How to Access Identity UI in Camunda 8.8 (Identity vs Management Identity)

Hi everyone,

I am currently building a Camunda 8.8 environment using Docker containers.
Our setup includes:

  • Orchestration (Zeebe + Operate + Tasklist bundled)

  • Identity

  • Keycloak

  • PostgreSQL

  • Elasticsearch

Camunda version: 8.8
Authentication method: OIDC
(We intend to use Keycloak only for user authentication, while groups/roles/permissions will be managed in Camunda Identity.)


About Identity and Management Identity in Camunda 8.8

According to the official documentation:
“What’s new in Camunda 8.8”
https://docs.camunda.io/docs/reference/announcements-release-notes/880/whats-new-in-88/#identity-and-management-identity

It seems that Camunda 8.8 introduced two modes:

  1. Identity
    → Used for permission management related to Orchestration components (Operate, Tasklist, Zeebe).

  2. Management Identity
    → Used for Web Modeler, Console, Optimize, and other management-level permissions.

If my understanding is incorrect, please correct me.


My Questions

1. How are these two modes supposed to be used?

Is there a recommended or official way to choose between Identity vs Management Identity?

2. What are the correct access URLs for each?

Currently, when I open:

http://[IP]:8084

it always displays the Management Identity UI.

But I want to access the Identity UI to configure permissions for Orchestration.

How can I access the Orchestration-focused Identity UI in version 8.8?


Container Status

# docker ps
CONTAINER ID   IMAGE                 COMMAND                   CREATED          STATUS                    PORTS
5539e7c23f34   identity_image        "java -jar identity.…"   4 minutes ago    Up 4 minutes (healthy)    0.0.0.0:8084->8084/tcp
3164536d86ac   orchestration_image   "tini -- /usr/local/…"   38 minutes ago   Up 37 minutes (healthy)   0.0.0.0:8088->8080/tcp
3b5095565e07   elasticsearch_image   "/bin/tini -- /usr/l…"   38 minutes ago   Up 38 minutes (healthy)   0.0.0.0:9200->9200/tcp
724df24fc04a   keycloak_image        "/opt/bitnami/script…"   58 minutes ago   Up 58 minutes (healthy)   0.0.0.0:18080->18080/tcp
2719996fcd79   postgres_image        "docker-entrypoint.s…"   58 minutes ago   Up 58 minutes (healthy)   5432/tcp


Any clarification would be greatly appreciated.
Thank you in advance!

Hi,

If you don’t run any of the management components (Web Modeler, Console, Optimize), then you don’t need to run Management Identity. Management Identity is not required for running the Orchestration Cluster. It does some setup of the Keycloak realm and OIDC clients, depending on your config, but you can also do that manually or by writing your own script.

The other Identity, aka Orchestration Cluster Identity, is directly included in the Orchestration Cluster deployment. You can access it from your browser via <base url of OC>/identity, so http://localhost:8080/identity in a standard local setup.

Cheers,
Thorben
