How to disable automatic creation of the camunda-platform realm in Camunda Identity and force usage of external realm qportal?

I’m integrating Camunda Identity with an external Keycloak instance, where I already have a custom realm (qportal) configured with all necessary resources. My environment includes:
IDENTITY_KEYCLOAK_REALM=qportal
IDENTITY_KEYCLOAK_CREATE_REALM=false
CAMUNDA_IDENTITY_TYPE=KEYCLOAK
IDENTITY_AUTH_PROVIDER_ISSUER_URL=https://keycloak-dev.att/keycloak/realms/qportal
IDENTITY_AUTH_PROVIDER_BACKEND_URL=https://keycloak-dev.att/keycloak/realms/qportal
IDENTITY_AUTH_PROVIDER_CLIENT_ID=camunda-identity
IDENTITY_AUTH_PROVIDER_CLIENT_SECRET=client-secret

Despite these settings, Identity still attempts to use the default realm camunda-platform. If I pre-create the camunda-identity client in qportal, Identity throws a 409 Conflict. If I remove the client, I get a 401 Unauthorized, indicating it may not actually be pointing to qportal as expected.
Reviewing the container setup, it seems the realm creation logic is hard-coded into the identity.jar. Is there any official way to prevent Identity from auto-creating the default realm and resources, and ensure it strictly uses the external realm I provide?

Hi @Nayuovga, welcome to the forums! What version of Camunda are you using? And how have you deployed it? (Helm, Docker, C8 Run, etc.)

Hi, thanks for your reply.
I’m using Camunda 8, version 8.8.0-alpha6, deployed via Docker Compose, along with an external Keycloak.

@Nayuovga - can you share your docker-compose.yaml file? (with any secrets redacted, of course!)

identity:
    container_name: identity
    image: camunda/identity:${CAMUNDA_IDENTITY_VERSION}
    ports:
      - "8084:8084"
    environment:
      - SERVER_PORT=8084
      - IDENTITY_URL=https://my-host/identity
      - IDENTITY_RETRY_DELAY_SECONDS=30
      - KEYCLOAK_URL=https://my-keycloak/keycloak
      - IDENTITY_AUTH_PROVIDER_ISSUER_URL=https://my-keycloak/keycloak/realms/qportal
      - IDENTITY_AUTH_PROVIDER_BACKEND_URL=https://my-keycloak/keycloak/realms/qportal
      - IDENTITY_AUTH_PROVIDER_CLIENT_ID=camunda-identity
      - IDENTITY_AUTH_PROVIDER_CLIENT_SECRET=my-secret
      - IDENTITY_KEYCLOAK_REALM=qportal
      - CAMUNDA_IDENTITY_TYPE=KEYCLOAK

      - LOGGING_LEVEL_ROOT=DEBUG
      - LOGGING_LEVEL_IO_CAMUNDA_IDENTITY=DEBUG
      - SPRING_LOGGING_LEVEL_ORG_APACHE_HTTP=TRACE
      - SPRING_LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_WEB_CLIENT=TRACE
      - SPRING_LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_WEB_CLIENT_REACTIVE=DEBUG
      - SPRING_LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_SECURITY_OAUTH2=DEBUG
      - SERVER_LOGGING_LEVEL=TRACE
      - logging.level.org.springframework.web.client.RestTemplate=DEBUG
      - logging.level.org.apache.http=DEBUG

      - "JAVA_TOOL_OPTIONS=-Djavax.net.ssl.trustStore=/opt/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.debug=ssl -Dlogging.level.io.camunda=DEBUG"
      - SPRING_WEB_FORWARD-HEADERS-STRATEGY=native

      - CAMUNDA_IDENTITY_SSO_SINGLE_SIGN_OUT_ENABLED="true"
      - MULTITENANCY_ENABLED=${MULTI_TENANCY_ENABLED}
      - RESOURCE_PERMISSIONS_ENABLED=${RESOURCE_AUTHORIZATIONS_ENABLED}
    restart: on-failure
    volumes:
      - ./truststore.jks:/opt/truststore.jks
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.identity.tls=true"
      - "traefik.http.routers.identity.service=identity"
      - "traefik.http.services.identity.loadbalancer.server.port=8084"
      - "traefik.http.routers.identity.rule=PathPrefix(`/identity`)"
      - "traefik.http.middlewares.identity-midl.stripprefix.prefixes=/identity"
      - "traefik.http.middlewares.identity-midl.stripprefix.forceSlash=False"
      - "traefik.http.routers.identity.middlewares=identity-midl"
    networks:
      - peering-dev
      - camunda-platform

Hi @Nayuovga - thanks for sharing the config. We noticed a couple things:

  • the IDENTITY_KEYCLOAK_REALM variable is incorrectly named; it should be KEYCLOAK_REALM (see step #12 here)
  • the IDENTITY_KEYCLOAK_CREATE_REALM variable is not supported

I suspect that if you rename that variable, it should work.
