Version: 8.8 (unreleased)

Authentication to Orchestration Cluster on Self-Managed

Authentication to the Orchestration Cluster components and their resources is managed by Identity. The Orchestration Cluster includes Zeebe, Operate, Tasklist, and the Orchestration Cluster API.

Camunda 8's Orchestration Cluster supports two authentication methods:

Comparison of authentication methods

Method               | API access            | Web UI access         | User management
Basic authentication | Username and password | Username and password | Via Identity
OIDC                 | OAuth 2.0 (via IdP)   | OIDC (via IdP)        | Via external Identity Provider

Additionally, an Unprotected API mode is available for development purposes, which can be applied to either method.

Basic authentication

With Basic Authentication, Orchestration Cluster components are protected with a username and password. User management is handled within the built-in Identity service.

This is the default authentication method for all installation options: Camunda 8 Run, Docker Compose, Helm charts, and manual installation.

Example configuration

CAMUNDA_SECURITY_AUTHENTICATION_METHOD=basic

Security considerations

While basic authentication provides a simple layer of protection suitable for development or testing environments, it has several security limitations:

  • No multi-factor authentication (MFA): Basic authentication does not support MFA, so a single leaked or guessed password is enough to gain access. This increases the risk from credential stuffing attacks, where attackers replay credentials stolen from other services.
  • No account locking: The system does not lock accounts after repeated failed login attempts, so an attacker can guess passwords repeatedly without being blocked (brute-force attacks).
  • Insecure password recovery: Recovering an administrator password requires direct manual intervention in the system, which is error-prone and can weaken the deployment.
  • No single sign-on (SSO): Without SSO, users maintain separate credentials for the cluster, which raises the likelihood of weak or reused passwords.

Mitigation and recommendations

For a secure, production-ready setup, we strongly recommend using OIDC. OIDC delegates authentication to a dedicated Identity Provider (IdP), allowing you to leverage advanced security features like MFA, SSO, and password policies.

OIDC

With OIDC, authentication is delegated to an external Identity Provider (IdP) using OpenID Connect (OIDC). This is the recommended method for production environments.

Using OIDC provides several security benefits:

  • Centralized user management: Manage all users and their access from a single, central IdP.
  • Single Sign-On (SSO): Provide a seamless login experience for your users across multiple applications.
  • Enhanced security: Enforce MFA, password rotation policies, and other advanced security measures offered by your IdP.
tip

For the details, see the guide on how to connect Orchestration Cluster Identity to an external IdP.

Example configuration

CAMUNDA_SECURITY_AUTHENTICATION_METHOD=oidc

When the OIDC authentication method is enabled, additional configuration values must be set. See the supported OIDC configuration properties for the details.

Unprotected API mode

In this mode, the APIs accept requests without any authentication. It can be enabled together with either Basic Authentication or OIDC.

By default, Camunda 8 Run and Docker Compose are configured in the unprotected API mode for a quick start with local development.

This mode should never be used in production environments.

note

If you need to use authorizations for access control, you must protect APIs by disabling the unprotected API mode. To learn more, see the documentation on Orchestration Cluster authorization.

Example configuration

CAMUNDA_SECURITY_AUTHENTICATION_UNPROTECTEDAPI=true
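The following pre-deployment check is an added example for this page, not code from Camunda. It evaluates the two environment variables documented above, CAMUNDA_SECURITY_AUTHENTICATION_METHOD and CAMUNDA_SECURITY_AUTHENTICATION_UNPROTECTEDAPI, and reports what a reviewer would flag before a cluster is exposed to real users: basic authentication in production, unprotected API mode, and an unset unprotected-API flag whose effective value depends on the distribution. The severities, finding codes, the `production` flag and the sample environments are conventions of this example; the IdP-specific OIDC properties the page refers to are not known here and are not checked.

```python
"""Audit Camunda Orchestration Cluster authentication settings before rollout.

Added example for this page, not code from Camunda. Severities, finding codes
and the `production` flag are this example's own conventions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Mapping

METHOD_VAR = "CAMUNDA_SECURITY_AUTHENTICATION_METHOD"
UNPROTECTED_VAR = "CAMUNDA_SECURITY_AUTHENTICATION_UNPROTECTEDAPI"
VALID_METHODS = ("basic", "oidc")


@dataclass(frozen=True)
class Finding:
    severity: str  # "CRITICAL", "WARN" or "INFO" (this example's scale)
    code: str
    message: str


def parse_bool(value: str | None) -> bool | None:
    """Map a boolean-ish string to True/False; None if unset or unparsable."""
    if value is None:
        return None
    v = value.strip().lower()
    if v in ("true", "1", "yes", "on"):
        return True
    if v in ("false", "0", "no", "off"):
        return False
    return None


def audit(env: Mapping[str, str], production: bool) -> list[Finding]:
    """Return findings for the authentication-related variables in `env`.

    `production` says whether this environment serves real users; the page's
    guidance is stricter there (OIDC, protected APIs).
    """
    findings: list[Finding] = []

    raw_method = env.get(METHOD_VAR)
    method = (raw_method or "basic").strip().lower()  # page: basic is the default
    if method not in VALID_METHODS:
        findings.append(Finding("CRITICAL", "UNKNOWN_METHOD",
                                f"{METHOD_VAR}={raw_method!r} is not one of {VALID_METHODS}"))
    elif method == "basic" and production:
        findings.append(Finding("WARN", "BASIC_AUTH_IN_PRODUCTION",
                                "Basic authentication has no MFA, no account lockout and no "
                                "SSO; switch to oidc and delegate to an IdP"))

    unprotected = parse_bool(env.get(UNPROTECTED_VAR))
    if unprotected is None:
        findings.append(Finding("INFO", "UNPROTECTED_API_UNSET",
                                f"{UNPROTECTED_VAR} is unset or unparsable; Camunda 8 Run and "
                                "Docker Compose enable unprotected mode by default, so set "
                                "it to false explicitly"))
    elif unprotected:
        findings.append(Finding("CRITICAL" if production else "WARN", "UNPROTECTED_API",
                                "APIs accept requests without credentials and authorizations "
                                f"cannot be enforced; set {UNPROTECTED_VAR}=false"))
    return findings


def harden(env: Mapping[str, str]) -> dict[str, str]:
    """Return a copy of `env` with the page's production recommendations applied.

    OIDC additionally needs the IdP-specific properties the page refers to;
    they are not known here, so only the two documented variables are set.
    """
    fixed = dict(env)
    fixed[METHOD_VAR] = "oidc"
    fixed[UNPROTECTED_VAR] = "false"
    return fixed


# Constructed sample environments (not taken from any real deployment).
DEV_ENV = {METHOD_VAR: "basic", UNPROTECTED_VAR: "true"}   # typical local quick start
PROD_ENV = {METHOD_VAR: "oidc", UNPROTECTED_VAR: "false"}

if __name__ == "__main__":
    cases = (("dev", DEV_ENV, False), ("dev-as-prod", DEV_ENV, True), ("prod", PROD_ENV, True))
    for name, env, prod in cases:
        print(f"== {name} (production={prod})")
        for f in audit(env, production=prod):
            print(f"  [{f.severity}] {f.code}: {f.message}")
    print("== hardened dev env:", harden(DEV_ENV))
```

Run the script against the environment file of a deployment before promoting it; the "dev-as-prod" case shows the quick-start defaults failing both checks, while `harden` produces the two settings a production cluster should carry, with the remaining OIDC properties still to be supplied from the IdP guide.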