Camunda integration with Azure Entra

Dear All,

With the new version of Camunda (8.5), Azure Entra became a supported OIDC Identity Provider. In case of using this Entra Identity Provider, where will the role/tenant mapping rules be stored? Is it necessary to set up a dedicated database for it? If yes, how can it be managed from the point of view of the Helm chart?

Thanks a lot.

Hi @tech_a - Identity manages the mapping rules and stores them in its database. Identity uses Postgres, as described here. The Helm charts already include a Postgres configuration for Identity by default (see here, and scroll up for information about connecting to an existing Postgres database).

Thanks for your hint @nathan.loding. We use an independent/separate Keycloak for Camunda (that Keycloak of course uses a PostgreSQL database); Identity writes to this Keycloak but does not use PostgreSQL.
What about when we change to Azure Entra? Is it not necessary to use PostgreSQL, just Azure Entra?

@tech_a - Identity uses Postgres, it’s a requirement whether you’re running Keycloak or not. I think the specific usage of the database may change depending on your OIDC provider, but it’s still required. However, if you’re just connecting Entra as a provider in Keycloak then you don’t need to do anything different with Identity.

@nathan.loding But for me, from the point of view of the Helm chart, neither identityKeycloak nor identityPostgresql is enabled. Only identity.keycloak.url is filled (external Keycloak), so there is no PostgreSQL for Identity directly.
Only Keycloak and Web Modeler have PostgreSQL.
But okay, as of my understanding, when changing from Keycloak to Entra there are no additional tasks in the database field.

@tech_a - I’m not sure what you’re asking. Regardless of your current setup, Identity requires a Postgres database if you’re going to switch from Keycloak to Entra. Or, you can keep your current setup and add Entra as a provider inside Keycloak.

@nathan.loding Oh, maybe you are thinking about this part of the chart, which I did not use until now but should:

  ## External PostgreSQL configuration
  ## All of these values are only used when postgresql.enabled is set to false
  ## @param identity.externalDatabase.enabled
  ## @param identity.externalDatabase.host Database host
  ## @param identity.externalDatabase.port Database port number
  ## @param identity.externalDatabase.username Non-root username
  ## @param identity.externalDatabase.password Password for the non-root username
  ## @param identity.externalDatabase.database The database name
  ## @param identity.externalDatabase.existingSecret Name of an existing secret resource containing the database credentials
  ## @param identity.externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database credentials
  ##
  externalDatabase:
    enabled: false
    host:
    port:
    username:
    database:
    password:
    existingSecret:
    existingSecretPasswordKey:

And I should use PostgreSQL for Identity… :slight_smile:

@tech_a - that is if you want to use an existing Postgres database, rather than deploying a new one. By default the Helm charts deploy a Postgres database for Identity.
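As an added illustration (this is not from the thread and not Camunda's own documentation), here is a values.yaml fragment showing the two ways the thread discusses of giving Identity its Postgres database: the chart's bundled instance, or an existing one configured through identity.externalDatabase. The externalDatabase keys are the ones quoted above; the host name, the Secret name and the global.identity.auth.type value used to select Entra as the OIDC provider are assumptions for the example. The point a practitioner should take from it is to keep the database password out of values.yaml by using existingSecret rather than the inline password key.

```yaml
# Added example, not code from the thread or the Camunda project.
# values.yaml fragment for the Camunda Helm chart: Identity backed by an
# existing PostgreSQL, with Azure Entra as the OIDC provider.

# Option A (chart default): let the chart deploy a Postgres for Identity.
# Nothing under identity.externalDatabase is read in this case.
# identityPostgresql:
#   enabled: true

# Option B: existing PostgreSQL. Disable the bundled instance first, because
# the externalDatabase values are only used when it is disabled.
identityPostgresql:
  enabled: false

# With Entra as the IdP there is no bundled Keycloak to deploy either.
identityKeycloak:
  enabled: false

global:
  identity:
    auth:
      type: MICROSOFT          # assumption: value selecting Entra in the chart

identity:
  externalDatabase:
    enabled: true
    host: identity-db.example.internal   # assumption: your Postgres host
    port: 5432
    username: identity                   # non-root role owning only this DB
    database: identity
    # Weak form, avoided here: an inline password would land in values.yaml,
    # in Helm release history and in every rendered manifest.
    # password: "s3cr3t"
    # Preferred: reference a Secret created out of band, e.g.
    #   kubectl create secret generic identity-db-credentials \
    #     --from-literal=password='...'
    existingSecret: identity-db-credentials   # assumption: Secret name
    existingSecretPasswordKey: password
```

Because the chart ignores identity.externalDatabase while the bundled Postgres is enabled, the two blocks are mutually exclusive: leaving identityPostgresql.enabled at its default of true silently discards the external settings, which is the situation the thread ends on.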
