Integrating Organization Directory for Users but Managing Groups Locally in Camunda 7 (Spring Project)

reddyn564 · May 19, 2025, 6:32am

Hi everyone,

I’m new to Camunda and currently working on migrating our workflow system from jBPM to Camunda 7, using a Spring-based project.

In our setup, we use our organization’s directory (e.g., LDAP Directory) for managing user entitlements. I would like to sync users from our organization directory into Camunda, but at the same time, I want to manage groups locally within Camunda — meaning that the groups I create in Camunda should not be synced or overridden by the organization directory.

Is this kind of setup possible in Camunda 7? If so, could you please guide me on how to configure this properly in a Spring application?

rohwerj · May 19, 2025, 8:06am

Hi @reddyn564 and welcome.

This is not supported out of the box, but you can implement that yourself using the IdentityProvider interface.
See here for documentation:

And e.g. the OAuth2IdentityProvider already implements the db identity provider as a fallback:

github.com

camunda/camunda-bpm-platform/blob/7b5c8cd119017215a5ff93caea814ea24a9359da/spring-boot-starter/starter-security/src/main/java/org/camunda/bpm/spring/boot/starter/security/oauth2/impl/OAuth2IdentityProvider.java

/*
 * Copyright Camunda Services GmbH and/or licensed to Camunda Services GmbH
 * under one or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information regarding copyright
 * ownership. Camunda licenses this file to you under the Apache License,
 * Version 2.0; you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.camunda.bpm.spring.boot.starter.security.oauth2.impl;

import org.camunda.bpm.engine.identity.Group;
import org.camunda.bpm.engine.identity.GroupQuery;

This file has been truncated. show original

reddyn564 · June 2, 2025, 6:46pm

Hi Camunda Team,
I’m currently trying out the solution mentioned above. Looking ahead, if we plan to migrate to Camunda 8 in the near future, could you please confirm whether this feature is also available there?

Thank you!

rohwerj · June 2, 2025, 7:12pm

Hi @reddyn564.

In Camunda8 the identity component takes care of authentication and authorization.

As such it’s based on an OIDC flow for authentication and can e.g. connect to a keycloak instance (or another OIDC provider).

system · August 31, 2025, 7:13pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.