Create authorization**, select **Owner type**: `Group`, and **Owner ID**: `external-idp-users`. -::: - Log in to **Orchestration Cluster Identity** as an administrator. -#### Create a mapping rule - -Create a mapping rule to identify external IdP users: - -1. Navigate to **Mapping Rules** > **Create a mapping rule**. -1. Configure the mapping rule: - - **Mapping Rule ID**: `external-idp-users-rule` - - **Mapping Rule name**: `External IdP Users` - - **Claim name**: `groups` - - **Claim value**: `external-idp-users` - #### Grant component access -Grant access to Orchestration Cluster components: +Grant access to Orchestration Cluster components for the external IdP users group: 1. Navigate to **Authorizations** > select **Component** > **Create authorization**. 1. Configure the authorization: - - **Owner type**: `Mapping rule` - - **Owner ID**: `external-idp-users-rule` + - **Owner type**: `Group` + - **Owner ID**: `external-idp-users` - **Resource ID**: `*` - **Permissions**: `ACCESS`
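Review bot: The deleted tip was the only place stating the precondition for Owner type `Group` to match, that the Orchestration Cluster is configured with a groups claim and the federated user's token carries `external-idp-users` in it; after this change a reader on a cluster without that claim creates an authorization that silently never applies. Add a one-line prerequisite before "Grant component access", plus a check (decode a federated user's token and confirm the `groups` claim lists `external-idp-users`). Also, `Resource ID: *` with `ACCESS` gives every user who authenticates through the external IdP access to every Orchestration Cluster component; that follows from the hardcoded group mapper, but say it here, since the "all users" note added two commits earlier sits only in the Management Identity section.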