OIDC Authentication: Is it possible to grant permissions to Keycloak users from the Identity UI?

We are currently conducting functional tests of Camunda in preparation for a commercial deployment.

Our environment is based on Docker containers and includes:

  • Orchestration (Zeebe, Operate, Tasklist, Identity bundled)

  • Keycloak

  • PostgreSQL

  • Elasticsearch

Camunda version: 8.8

Our plan is to use the OIDC authentication method, meaning user authentication will be handled by Keycloak, while group and role management will be handled by Camunda Identity.

As I understand it, with OIDC authentication, once the user is authenticated via Keycloak, Keycloak is no longer involved. Therefore, I assume that the Identity UI cannot reference Keycloak users.

However, is it possible to view Keycloak users in the Identity UI and assign permissions to them?

Hi @camundaman12345

Camunda identity is not tightly coupled with the identity provider.

Users and groups are handled as simple strings when creating resource authorizations.

Claims from the access token are used to identify the user's username and (optionally) groups, for easier assignment and management.

Below is how to make groups available for role, authorization, and tenant assignment.

https://docs.camunda.io/docs/self-managed/components/orchestration-cluster/identity/connect-external-identity-provider/#optional-step-8-configure-bring-your-own-groups

Below is how to use mapping rules for more advanced scenarios.

https://docs.camunda.io/docs/self-managed/components/orchestration-cluster/identity/connect-external-identity-provider/#optional-step-9-mapping-rules

And below is how to create and manage your Orchestration Cluster authorizations.

https://docs.camunda.io/docs/components/identity/authorization/
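The following Python is an added example, not part of the original thread and not Camunda's own code. It shows what "users and groups are simple strings" means in practice: the username and group claims are pulled out of the access token, and an authorization matches only when its `ownerId` string is exactly equal to one of those claim values. The claim names (`preferred_username`, `groups`), the group paths with a leading `/` (Keycloak's group-membership mapper emits the full path by default), the permission names and the shape of the authorization records are all assumptions chosen for illustration; the token is constructed inline and its signature is deliberately not verified, which a real deployment must do before trusting any claim.

```python
import base64
import json

# Assumed claim names; in a real cluster these must match the configured
# username and groups claims, whatever they are called.
USERNAME_CLAIM = "preferred_username"
GROUPS_CLAIM = "groups"


def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment):
    padding = "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment + padding))


def build_unsigned_token(payload):
    """Constructed, unsigned JWT for the example only (no real Keycloak token)."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{b64url_encode(header)}.{b64url_encode(payload)}."


def principal_from_token(token, username_claim=USERNAME_CLAIM, groups_claim=GROUPS_CLAIM):
    """Return (username, groups) as plain strings, which is all the cluster keeps.

    Signature and expiry checks are intentionally omitted here; never do that
    with a token you did not construct yourself.
    """
    claims = b64url_decode(token.split(".")[1])
    if username_claim not in claims:
        raise ValueError(f"token has no '{username_claim}' claim; check the configured username claim")
    groups = claims.get(groups_claim, [])
    if isinstance(groups, str):
        groups = [groups]
    return claims[username_claim], list(groups)


# Constructed authorizations. ownerId is a bare string; nothing here points back
# at a Keycloak user or group object. Permission names are illustrative.
AUTHORIZATIONS = [
    {"ownerType": "USER", "ownerId": "alice", "resourceType": "PROCESS_DEFINITION",
     "resourceId": "*", "permissionTypes": ["READ_PROCESS_DEFINITION"]},
    {"ownerType": "GROUP", "ownerId": "/camunda-admins", "resourceType": "PROCESS_DEFINITION",
     "resourceId": "*", "permissionTypes": ["READ_PROCESS_DEFINITION", "CREATE_PROCESS_INSTANCE"]},
    {"ownerType": "USER", "ownerId": "bob", "resourceType": "PROCESS_DEFINITION",
     "resourceId": "order-process", "permissionTypes": ["CREATE_PROCESS_INSTANCE"]},
]


def is_authorized(username, groups, resource_type, resource_id, permission, authorizations=AUTHORIZATIONS):
    """Exact, case-sensitive string matching of the principal against ownerId."""
    owners = {("USER", username)} | {("GROUP", g) for g in groups}
    for auth in authorizations:
        if (auth["ownerType"], auth["ownerId"]) not in owners:
            continue
        if auth["resourceType"] != resource_type:
            continue
        if auth["resourceId"] not in ("*", resource_id):
            continue
        if permission in auth["permissionTypes"]:
            return True
    return False


def demo():
    """Walk one constructed token through claim extraction and a permission check."""
    token = build_unsigned_token({
        "sub": "constructed-subject-id",
        USERNAME_CLAIM: "alice",
        GROUPS_CLAIM: ["/camunda-admins", "/finance"],
    })
    username, groups = principal_from_token(token)
    allowed = is_authorized(username, groups, "PROCESS_DEFINITION", "order-process", "CREATE_PROCESS_INSTANCE")
    return username, groups, allowed


if __name__ == "__main__":
    print(demo())
```

Two practical consequences fall out of the string matching: a group granted as `/camunda-admins` does nothing for a token whose mapper emits `camunda-admins` without the path prefix, and a username authorization for `alice` does not match a token carrying `Alice`. Check the raw claims of a real token against the `ownerId` values you created before concluding that authorizations are not being applied.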

Thank you for your response. I will close.
