[keycloak-dev] management problems

Stian Thorgersen stian at redhat.com
Thu May 1 10:16:19 EDT 2014



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Thursday, 1 May, 2014 3:11:48 PM
> Subject: Re: [keycloak-dev] management problems
> 
> 
> 
> On 5/1/2014 9:30 AM, Stian Thorgersen wrote:
> > I'm wondering about what issues there are with having a single shared admin
> > realm though. That seems the optional solution to me.
> >
> 
> Isn't the issue multi-tenancy?

We can grant admin users access to manage only specific realms though?

Or are you thinking multi-tenancy for AeroGear?

> 
> > Thinking about the unified console project that Thomas is in charge of, it
> > should be possible to login to have SSO to all admin consoles. For example
> > SSO across EAP, Keycloak, AeroGear, consoles.
> >
> > ----- Original Message -----
> >> From: "Stian Thorgersen" <stian at redhat.com>
> >> To: "Bill Burke" <bburke at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Thursday, 1 May, 2014 2:13:11 PM
> >> Subject: Re: [keycloak-dev] management problems
> >>
> >>
> >>
> >> ----- Original Message -----
> >>> From: "Bill Burke" <bburke at redhat.com>
> >>> To: "Stian Thorgersen" <stian at redhat.com>
> >>> Cc: keycloak-dev at lists.jboss.org
> >>> Sent: Thursday, 1 May, 2014 2:08:17 PM
> >>> Subject: Re: [keycloak-dev] management problems
> >>>
> >>> cross-realm user doesn't solve the problem of having an integrated admin
> >>> experience for apps like Aerogear UPS.
> >>
> >> I know - not really related, just popped into my head while reading your
> >> mail
> >>
> >>>
> >>> On 5/1/2014 5:23 AM, Stian Thorgersen wrote:
> >>>> What are the downsides of having a "shared" admin realm?
> >>>>
> >>>> We can do fine-grained access control, so individual admins/users can be
> >>>> limited to only manage certain realms (or none at all).
> >>>>
> >>>> Another related thing is I wonder if we could share users (and maybe
> >>>> even
> >>>> do sso) cross realms? I can imagine situations where people want
> >>>> multiple
> >>>> realms to manage token settings, social settings, applications, etc, but
> >>>> still want to let users have a single account, instead of one per-realm.
> >>>> We already support authenticating users with a different realm, but I
> >>>> was
> >>>> wondering if we could make it a more integrated feature, as well as
> >>>> support sso.
> >>>>
> >>>> ----- Original Message -----
> >>>>> From: "Bill Burke" <bburke at redhat.com>
> >>>>> To: keycloak-dev at lists.jboss.org
> >>>>> Sent: Thursday, 1 May, 2014 3:37:46 AM
> >>>>> Subject: [keycloak-dev] management problems
> >>>>>
> >>>>> Our current "master realm" structure/design is deficient.  Consider an
> >>>>> application like UPS that wants to use Keycloak to manage users.  This
> >>>>> application would also have its own management console whose security
> >>>>> is
> >>>>> also managed by keycloak.
> >>>>>
> >>>>> My first thought is that you could define the application's management
> >>>>> console as an application in the "master" keycloak realm.  This
> >>>>> solution
> >>>>> isn't a great one if the keycloak server is managing multiple realms.
> >>>>> So, IMO not something we should recommend.
> >>>>>
> >>>>> Another option is to define admin roles within the application's realm
> >>>>> itself.  These roles are assignable to users within the realm.  This
> >>>>> would require rethinking of the Angular JS admin console and how things
> >>>>> are authenticated and how people log-in.  We should probably treat this
> >>>>> as SSO and have individual applications within the application realm,
> >>>>> for example:
> >>>>>
> >>>>> UPS Realm registered applications:
> >>>>>
> >>>>> realm-management (keycloak admin console)
> >>>>> aerogear-ups-management (ups admin console)
> >>>>>
> >>>>> --
> >>>>> Bill Burke
> >>>>> JBoss, a division of Red Hat
> >>>>> http://bill.burkecentral.com
> >>>>> _______________________________________________
> >>>>> keycloak-dev mailing list
> >>>>> keycloak-dev at lists.jboss.org
> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>>>
> >>>
> 

