Problem: Camunda 8.5 Self-Managed Integration with Azure Entra ID without Keycloak

For the XX project “Proof of Concept Camunda 8.5,” we are attempting to create a prototype that demonstrates the integration of Camunda Identity with Azure Entra ID without using Keycloak.

I started with a minimal setup and only initiated the Identity Service in Camunda Compose, as it is independent of other services. I configured it exactly as described in the documentation Connect to an OpenID Connect provider | Camunda 8 Docs, but without Keycloak.

After starting Docker Compose, I see in the log that the following profile is active: “keycloak,” and that the Identity Service is waiting for a connection to Keycloak, even though we are not using Keycloak.

Can you assist us with this?

Below are the logs and the Docker Compose configuration:
version: '3.8'

services:
  identity:
    image: camunda/identity:${CAMUNDA_PLATFORM_VERSION}
    ports:
      - "8084:8084"
    environment:
      CAMUNDA_IDENTITY_TYPE: "MICROSOFT"
      CAMUNDA_IDENTITY_BASE_URL: http://${HOST}:8084
      CAMUNDA_IDENTITY_ISSUER: https://login.microsoftonline.com/${TENANT_ID}/v2.0
      CAMUNDA_IDENTITY_ISSUER_BACKEND_URL: https://login.microsoftonline.com/${TENANT_ID}/v2.0
      CAMUNDA_IDENTITY_CLIENT_ID: ${AZURE_AD_CLIENT_ID}
      CAMUNDA_IDENTITY_CLIENT_SECRET: ${AZURE_AD_CLIENT_SECRET}
      CAMUNDA_IDENTITY_AUDIENCE: ${AZURE_AD_CLIENT_ID}
      CAMUNDA_IDENTITY_INITIAL_CLAIM_NAME: oid
      CAMUNDA_IDENTITY_INITIAL_CLAIM_VALUE: "openid profile email"
      IDENTITY_AUTH_PROVIDER_GROUP_CLAIM: "groups"
      #IDENTITY_KEYCLOAK_ENABLED: false
      #SPRING_PROFILES_ACTIVE: "default"
    volumes:
      - ./keystore.jks:/etc/ssl/keystore.jks
    networks:
      - camunda-platform
      - identity-network

networks:
  camunda-platform:
    name: camunda-platform
  identity-network:
    name: identity-network

logs:

Last login: Thu Jul 25 13:01:42 2024 from 91.67.58.145
driss@ca-intra:~$ cd ssl-intraId/
driss@ca-intra:~/ssl-intraId$ docker ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
driss@ca-intra:~/ssl-intraId$ docker compose up --build
WARN[0000] /home/driss/ssl-intraId/docker-compose.yaml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion
WARN[0000] Found orphan containers ([postgres]) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
[+] Running 1/1
 ✔ Container ssl-intraid-identity-1  Recreated                                                                                                                                0.2s
Attaching to identity-1
identity-1  | Standard Commons Logging discovery in action with spring-jcl: please remove commons-logging.jar from classpath in order to avoid potential conflicts
identity-1  | SLF4J(W): Class path contains multiple SLF4J providers.
identity-1  | SLF4J(W): Found provider [ch.qos.logback.classic.spi.LogbackServiceProvider@7d9d1a19]
identity-1  | SLF4J(W): Found provider [org.apache.logging.slf4j.SLF4JServiceProvider@39c0f4a]
identity-1  | SLF4J(W): See https://www.slf4j.org/codes.html#multiple_bindings for an explanation.
identity-1  | SLF4J(I): Actual provider is of type [ch.qos.logback.classic.spi.LogbackServiceProvider@7d9d1a19]
identity-1  |
identity-1  |   .   ____          _            __ _ _
identity-1  |  /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
identity-1  | ( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
identity-1  |  \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
identity-1  |   '  |____| .__|_| |_|_| |_\__, | / / / /
identity-1  |  =========|_|==============|___/=/_/_/_/
identity-1  |  :: Spring Boot ::                (v3.1.9)
identity-1  |
identity-1  | 2024-07-26T09:46:53.928Z  INFO 1 --- [           main] io.camunda.identity.Application          : Starting Application using Java 17.0.10 with PID 1 (/app/identity.jar started by camunda in /app)
identity-1  | 2024-07-26T09:46:53.933Z  INFO 1 --- [           main] io.camunda.identity.Application          : The following 1 profile is active: "keycloak"
identity-1  | 2024-07-26T09:46:57.627Z  INFO 1 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'globalMethodSecurityConfig' of type [io.camunda.identity.security.config.GlobalMethodSecurityConfig$$SpringCGLIB$$0] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
identity-1  | 2024-07-26T09:46:58.494Z  INFO 1 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port(s): 8444 (https)
identity-1  | 2024-07-26T09:46:58.514Z  INFO 1 --- [           main] o.apache.catalina.core.StandardService   : Starting service [Tomcat]
identity-1  | 2024-07-26T09:46:58.515Z  INFO 1 --- [           main] o.apache.catalina.core.StandardEngine    : Starting Servlet engine: [Apache Tomcat/10.1.19]
identity-1  | 2024-07-26T09:46:58.623Z  INFO 1 --- [           main] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring embedded WebApplicationContext
identity-1  | 2024-07-26T09:46:58.625Z  INFO 1 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 4139 ms
identity-1  | Standard Commons Logging discovery in action with spring-jcl: please remove commons-logging.jar from classpath in order to avoid potential conflicts
identity-1  | 2024-07-26T09:46:58.795Z  WARN 1 --- [           main] ocalVariableTableParameterNameDiscoverer : Using deprecated '-debug' fallback for parameter name resolution. Compile the affected code with '-parameters' instead or avoid its introspection: io.camunda.identity.config.IdentityCommon
identity-1  | 2024-07-26T09:46:58.876Z  WARN 1 --- [           main] ocalVariableTableParameterNameDiscoverer : Using deprecated '-debug' fallback for parameter name resolution. Compile the affected code with '-parameters' instead or avoid its introspection: io.camunda.identity.security.spring.filter.FilterExceptionHandler
identity-1  | 2024-07-26T09:46:59.306Z  WARN 1 --- [           main] ocalVariableTableParameterNameDiscoverer : Using deprecated '-debug' fallback for parameter name resolution. Compile the affected code with '-parameters' instead or avoid its introspection: io.camunda.identity.impl.keycloak.config.record.KeycloakClient
identity-1  | 2024-07-26T09:47:00.589Z  INFO 1 --- [           main] o.s.b.a.w.s.WelcomePageHandlerMapping    : Adding welcome page: class path resource [static/index.html]
identity-1  | 2024-07-26T09:47:00.895Z  INFO 1 --- [           main] o.s.s.web.DefaultSecurityFilterChain     : Will secure any request with [org.springframework.security.web.session.DisableEncodeUrlFilter@61bfc9bf, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@2c7106d9, org.springframework.security.web.context.SecurityContextHolderFilter@4012d5bc, org.springframework.security.web.header.HeaderWriterFilter@4a2929a4, org.springframework.web.filter.CorsFilter@329bad59, io.camunda.identity.security.spring.filter.FilterExceptionHandler@4e73b552, org.springframework.security.web.authentication.logout.LogoutFilter@37045b48, io.camunda.identity.impl.sm.security.spring.filter.SmJwtFilter@6a0cbc6f, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@1cf0cacc, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@4f5b08d, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@862f408, org.springframework.security.web.access.ExceptionTranslationFilter@446626a7, org.springframework.security.web.access.intercept.AuthorizationFilter@4527f70a]
identity-1  | 2024-07-26T09:47:01.479Z  INFO 1 --- [           main] o.a.t.util.net.NioEndpoint.certificate   : Connector [https-jsse-nio-8444], TLS virtual host [_default_], certificate type [UNDEFINED] configured from keystore [/app/.keystore] using alias [tomcat] with trust store [null]
identity-1  | 2024-07-26T09:47:01.501Z  INFO 1 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port(s): 8444 (https) with context path ''
identity-1  | 2024-07-26T09:47:01.615Z  INFO 1 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port(s): 8082 (https)
identity-1  | 2024-07-26T09:47:01.617Z  INFO 1 --- [           main] o.apache.catalina.core.StandardService   : Starting service [Tomcat]
identity-1  | 2024-07-26T09:47:01.617Z  INFO 1 --- [           main] o.apache.catalina.core.StandardEngine    : Starting Servlet engine: [Apache Tomcat/10.1.19]
identity-1  | 2024-07-26T09:47:01.620Z  INFO 1 --- [           main] o.a.c.c.C.[Tomcat-1].[localhost].[/]     : Initializing Spring embedded WebApplicationContext
identity-1  | 2024-07-26T09:47:01.620Z  INFO 1 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 114 ms
identity-1  | Standard Commons Logging discovery in action with spring-jcl: please remove commons-logging.jar from classpath in order to avoid potential conflicts
identity-1  | 2024-07-26T09:47:01.638Z  INFO 1 --- [           main] o.s.b.a.e.web.EndpointLinksResolver      : Exposing 2 endpoint(s) beneath base path '/actuator'
identity-1  | 2024-07-26T09:47:01.709Z  INFO 1 --- [           main] o.a.t.util.net.NioEndpoint.certificate   : Connector [https-jsse-nio-8082], TLS virtual host [_default_], certificate type [UNDEFINED] configured from keystore [/app/.keystore] using alias [tomcat] with trust store [null]
identity-1  | 2024-07-26T09:47:01.738Z  INFO 1 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port(s): 8082 (https) with context path ''
identity-1  | 2024-07-26T09:47:01.758Z  INFO 1 --- [           main] io.camunda.identity.Application          : Started Application in 8.89 seconds (process running for 11.75)
identity-1  | 2024-07-26T09:47:01.961Z ERROR 1 --- [           main] i.c.i.i.k.config.KeycloakConfiguration   : Failure #1. Unable to connect to Keycloak.
identity-1  | 2024-07-26T09:47:31.963Z  WARN 1 --- [           main] i.c.i.i.k.config.KeycloakConfiguration   : Retrying...
identity-1  | 2024-07-26T09:47:31.966Z ERROR 1 --- [           main] i.c.i.i.k.config.KeycloakConfiguration   : Failure #2. Unable to connect to Keycloak.
identity-1  | 2024-07-26T09:48:01.966Z  WARN 1 --- [           main] i.c.i.i.k.config.KeycloakConfiguration   : Retrying...
identity-1  | 2024-07-26T09:48:01.970Z ERROR 1 --- [           main] i.c.i.i.k.config.KeycloakConfiguration   : Failure #3. Unable to connect to Keycloak.
^CGracefully stopping... (press Ctrl+C again to force)

And when I use the default profile, here is the log:


time="2024-08-01T09:43:59+02:00" level=warning msg="C:\\Users\\NajihDriss\\Desktop\\ca-ssl-intra\\camunda local\\docker-compose.yaml: `version` is obsolete"
[+] Running 3/3
 ✔ Network identity-network           Created                                                                      0.0s
 ✔ Network camunda-platform           Created                                                                      0.0s
 ✔ Container camundalocal-identity-1  Created                                                                      0.1s
Attaching to identity-1
identity-1  | Standard Commons Logging discovery in action with spring-jcl: please remove commons-logging.jar from classpath in order to avoid potential conflicts
identity-1  | SLF4J(W): Class path contains multiple SLF4J providers.
identity-1  | SLF4J(W): Found provider [ch.qos.logback.classic.spi.LogbackServiceProvider@7d9d1a19]
identity-1  | SLF4J(W): Found provider [org.apache.logging.slf4j.SLF4JServiceProvider@39c0f4a]
identity-1  | SLF4J(W): See https://www.slf4j.org/codes.html#multiple_bindings for an explanation.
identity-1  | SLF4J(I): Actual provider is of type [ch.qos.logback.classic.spi.LogbackServiceProvider@7d9d1a19]
identity-1  |
identity-1  |   .   ____          _            __ _ _
identity-1  |  /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
identity-1  | ( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
identity-1  |  \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
identity-1  |   '  |____| .__|_| |_|_| |_\__, | / / / /
identity-1  |  =========|_|==============|___/=/_/_/_/
identity-1  |  :: Spring Boot ::                (v3.1.9)
identity-1  |
identity-1  | 2024-08-01T07:44:02.329Z  INFO 1 --- [           main] io.camunda.identity.Application          : Starting Application using Java 17.0.10 with PID 1 (/app/identity.jar started by camunda in /app)
identity-1  | 2024-08-01T07:44:02.333Z  INFO 1 --- [           main] io.camunda.identity.Application          : The following 1 profile is active: "default"
identity-1  | 2024-08-01T07:44:04.531Z  INFO 1 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'globalMethodSecurityConfig' of type [io.camunda.identity.security.config.GlobalMethodSecurityConfig$$SpringCGLIB$$0] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
identity-1  | 2024-08-01T07:44:05.005Z  INFO 1 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port(s): 8080 (http)
identity-1  | 2024-08-01T07:44:05.021Z  INFO 1 --- [           main] o.apache.catalina.core.StandardService   : Starting service [Tomcat]
identity-1  | 2024-08-01T07:44:05.022Z  INFO 1 --- [           main] o.apache.catalina.core.StandardEngine    : Starting Servlet engine: [Apache Tomcat/10.1.19]
identity-1  | 2024-08-01T07:44:05.143Z  INFO 1 --- [           main] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring embedded WebApplicationContext
identity-1  | 2024-08-01T07:44:05.145Z  INFO 1 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 2723 ms
identity-1  | Standard Commons Logging discovery in action with spring-jcl: please remove commons-logging.jar from classpath in order to avoid potential conflicts
identity-1  | 2024-08-01T07:44:05.294Z  WARN 1 --- [           main] ocalVariableTableParameterNameDiscoverer : Using deprecated '-debug' fallback for parameter name resolution. Compile the affected code with '-parameters' instead or avoid its introspection: io.camunda.identity.config.IdentityCommon
identity-1  | 2024-08-01T07:44:05.373Z  WARN 1 --- [           main] ocalVariableTableParameterNameDiscoverer : Using deprecated '-debug' fallback for parameter name resolution. Compile the affected code with '-parameters' instead or avoid its introspection: io.camunda.identity.security.spring.filter.FilterExceptionHandler
identity-1  | 2024-08-01T07:44:05.732Z  WARN 1 --- [           main] ConfigServletWebServerApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'groupController' defined in URL [jar:file:/app/identity.jar!/BOOT-INF/classes!/io/camunda/identity/controller/GroupController.class]: Unsatisfied dependency expressed through constructor parameter 0: No qualifying bean of type 'io.camunda.identity.service.GroupService' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {}
identity-1  | 2024-08-01T07:44:05.738Z  INFO 1 --- [           main] o.apache.catalina.core.StandardService   : Stopping service [Tomcat]
identity-1  | 2024-08-01T07:44:05.780Z  INFO 1 --- [           main] .s.b.a.l.ConditionEvaluationReportLogger :
identity-1  |
identity-1  | Error starting ApplicationContext. To display the condition evaluation report re-run your application with 'debug' enabled.
identity-1  | 2024-08-01T07:44:05.823Z ERROR 1 --- [           main] o.s.b.d.LoggingFailureAnalysisReporter   :
identity-1  |
identity-1  | ***************************
identity-1  | APPLICATION FAILED TO START
identity-1  | ***************************
identity-1  |
identity-1  | Description:
identity-1  |
identity-1  | Parameter 0 of constructor in io.camunda.identity.controller.GroupController required a bean of type 'io.camunda.identity.service.GroupService' that could not be found.
identity-1  |
identity-1  |
identity-1  | Action:
identity-1  |
identity-1  | Consider defining a bean of type 'io.camunda.identity.service.GroupService' in your configuration.
identity-1  |
identity-1 exited with code 1

Hi @Driss_Najih, welcome to the forums! It looks like Identity is starting with the “default” Spring profile; it should be using the “oidc” profile when using your own OIDC provider (rather than Keycloak). Try setting SPRING_PROFILES_ACTIVE="oidc" in your Docker config.

Thank you, that helped me. However, after logging in, I get a message that the user is unauthorized. How can I make sure that my user is an admin upon login? I would like to share my docker-compose.yml file here: Can you please help with this?

services:
  identity:
    image: camunda/identity:${CAMUNDA_PLATFORM_VERSION}
    ports:
      - "8080:8080"
    environment:
      IDENTITY_DATABASE_HOST: postgres
      IDENTITY_DATABASE_PORT: 5432
      IDENTITY_DATABASE_NAME: bitnami_keycloak
      IDENTITY_DATABASE_USERNAME: bn_keycloak
      IDENTITY_DATABASE_PASSWORD: "XXXXXX"
      # intra id config
      CAMUNDA_IDENTITY_TYPE: "MICROSOFT"
      CAMUNDA_IDENTITY_BASE_URL:
      CAMUNDA_IDENTITY_ISSUER_BACKEND_URL: https://login.microsoftonline.com/${TENANT_ID}/v2.0
      CAMUNDA_IDENTITY_CLIENT_ID: ${AZURE_AD_CLIENT_ID}
      CAMUNDA_IDENTITY_CLIENT_SECRET: ${AZURE_AD_CLIENT_SECRET}
      CAMUNDA_IDENTITY_AUDIENCE: ${AZURE_AD_CLIENT_ID}
      CAMUNDA_IDENTITY_INITIAL_CLAIM_NAME: oid
      CAMUNDA_IDENTITY_INITIAL_CLAIM_VALUE: "openid profile email"
      IDENTITY_AUTH_PROVIDER_GROUP_CLAIM: "groups"
      #IDENTITY_KEYCLOAK_ENABLED: false
      SPRING_PROFILES_ACTIVE: "oidc"
    volumes:
      - ./keystore.jks:/etc/ssl/keystore.jks
    networks:
      - camunda-platform
      - identity-network

  postgres: # https://hub.docker.com/_/postgres
    container_name: postgres
    image: postgres:${POSTGRES_VERSION}
    environment:
      POSTGRES_DB: bitnami_keycloak
      POSTGRES_USER: bn_keycloak
      POSTGRES_PASSWORD: "XXXXXX"
    restart: on-failure
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}" ]
      interval: 10s
      timeout: 5s
      retries: 5
    volumes:
      - postgres:/var/lib/postgresql/data
    networks:
      - identity-network

networks:
  camunda-platform:
    name: camunda-platform
  identity-network:
    name: identity-network

volumes:
  postgres:

@Driss_Najih - you should check out our mapping rules documentation: Managing mapping rules | Camunda 8 Docs

Specifically, the first “INFO” callout about initial claims. As noted in the prereqs for configuring Entra ID, you need to configure the initial claim and value for the initial user to have access to Identity.
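The reply above says the initial user gets access only when a claim in the Entra ID token matches the configured initial claim name and value. The added example below (my own diagnostic script, not Camunda's code or the thread's) shows how to inspect the claims of an ID token and evaluate such a rule against them offline, which is the check a practitioner wants when a login comes back "unauthorized". The issuer, audience, claim value and the sample token are constructed placeholders; the equals/contains matching semantics are an assumption for illustration, and the script deliberately does not verify the signature, since it only inspects what the provider put in the token.

```python
import base64
import json

# Constructed placeholder values; in practice these come from the Docker Compose
# environment (CAMUNDA_IDENTITY_ISSUER, CAMUNDA_IDENTITY_AUDIENCE,
# CAMUNDA_IDENTITY_INITIAL_CLAIM_NAME, CAMUNDA_IDENTITY_INITIAL_CLAIM_VALUE).
ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
AUDIENCE = "11111111-1111-1111-1111-111111111111"
INITIAL_CLAIM_NAME = "oid"
INITIAL_CLAIM_VALUE = "22222222-2222-2222-2222-222222222222"
SAMPLE_GROUP_ID = "33333333-3333-3333-3333-333333333333"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT segment encoding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature.
    Constructed for this example only; it would never pass signature verification."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.
    This is a diagnostic to see which claims the provider issued; an identity
    service validates the signature against the issuer's keys before trusting them."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def claim_matches(claims: dict, name: str, expected: str) -> bool:
    """Assumed rule semantics: equality for a scalar claim such as 'oid',
    membership for a multi-valued claim such as 'groups'."""
    value = claims.get(name)
    if isinstance(value, list):
        return expected in value
    return value == expected


def check_initial_access(token: str, issuer: str, audience: str,
                         claim_name: str, claim_value: str) -> dict:
    """Evaluate the pieces that must line up for the initial-claim rule to apply."""
    claims = decode_claims(token)
    result = {
        "issuer_ok": claims.get("iss") == issuer,
        "audience_ok": claims.get("aud") == audience,
        "claim_present": claim_name in claims,
        "claim_ok": claim_matches(claims, claim_name, claim_value),
    }
    result["initial_rule_matches"] = all(result.values())
    return result


if __name__ == "__main__":
    # Constructed sample ID token carrying the placeholder claims above.
    token = make_sample_token({
        "iss": ISSUER,
        "aud": AUDIENCE,
        "oid": INITIAL_CLAIM_VALUE,
        "preferred_username": "alice@example.com",
        "groups": [SAMPLE_GROUP_ID],
    })
    print(json.dumps(check_initial_access(token, ISSUER, AUDIENCE,
                                          INITIAL_CLAIM_NAME, INITIAL_CLAIM_VALUE), indent=2))
```

Paste a real ID token from the login flow in place of the constructed one and compare each flag: a false `issuer_ok` or `audience_ok` points at the issuer/audience variables, a missing claim points at the token configuration in Entra ID, and a present-but-different value points at the initial claim value.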

I have so far confirmed my lease in Azure ID and can see my main claims. Here is my Docker Compose configuration, but my user is unauthorized. Can you help me further with this?

services:
  identity:
    image: camunda/identity:${CAMUNDA_PLATFORM_VERSION}
    ports:
      - "8080:8080"
    environment:
      IDENTITY_DATABASE_HOST: postgres
      IDENTITY_DATABASE_PORT: 5432
      IDENTITY_DATABASE_NAME: bitnami_keycloak
      IDENTITY_DATABASE_USERNAME: bn_keycloak
      IDENTITY_DATABASE_PASSWORD: "#3]O?4RGj)DE7Z!9SA5"
      # intra id config
      CAMUNDA_IDENTITY_TYPE: "MICROSOFT"
      CAMUNDA_IDENTITY_BASE_URL: 
      CAMUNDA_IDENTITY_ISSUER: 
      CAMUNDA_IDENTITY_ISSUER_BACKEND_URL: 
      CAMUNDA_IDENTITY_CLIENT_ID: ${AZURE_AD_CLIENT_ID}
      CAMUNDA_IDENTITY_CLIENT_SECRET: ${AZURE_AD_CLIENT_SECRET}
      CAMUNDA_IDENTITY_AUDIENCE: ${AZURE_AD_CLIENT_ID}
      CAMUNDA_IDENTITY_INITIAL_CLAIM_NAME: oid
      CAMUNDA_IDENTITY_INITIAL_CLAIM_VALUE: "a675fefc-beea-421e-8b37-c145b9011cf3"
      # IDENTITY_AUTH_PROVIDER_GROUP_CLAIM: "groups"
      # CAMUNDA_IDENTITY_INITIAL_CLAIM_NAME: "groups"  # or "roles", depending on your Azure AD configuration
      # CAMUNDA_IDENTITY_INITIAL_CLAIM_VALUE: "1ed02b13-05da-4088-9667-67897fc017c9"  # The specific group ID or role that grants initial access
      #IDENTITY_KEYCLOAK_ENABLED: false
      SPRING_PROFILES_ACTIVE: "oidc"
    volumes:
      - ./keystore.jks:/etc/ssl/keystore.jks
    networks:
      - camunda-platform
      - identity-network

  postgres: 
    container_name: postgres
    image: postgres:${POSTGRES_VERSION}
    ports:
      - "5432:5432"
    environment:
      POSTGRES_DB: bitnami_keycloak
      POSTGRES_USER: bn_keycloak
      POSTGRES_PASSWORD: "#3]O?4RGj)DE7Z!9SA5"
    restart: on-failure
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}" ]
      interval: 10s
      timeout: 5s
      retries: 5
    volumes:
      - postgres:/var/lib/postgresql/data
    networks:
      - identity-network
      - shared-network

networks:
  camunda-platform:
    name: camunda-platform
  identity-network:
    name: identity-network
  shared-network:
    name: shared-network

volumes:
  postgres:

@Driss_Najih - did you start fresh after adding the initial claim variables? If not, that’s likely the issue: Identity initialized without those values and isn’t looking for them again. The claims are stored in the Postgres database, so you could connect to that and update it there, then restart Identity; or you can tear down Identity and Postgres, including the volumes, and start fresh.

I have deleted the volume of the identity and postgres, and restarted the compose. However, I still get the same “user unauthorized” problem. In which tables in the database should I add the users, oid, and value to initialize them? How can I solve the problem through the database or otherwise, if possible?

@Driss_Najih - did you only delete the volumes or did you delete the containers also? If you are tearing it down, I would delete both the containers and the volumes, then re-run docker-compose.

I deleted the Docker volumes completely using commands and Docker Desktop. I also deleted the containers using docker-compose down and then restarted them with docker-compose up. However, I still get the same error message.

Here is my docker compose:

services:
  identity:
    image: camunda/identity:${CAMUNDA_PLATFORM_VERSION}
    ports:
      - "8080:8080"
    environment:
      IDENTITY_DATABASE_HOST: postgres
      IDENTITY_DATABASE_PORT: 5432
      IDENTITY_DATABASE_NAME: bitnami_keycloak
      IDENTITY_DATABASE_USERNAME: bn_keycloak
      IDENTITY_DATABASE_PASSWORD: "*****"
      # intra id config
      CAMUNDA_IDENTITY_TYPE: "MICROSOFT"
      CAMUNDA_IDENTITY_BASE_URL: http://${HOST}:8080
      CAMUNDA_IDENTITY_ISSUER: https://login.microsoftonline.com/${TENANT_ID}/v2.0
      CAMUNDA_IDENTITY_ISSUER_BACKEND_URL: https://login.microsoftonline.com/${TENANT_ID}/v2.0
      CAMUNDA_IDENTITY_CLIENT_ID: ${AZURE_AD_CLIENT_ID}
      CAMUNDA_IDENTITY_CLIENT_SECRET: ${AZURE_AD_CLIENT_SECRET}
      CAMUNDA_IDENTITY_AUDIENCE: ${AZURE_AD_CLIENT_ID}
      CAMUNDA_IDENTITY_INITIAL_CLAIM_NAME: "oid"
      CAMUNDA_IDENTITY_INITIAL_CLAIM_VALUE: "a675fefc-beea-421e-8b37-c145b9011cf3"
      # IDENTITY_AUTH_PROVIDER_GROUP_CLAIM: "groups"
      # CAMUNDA_IDENTITY_INITIAL_CLAIM_NAME: "groups"  # or "roles", depending on your Azure AD configuration
      # CAMUNDA_IDENTITY_INITIAL_CLAIM_VALUE: "1ed02b13-05da-4088-9667-67897fc017c9"  # The specific group ID or role that grants initial access
      #IDENTITY_KEYCLOAK_ENABLED: false
      SPRING_PROFILES_ACTIVE: "oidc"
    volumes:
      - ./keystore.jks:/etc/ssl/keystore.jks
    networks:
      - camunda-platform
      - identity-network

  postgres: # https://hub.docker.com/_/postgres
    container_name: postgres
    image: postgres:${POSTGRES_VERSION}
    ports:
      - "5432:5432"
    environment:
      POSTGRES_DB: bitnami_keycloak
      POSTGRES_USER: bn_keycloak
      POSTGRES_PASSWORD: "*****"
    restart: on-failure
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}" ]
      interval: 10s
      timeout: 5s
      retries: 5
    volumes:
      - postgres:/var/lib/postgresql/data
    networks:
      - identity-network
      - shared-network

networks:
  camunda-platform:
    name: camunda-platform
  identity-network:
    name: identity-network
  shared-network:
    name: shared-network

volumes:
  postgres:

@Driss_Najih - that’s strange. You can check the Postgres database in the mapping_rules table to see if the claim is there, and if not, add it manually.

There is no data in the table mapping_rules. I've inserted the data like below and get an error:
sql: INSERT INTO public.mapping_rules (type, name, claim_name, claim_value, operator)
VALUES ('identity', 'example_name', 'calime_type', '91532207-a054-482c-ac92-8c86a2dc616b', '=');

error: ERROR: Failing row contains (identity, example_name, calime_type, 91532207-a054-482c-ac92-8c86a2dc616b, =).new row for relation "mapping_rules" violates check constraint "mapping_rules_operator_check"

ERROR: new row for relation "mapping_rules" violates check constraint "mapping_rules_operator_check"
SQL state: 23514
Detail: Failing row contains (identity, example_name, calime_type, 91532207-a054-482c-ac92-8c86a2dc616b, =).

I found the solution myself. Unfortunately, your support team can’t help further—very poor.

Hi @Driss_Najih - this isn’t an official support channel, this is a community forum. Did you open a ticket with our support team?

For the benefit of the rest of the community, could you share the solution here in case someone else encounters the same issue?