[keycloak-user] Multi-tenancy applications

Stian Thorgersen stian at redhat.com
Thu Apr 9 08:11:29 EDT 2015



----- Original Message -----
> From: "Egor Kolesnikov" <egor.kolesnikov at fastlane-it.com>
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 9 April, 2015 4:58:12 AM
> Subject: [keycloak-user] Multi-tenancy applications
> 
> I've been using Keycloak for quite some time now on a couple of projects, and
> it's absolutely awesome - it just does the right thing, straight out of the
> box.
> 
> However, what I found quite confusing is the "Realm" definition which is
> missing from the documentation.
> I'm trying to add multi-tenancy support to our application and found it a bit
> confusing. It seems that Keycloak's approach to multitenancy is "Realm per
> tenant" - which makes sense, until it comes to the realisation that the
> applications only exist within realms. This implies that if there are a few
> hundred tenants (i.e. organisations using the application), the task of
> changing application config (i.e. adding an application-level role or
> adding/removing a redirect URL) becomes a maintenance nightmare.
> 
> Is it at all possible to define a "global", not realm-confined application in
> Keycloak? Would it be hard to implement? Happy to put some effort into it
> and send a pull request.

It's not possible now and would require a lot of changes.

The best idea I can come up with is to use the admin endpoints to automate replicating the applications for multiple realms. Would be relatively easy to write something that uses the application in one realm as a reference and duplicates it to other realms.

> 
> A bit more context:
> - I have a webapp that serves multiple organisations.
> - Each organisation has its own users and admins (who can create users and
> other admins).
> - There is a "Super" administrator who creates organisations and admins.
> - Webapp can recognise the organisation based on Company ID or domain name.
> 
> Many thanks in advance.
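The replication approach suggested in the reply above, as an added sketch that is not part of the original thread or of Keycloak itself. Assumptions: the endpoint paths follow the current Admin REST API, where applications are called clients (check them against the version in use), and `http` is a hypothetical caller-supplied transport that sends an authenticated admin request and returns parsed JSON.

```python
import copy
from urllib.parse import quote

# Fields that must not be copied between realms: the internal id is
# realm-local, and sharing a client secret would let one tenant's
# credentials work against another tenant's realm.
REALM_LOCAL_FIELDS = ("id", "secret")

def portable(client):
    """Return the client representation without realm-local fields."""
    rep = copy.deepcopy(client)
    for field in REALM_LOCAL_FIELDS:
        rep.pop(field, None)
    return rep

def find_client(http, realm, client_id):
    """Look up a client by clientId; returns its representation or None."""
    path = f"/admin/realms/{realm}/clients?clientId={quote(client_id)}"
    found = http("GET", path, None)
    return found[0] if found else None

def replicate(http, reference_realm, client_id, tenant_realms):
    """Copy the reference realm's client config to each tenant realm.

    http(method, path, body) is the assumed transport described above.
    Returns {realm: "created" | "updated" | "unchanged"} so that drift,
    such as a stale redirect URI left in one tenant, shows up in the result.
    """
    ref = find_client(http, reference_realm, client_id)
    if ref is None:
        raise LookupError(f"{client_id} not found in {reference_realm}")
    wanted = portable(ref)
    result = {}
    for realm in tenant_realms:
        if realm == reference_realm:
            continue
        current = find_client(http, realm, client_id)
        if current is None:
            http("POST", f"/admin/realms/{realm}/clients", wanted)
            result[realm] = "created"
        elif portable(current) != wanted:
            # PUT addresses the client by its realm-local internal id.
            http("PUT", f"/admin/realms/{realm}/clients/{current['id']}", wanted)
            result[realm] = "updated"
        else:
            result[realm] = "unchanged"
    return result
```

A real server returns nested objects that carry their own realm-local ids (protocol mappers, for example), so a production version would normalise those as well before comparing.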

