[keycloak-dev] RFC: organizations

Juraci Paixão Kröhling juraci at kroehling.de
Tue Jul 28 02:12:14 EDT 2015


Scott,
On 07/28/2015 04:12 AM, Scott Rehorn wrote:
> Proposal: introduce a new entity called "organizations" to provide a
> means of delivering specific claim values to authenticated users known
> in that organization
>
> Rationale: in our group at Dell Software, we have to support the notion
> of tenancy within a single realm, but we are trying to avoid the term
> ‘tenant’ as it’s too overloaded. Our typical use case is to use
> Keycloak+our extensions as an external system which acts as identity
> broker for a constrained set of IdPs and claims authority for users. If
> we use realm-per-organization, then we wind up with a large set of
> repeated IdP configurations. By introducing an entity for
> “organizations” then we have a centralized place to store metadata for
> users and related client/RP instances.

We have a *very* similar use case and we have implemented the notion of 
"Organizations" (and "Personas") in Hawkular, in a module named 
"Hawkular Accounts". In our case, a user can belong to multiple 
organizations, and can have different roles within each organization 
("Super User" in "Operations", but "Monitor" on "Marketing").

If our use cases converge, I think we should work together on this.

Our code is currently located here and includes some documentation about 
how it works and what our use case is:
https://github.com/hawkular/hawkular-accounts


- Juca.

