Helm chart authentication and authorization configuration
Camunda 8 Self-Managed supports multiple authentication methods for securing access to components deployed with the Helm chart. This section provides an overview of available authentication options and links to configuration guides for each method.
Overview
By default, Camunda uses basic authentication with predefined demo users. Alternatively, you can configure OpenID Connect (OIDC) authentication, either through an internal Keycloak instance deployed with Camunda or an external OIDC provider.
Authentication options
| Method | Description | Recommended for |
|---|---|---|
| Basic authentication | Default authentication with preconfigured demo users. No external identity provider (IdP) required. | Local development and testing, as well as smaller-scale production setups |
| Internal Keycloak | Deploys a Keycloak pod with the Helm release, preconfigured by Management Identity. | Small teams or self-contained environments |
| External OIDC provider | Integrates Camunda with external IdPs such as Microsoft Entra ID or Okta via OpenID Connect. | Existing enterprise identity infrastructure |
Limitations of OIDC setups
Due to technical limitations regarding third-party content, front-channel single sign-out is not supported. This means that when a user logs out of one component, they are not logged out of the OIDC provider or of the other components.