[keycloak-dev] Realm templates

Thomas Raehalme thomas.raehalme at aitiofinland.com
Wed May 18 08:52:42 EDT 2016


On Wed, May 18, 2016 at 3:04 PM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> Having links between realms like this is not great. It shouldn't matter if
> two realms are on the same server or on different servers. In fact in a
> SaaS environment you should most likely not have many tenants on a single
> server and rather shard it.
>

By sharding do you mean that the environment should have multiple
independent Keycloak instances/clusters to which tenants are distributed?

> It would also be a fairly tedious thing to implement. Realms would need
> some inheritance, then there's the admin console to worry about. At the
> moment there's not even a "shared" place for multiple realms, so no logical
> place to create/edit realm templates.
>

Oh, I never presumed this would be an easy task to do :-)


> Another thing is that in the future we plan to remove the master realm concept
> completely. Instead we'll have a trusted realm option that will use
> identity brokering behind the covers. The idea is that a single admin can
> manage multiple realms independently of what servers the realms are located
> on. This would mean that an admin in reality can only manage a single
> realm, but automatically authenticate to other realms to manage those as
> well without re-authentication. There would be no cross-realm permissions
> though, so no "master" realm admin that can manage realm templates.
>

Do you mean that in the future the current master realm will be
just-another-realm, but when creating new realms they automatically trust
the master?

Best regards,
Thomas