
Introducing Enhanced Identity Management in Camunda 8.7

Camunda 8.7 brings greater flexibility and security for Self-Managed and SaaS users.

With the upcoming release of Camunda 8.7, we’re excited to present a range of significant enhancements to the Identity service, designed to deliver greater flexibility, control, and security for both Self-Managed and SaaS users. These updates are part of our broader effort to streamline the platform’s architecture, as discussed in our previous blog post on simplified deployment options and an accelerated getting-started experience.

In short, Camunda 8.7 brings these key changes to identity management:

  • Cluster-level identity management
  • Decoupling from Keycloak
  • New resource-based permissions
  • Enhanced REST API endpoints

These architectural adjustments in Camunda 8.7 offer several clear benefits:

  • Flexibility: Camunda 8.7 will offer limited built-in user management functionality, eliminating the need to run Keycloak. Users requiring a more feature-rich identity provider can seamlessly integrate their own identity provider (IdP) through OpenID Connect (OIDC).
  • Enhanced control: With identity and user groups managed within each cluster, organizations gain more precise control over user access.
  • Security: With authorization enabled, access is denied by default and must be granted explicitly, in line with the principle of least privilege, reducing the risk of unauthorized actions.
  • Granularity: Resource-level permissions provide a level of customization that enables you to fine-tune access at every level.

Key changes in Camunda 8.7 Self-Managed

Architecture of Camunda 8.7 Self-Managed

Camunda 8.7 introduces significant advancements to streamline installation, configuration, identity management, and REST API capabilities, further enhancing user flexibility and control.

Removing Keycloak

A notable change is the removal of the built-in Keycloak integration, which gives users more freedom in selecting their preferred IdP. Keycloak is still fully supported, but as an external OIDC provider like any other: Camunda 8.7 lets users integrate any compatible IdP, providing greater customization and alignment with organizational standards. OIDC remains the standard protocol for integrating the chosen provider.

No requirement for relational database

Beyond rethinking identity management, Camunda 8.7 simplifies installation by removing the requirement for a relational database when running a single orchestration cluster, reducing complexity and making setup more user-friendly. Identity settings are now configured at the orchestration cluster level, so each cluster can have its own OIDC configuration.

This cluster-specific setup empowers organizations to assign different IdPs across clusters, offering improved control over permissions and user group mappings, resulting in a more streamlined and efficient configuration experience.

New identity-focused endpoints

Camunda 8.7 introduces new identity-focused endpoints within the Camunda 8 REST API, alongside enhanced query capabilities for process entities such as processes, decisions, user tasks, and forms. This marks the beginning of a shift from component-specific APIs (like Tasklist and Operate) to unified, centralized queries.

The Identity API endpoints enable managing users and permissions within orchestration clusters, supporting resource-based authorizations for fine-grained access control. This approach strengthens control over resource access, building a secure, scalable foundation for customizable workflows across various organizational needs.

Embracing the principle of least privilege

Camunda 8.7 also introduces a stricter adherence to the principle of least privilege, a core security practice. When authorization is enabled, users do not have default access to applications like Tasklist and Operate, or to any resources. Permissions must be explicitly granted, ensuring that users only have access to what is necessary.

We’re also introducing resource-level permissions, applying to process definitions and web applications. Admin users will continue to have full access, but regular users will need to be granted specific permissions to perform actions or view resources. For organizations that build custom frontends and access Camunda via API, users with API permissions can still access process data through the V2 API.
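As an added illustration (this is not Camunda's code or its permission model), the following Python sketch models the rules this section describes: nothing is reachable by default, access comes only from explicit grants that name a principal, a resource type and a resource id, a wildcard id covers every resource of that type, and admin users bypass the check entirely. The resource type and permission names (PROCESS_DEFINITION, APPLICATION, READ, CREATE_PROCESS_INSTANCE, ACCESS), the role name "ops" and the sample users are assumptions chosen for the example, not identifiers from the product.

```python
"""Deny-by-default, resource-level authorization check.

Illustrative model only, added for this article: it is not Camunda's
implementation. Resource types, permission names and identifiers below are
assumptions chosen to mirror the behaviour the article describes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    owner: str              # user id or role/group name the grant applies to
    resource_type: str      # e.g. "PROCESS_DEFINITION" or "APPLICATION" (assumed names)
    resource_id: str        # a specific id, or "*" for every resource of that type
    permissions: frozenset  # permission names, e.g. {"READ"} (assumed names)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str             # why the decision was reached; useful for audit logging


class Authorizer:
    def __init__(self, grants, admins=(), memberships=None):
        self.grants = list(grants)
        self.admins = set(admins)
        # user -> roles/groups the user belongs to; a grant may target either
        self.memberships = memberships or {}

    def decide(self, user, resource_type, resource_id, permission):
        if user in self.admins:
            return Decision(True, "admin: full access")
        principals = {user} | set(self.memberships.get(user, ()))
        for g in self.grants:
            if (g.owner in principals
                    and g.resource_type == resource_type
                    and g.resource_id in ("*", resource_id)
                    and permission in g.permissions):
                return Decision(True, f"grant to {g.owner} on {g.resource_type}:{g.resource_id}")
        # No matching grant: deny. With authorization enabled, a user with no
        # grants can reach neither the web applications nor any resource.
        return Decision(False, "no matching grant (default deny)")

    def is_allowed(self, user, resource_type, resource_id, permission):
        return self.decide(user, resource_type, resource_id, permission).allowed


# Constructed sample data for the example (not taken from the article).
GRANTS = [
    Grant("alice", "PROCESS_DEFINITION", "order-process",
          frozenset({"READ", "CREATE_PROCESS_INSTANCE"})),
    Grant("ops", "APPLICATION", "operate", frozenset({"ACCESS"})),
    Grant("ops", "PROCESS_DEFINITION", "*", frozenset({"READ"})),
]
AUTHZ = Authorizer(GRANTS, admins={"root"}, memberships={"carol": {"ops"}})


def demo():
    """Evaluate a set of representative checks; returns {check: allowed}."""
    checks = [
        ("alice", "PROCESS_DEFINITION", "order-process", "READ"),
        ("alice", "PROCESS_DEFINITION", "order-process", "DELETE_PROCESS"),
        ("alice", "APPLICATION", "operate", "ACCESS"),          # no app grant: denied
        ("carol", "APPLICATION", "operate", "ACCESS"),          # via "ops" role
        ("carol", "PROCESS_DEFINITION", "invoice-process", "READ"),  # via wildcard
        ("bob", "PROCESS_DEFINITION", "order-process", "READ"), # fresh user: nothing
        ("root", "APPLICATION", "tasklist", "ACCESS"),          # admin bypass
    ]
    return {c: AUTHZ.is_allowed(*c) for c in checks}


if __name__ == "__main__":
    for check, ok in demo().items():
        print("ALLOW" if ok else "DENY ", *check)
```

The point worth carrying over to a real cluster is the last two lines of `demo()`: a user with no grants at all (bob) gets nothing, including the web applications, while an admin is never evaluated against the grant table. When reviewing a permission setup, enumerate exactly those two cases first.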

Managing identity in SaaS

Architecture of Camunda 8.7 SaaS

For our SaaS customers, identity management in Camunda 8.7 remains consistent with Camunda 8.6, allowing the attachment of a single IdP per organization. However, we are extending cluster-level identity capabilities to SaaS as well. This means that user groups, roles, and access permissions can now be managed at the cluster level, giving SaaS customers the same granular access control as in Self-Managed environments.

Conclusion: Elevating identity management

Camunda 8.7 marks a major step forward in our Identity service. By moving to a more flexible architecture and offering deeper control at the cluster level, we’re enabling our users to better manage their identity and access needs. Whether you’re in a Self-Managed environment or utilizing our SaaS offering, the upcoming release ensures a smoother, more secure experience for all users.

Stay tuned for the official release, and get ready to take advantage of these new features!
