<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>This would need to be a community contribution. We (the
RHT/Keycloak open source devs) have too many things scheduled in
queue right now and I don't think there would be a lot of users
that would request this feature.<br>
</p>
<br>
<div class="moz-cite-prefix">On 5/18/16 9:19 AM, Stian Thorgersen
wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAfQ8mdb8dFV89oLg94KUsdRx0sGM=h9-W6Jx6fC6ERNGg@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 18 May 2016 at 15:07, Thomas
Raehalme <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:thomas.raehalme@aitiofinland.com"
target="_blank">thomas.raehalme@aitiofinland.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote"><span class="">On Wed, May
18, 2016 at 3:59 PM, Stian Thorgersen <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:sthorger@redhat.com"
target="_blank">sthorger@redhat.com</a>></span>
wrote:</span>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote"><span><span class="">On
18 May 2016 at 14:52, Thomas Raehalme <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:thomas.raehalme@aitiofinland.com"
target="_blank">thomas.raehalme@aitiofinland.com</a>></span>
wrote:</span><span class="">
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>By sharding do you mean
that the environment should
have multiple independent
Keycloak instances/clusters to
which tenants are distributed?</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
</span></span><span class="">
<div>Yes. At first our plan was to have a
single Keycloak support multiple tenants
in a SaaS environment. However, we
decided that this level of tenants would
be better achieved by having completely
separate instances.</div>
</span></div>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>Ok, thanks for the clarification. I don't think
from a developer point of view it makes a big
difference to have multiple instances if you're
already working with multiple realms. My concern,
however, is how to manage all those realms hence
my original message. At the moment there is no
tool to support that, or at least I am not aware
of one.</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>Fair point, but any solution would need to work with
realms that are located on the same instance as well as on
different instances.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote"><span class="">
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote"><span>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote"><span>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">
<div>It would also be a
fairly tedious thing to
implement. Realms would
need some inheritance,
then there's the admin
console to worry about.
At the moment there's
not even a "shared"
place for multiple
realms, so no logical
place to create/edit
realm templates.<br>
</div>
</div>
</blockquote>
<div><br>
</div>
</span>
<div>Oh, I never presumed this
would be an easy task to do :-)</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
</span>
<div>I meant we're very unlikely to accept
the feature due to the amount of
complexity that would be involved. It
also has very little benefit in the
use-cases we've designed Keycloak for
and wouldn't work when realms are
located on separate instances which we
expect would be the norm.</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
</span>
<div>One important use case in my opinion is the
possibility to ensure that in a SaaS environment
all realms contain the required data. If you, for
example, add a new role in your SaaS application,
you'll need to make sure the role is added to all
realms (and assign it to users properly).</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>You could do that through admin REST endpoints</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote"><span class="">
<div><br>
</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote"><span>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote"><span>
<div> Another thing is that in
the future we plan to remove
master realm concept
completely. Instead we'll
have a trusted realm option
that will use identity
brokering behind the covers.
The idea is that a single
admin can manage multiple
realms independently of what
servers the realms are
located on. This would mean
that an admin in reality can
only manage a single realm,
but automatically
authenticate to other realms
to manage those as well
without re-authentication.
There would be no
cross-realm permissions
though, so no "master" realm
admin that can manage realm
templates. </div>
<div><br>
</div>
</span>
<div>Do you mean that in the
future the current master
realm will be
just-another-realm, but when
creating new realms they
automatically trust the
master?</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
</span>
<div>There will be no special "master"
realm at all. We've not fully figured
out the bootstrapping of new realms.
Rather than having a "master" realm it
would be possible to link realms
together which will enable cross-realm
management. One key aspect of this is
that not only will you be able to manage
multiple realms within the Keycloak
admin console, but you will also be able
to authenticate to your own applications
that exist in different realms.</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
</span>
<div>How is that different from the currently
available keycloak-oidc identity provider?</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>It would use keycloak-oidc identity provider behind the
covers, but the bootstrapping would be a single click
button. Rather than a button on login form we'd also hide
the button and use idp_hint to automatically "login" to
another realm.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div>Best regards,</div>
<div>Thomas</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
keycloak-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
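<p>Added example (not code from the thread or from the Keycloak project) of the approach Stian suggests above: using the admin REST endpoints to make sure a role exists in every realm, as in Thomas's "new role in your SaaS application" case. It assumes the 2016-era <code>/auth</code> URL prefix, an admin user in the master realm and the built-in <code>admin-cli</code> public client; the HTTP transport is a parameter so the logic can be exercised offline against a fake server.</p>

```python
# Added example, not from the keycloak-dev thread. Assumes the /auth URL prefix,
# a master-realm admin and the admin-cli client; `send` is injectable for tests.
import json
import urllib.error
import urllib.parse
import urllib.request


def urllib_send(method, url, headers=None, body=None):
    """Default transport: returns (HTTP status, decoded JSON body or None)."""
    data = body.encode() if isinstance(body, str) else body
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def get_admin_token(base, username, password, send=urllib_send):
    """Resource-owner password grant against the master realm (admin-cli client)."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password})
    status, body = send("POST", f"{base}/auth/realms/master/protocol/openid-connect/token",
                        {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token request to {base} failed: HTTP {status}")
    return body["access_token"]


def ensure_role_everywhere(base, token, role_name, description="", send=urllib_send):
    """Create role_name in every realm where it is missing; idempotent on rerun.
    Returns {realm: 'present' | 'created' | 'error <status>'}."""
    auth = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, realms = send("GET", f"{base}/auth/admin/realms", auth)
    if status != 200:
        raise RuntimeError(f"listing realms on {base} failed: HTTP {status}")
    role_path = urllib.parse.quote(role_name, safe="")  # never splice raw names into URLs
    outcome = {}
    for realm in realms:
        name = realm["realm"]
        status, _ = send("GET", f"{base}/auth/admin/realms/{name}/roles/{role_path}", auth)
        if status == 200:
            outcome[name] = "present"
            continue
        status, _ = send("POST", f"{base}/auth/admin/realms/{name}/roles", auth,
                         json.dumps({"name": role_name, "description": description}))
        outcome[name] = "created" if status == 201 else f"error {status}"
    return outcome
```

<p>Because realms are expected to live on separate instances, run <code>get_admin_token</code> plus <code>ensure_role_everywhere</code> once per base URL; a master-realm token is only valid for the instance that issued it.</p>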
<br>
</body>
</html>