<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 18 May 2016 at 15:07, Thomas Raehalme <span dir="ltr"><<a href="mailto:thomas.raehalme@aitiofinland.com" target="_blank">thomas.raehalme@aitiofinland.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On Wed, May 18, 2016 at 3:59 PM, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span><span class="">On 18 May 2016 at 14:52, Thomas Raehalme <span dir="ltr"><<a href="mailto:thomas.raehalme@aitiofinland.com" target="_blank">thomas.raehalme@aitiofinland.com</a>></span> wrote:</span><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div>By sharding do you mean that the environment should have multiple independent Keycloak instances/clusters to which tenants are distributed?</div></div></div></div></blockquote><div><br></div></span></span><span class=""><div>Yes. At first our plan was to have a single Keycloak support multiple tenants in a SaaS environment. However, we decided that this level of tenants would be better achieved by having completely separate instances.</div></span></div></div></div></blockquote><div><br></div><div>Ok, thanks for the clarification. I don't think from a developer point of view it makes a big difference to have multiple instances if you're already working with multiple realms. My concern, however, is how to manage all those realms hence my original message. At the moment there is no tool to support that, or at least I am not aware of one.</div></div></div></div></blockquote><div><br></div><div>Fair point, but any solution would need to work with realms that are located on the same instance as well as on different instances.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span class=""><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>It would also be a fairly tedious thing to implement. Realms would need some inheritance, then there's the admin console to worry about. At the moment there's not even a "shared" place for multiple realms, so no logical place to create/edit realm templates.<br></div></div></blockquote><div><br></div></span><div>Oh I never presumed this would be easy task to do :-)</div></div></div></div></blockquote><div><br></div></span><div>I meant we're very unlikely to accept the feature due to the amount of complexity that would be involved. It also has very little benefit in the use-cases we've designed Keycloak for and wouldn't work when realms are located on separate instances which we expect would be the norm.</div></div></div></div></blockquote><div><br></div></span><div>One important use case in my opinion is the possibility to ensure that in a SaaS environment all realms contain the required data. If you, for example, add a new role in your SaaS application, you'll need to make sure the role is added to all realms (and assign it to users properly).</div></div></div></div></blockquote><div><br></div><div>You could do that through admin rest endpoints</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span class=""><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span><div> Another thing is that in the future we plan to remove master realm concept completely. Instead we'll have a trusted realm option that will use identity brokering behind the covers. The idea is that a single admin can manage multiple realms independently on what servers the realm are located on. This would mean that an admin in reality can only manage a single realm, but automatically authenticate to other realms to manage those as well without re-authentication. There would be no cross-realm permissions though, so no "master" realm admin that can manage realm templates. </div><div><br></div></span><div>Do you mean that in the future the current master realm will be just-another-realm, but when creating new realms they automatically trust the master?</div></div></div></div></blockquote><div><br></div></span><div>There will be no special "master" realm at all. We've not fully figured out the bootstrapping of new realms. Rather than having a "master" realm it would be possible to link realms together which will enable cross-realm management. One key aspect of this is that not only will you be able to manage multiple realms within the Keycloak admin console, but you will also be able to authenticate to your own applications that exist in different realms.</div></div></div></div></blockquote><div><br></div></span><div>How is that different from the currently available keycloak-oidc identity provider?</div></div></div></div></blockquote><div><br></div><div>It would use keycloak-oidc identity provider behind the covers, but the bootstrapping would be a single click button. Rather than a button on login form we'd also hide the button and use idp_hint to automatically "login" to another realm.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><br></div><div>Best regards,</div><div>Thomas</div><div></div></div>
</div></div>
</blockquote></div><br></div></div>