Management Identity
The Management Identity component in Camunda 8 Self-Managed is used to manage authentication, access, and authorization for components outside the Orchestration Cluster (Console, Web Modeler, and Optimize).
Management Identity is separate from the Identity component within the Orchestration Cluster, which handles authentication for Zeebe, Operate, Tasklist, and the Orchestration Cluster API.
Management Identity is included by default in the Docker Compose and Helm chart deployments of Camunda 8 Self-Managed, and is configured by default to use a packaged Keycloak instance as an identity provider (IdP).
- Administrators can use Management Identity to manage users, groups, roles, permissions, and applications within the Camunda 8 platform.
- Management Identity supports both users (interacting via Camunda web components) and applications (interacting via Camunda APIs, such as job workers) with secure authorization based on OAuth 2.0 standards.
- Users can log in to Camunda 8 web components via an IdP login page. Applications can authenticate via machine-to-machine (M2M) tokens.
- You can choose to integrate Management Identity with an external OIDC provider, connect to an existing Keycloak instance, or configure an external IdP using Keycloak.
Get started
If you're new to Management Identity, learn how to access and log in to the Management Identity UI.
Core concepts
Learn about the core concepts of Management Identity.
Authentication
Management Identity supports two types of authentication:
- Web login: Users access web applications through an IdP login page.
- Machine-to-machine (M2M): Applications authenticate using tokens for API access.
Both methods use the OAuth 2.0 protocol for secure authentication.
User, group, role, and application management
Organize and control access using a role-based access control (RBAC) model.
Access management
Control who can access what by assigning permissions through roles.
Multi-tenancy
Isolate data and access in Optimize between different customers or business units by organizing resources into tenants. This is effective only if you have multi-tenancy checks enabled for your Orchestration Cluster.
Mapping rules
Automatically assign roles and tenants to users based on information in their authentication tokens (JWT claims). This enables dynamic access control when integrating with external identity providers.
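The following is an added illustration of how claim-based mapping works in principle; it is not Management Identity's own code. It assumes a simplified rule model (one claim name, one expected claim value, and the roles and tenants to grant on a match), a constructed HS256 token signed with a constructed shared secret (a real IdP such as Keycloak would typically issue RS256 tokens verified against its public keys), and constructed role and tenant names. The point it makes for a practitioner is that mapping rules only ever run over claims from a token whose signature has already been verified, and that a rule's claim value is compared exactly, with list-valued claims (such as a groups claim) matched by membership.

```python
"""Illustrative mapping-rule evaluation over verified JWT claims.

Added example, not Camunda code. The rule model, the HS256 secret and the
role/tenant names below are all constructed for this demonstration.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT. Used here only to construct a sample token offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the token's claims only if the signature verifies; raise otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


@dataclass(frozen=True)
class MappingRule:
    """Hypothetical rule shape: grant roles/tenants when claim_name carries claim_value."""
    claim_name: str
    claim_value: str
    roles: frozenset = frozenset()
    tenants: frozenset = frozenset()


def claim_matches(claims: dict, rule: MappingRule) -> bool:
    """Exact match for scalar claims; membership for list-valued claims such as groups."""
    value = claims.get(rule.claim_name)
    if isinstance(value, list):
        return rule.claim_value in value
    return value == rule.claim_value


def apply_mapping_rules(claims: dict, rules) -> tuple:
    """Union the roles and tenants of every rule whose claim condition is satisfied."""
    roles, tenants = set(), set()
    for rule in rules:
        if claim_matches(claims, rule):
            roles |= rule.roles
            tenants |= rule.tenants
    return roles, tenants


# Constructed secret and rules for the demonstration.
SECRET = b"constructed-demo-secret"
RULES = (
    MappingRule("groups", "finance-admins",
                roles=frozenset({"optimize-admin"}), tenants=frozenset({"finance"})),
    MappingRule("department", "sales", tenants=frozenset({"sales"})),
)


def resolve_access(token: str, secret: bytes = SECRET, rules=RULES) -> tuple:
    """Verify first, map second: unverified claims never reach the rule engine."""
    claims = verify_hs256(token, secret)
    return apply_mapping_rules(claims, rules)


# Constructed sample token: a user in two groups and one department.
SAMPLE_TOKEN = sign_hs256(
    {"sub": "alice", "groups": ["finance-admins", "everyone"], "department": "sales"}, SECRET
)

# Constructed tampered token: payload swapped, original signature kept.
_h, _p, _s = SAMPLE_TOKEN.split(".")
TAMPERED_TOKEN = f"{_h}.{_b64url_encode(json.dumps({'sub': 'mallory', 'groups': ['finance-admins']}).encode())}.{_s}"

if __name__ == "__main__":
    print(resolve_access(SAMPLE_TOKEN))
    try:
        resolve_access(TAMPERED_TOKEN)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the block prints the roles and tenants resolved for the sample user, then shows the tampered token being rejected before any rule is evaluated. The ordering in `resolve_access` is the part worth keeping in mind when integrating an external IdP: rules are only as trustworthy as the signature check and algorithm pinning that precede them.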