Migration of Users, Groups, and Authorization from Camunda 7 to Keycloak / Identity

Hello everyone,

I am currently using Camunda 7 with LDAP for authentication. In my setup, LDAP handles user authentication, and then I store the user in Camunda and assign them to the appropriate groups (created within Camunda).

As I prepare to migrate to Camunda 8, I understand that Keycloak is recommended for identity and access management. My question is: how can I migrate my existing users, groups, and authorizations from my current setup to Keycloak / Identity?

Specifically, I would like to know the best practices or steps to transfer my user data, group memberships, and authorization policies to ensure a seamless transition.

Thanks in advance for your guidance!

@nfahem , According to the official Camunda 8 Identity migration docs:

Users, groups, memberships

• Camunda 8 does NOT migrate internally managed users, groups, or memberships from Camunda 7.

Recommended approach: Manage users and groups in your Identity Provider (Keycloak, Azure AD, etc.).

This means:

• Your existing LDAP‑synced users must be migrated to Keycloak (if you choose Keycloak).

• Group memberships must also be recreated or synced inside Keycloak.

Authorizations (permissions)

• Only some authorization types migrate.

• GRANT authorizations migrate.

• REVOKE and GLOBAL authorizations “will not be migrated”.