[keycloak-user] Different theme for each client

Stian Thorgersen sthorger at redhat.com
Fri Dec 18 03:47:15 EST 2015 

On 18 December 2015 at 09:44, Marek Posolda <mposolda at redhat.com> wrote:

> On 18/12/15 09:39, Stian Thorgersen wrote:
>
>
>
> On 18 December 2015 at 09:35, Marek Posolda <mposolda at redhat.com> wrote:
>
>> On 18/12/15 08:23, Stian Thorgersen wrote:
>>
>> The best solution to that is either the ability to share users between
>> realms or more likely the ability to define a SSO group within a realm.
>> Each SSO group would have independent SSO sessions and could also have
>> separate themes associated with it. It's not something we have resources
>> for right now though.
>>
>> I wonder if we can have something like
>> "different-realm-user-federation-provider" ? We had something like this in
>> the early days of Keycloak.
>>
>> For example, if you have 2 realms "blueRealm" and "greenRealm" . The
>> greenRealm will have defined federation provider, which will delegate
>> retrieving users to blueRealm. Then all applications configured against
>> greenRealm will see green login screen, but they will be able to
>> authenticate with users+passwords from blueRealm.
>>
>
> That's not very elegant at least not ATM as we would end up duplicating
> the users in the DB.
>
> Yeah. Once we address in-memory federation, it's going to be better
> though. Might be easier then introduce brand new concept of SSO groups
> within realm.
>

I think SSO groups would be useful. User federation doesn't allow sharing
anything besides users. You may for instance have a bunch of services and a
a few internal apps, but one external app. You'd like the external app to
be able to call services, but not be part of the internal SSO.


>
>
> Marek
>
>
>
>>
>> Marek
>>
>>
>>
>> Simply displaying a different theme per-client just doesn't make any
>> sense at all. Users log-in to a SSO realm, not an individual client. So I'm
>> against adding something like that unless we add the ability to log-in to
>> clients or groups of clients individually.
>>
>> On 18 December 2015 at 03:08, Raghuram Prabhala < <prabhalar at yahoo.com>
>> prabhalar at yahoo.com> wrote:
>>
>>> Pe
>>>
>>> It depends upon the application that the user accesses. We have several
>>> scenarios where the same set of users login to different applications in
>>> different divisions, some internet facing that have a totally different
>>> look from our intranet ones and it also depends upon whether the
>>> applications look for multi factor authentication as well.
>>>
>>> This is a very common scenario - We typically have different themes
>>> presented to the users based on what the client applications request
>>> (different themes can be requested utilizing different http parameters)
>>>
>>> Perhaps we can define different realms for different themes but it
>>> becomes very cumbersome
>>>
>>>
>>>
>>> ------------------------------
>>> *From:* Stian Thorgersen < <sthorger at redhat.com>sthorger at redhat.com>
>>> *To:* Raghuram Prabhala < <prabhalar at yahoo.com>prabhalar at yahoo.com>
>>> *Cc:* Revanth Ayalasomayajula < <revanth at arvindinternet.com>
>>> revanth at arvindinternet.com>; keycloak-user <
>>> <keycloak-user at lists.jboss.org>keycloak-user at lists.jboss.org>
>>> *Sent:* Thursday, December 17, 2015 9:28 AM
>>>
>>> *Subject:* Re: [keycloak-user] Different theme for each client
>>>
>>>
>>>
>>> On 17 December 2015 at 14:44, Raghuram Prabhala < <prabhalar at yahoo.com>
>>> prabhalar at yahoo.com> wrote:
>>>
>>> Stian - Even we have a similar requirement of having different themes,
>>> but for different divisions within the firm. Some of them have additional
>>> functionality of changing even the password. Can you suggest some way of
>>> achieving the above functionality considering that all the other
>>> functionality is the same for all divisions?
>>>
>>>
>>> Not actually sure what you mean here. It just doesn't make sense to show
>>> a user two login pages that look different (and possible have different
>>> things enabled/disable) if they use the same realm and SSO session.
>>>
>>>
>>>
>>> Thanks,
>>> Raghu
>>>
>>> ------------------------------
>>> *From:* Stian Thorgersen < <sthorger at redhat.com>sthorger at redhat.com>
>>> *To:* Revanth Ayalasomayajula < <revanth at arvindinternet.com>
>>> revanth at arvindinternet.com>
>>> *Cc:* keycloak-user < <keycloak-user at lists.jboss.org>
>>> keycloak-user at lists.jboss.org>
>>> *Sent:* Thursday, December 17, 2015 8:05 AM
>>> *Subject:* Re: [keycloak-user] Different theme for each client
>>>
>>> Having different clients login to the same SSO realm with different
>>> branded login pages just doesn't make sense. If we add the concept of a SSO
>>> domain/zone or something within a realm, where a group of clients have
>>> separate themes and SSO session that would make sense.
>>>
>>> On 15 December 2015 at 12:14, Revanth Ayalasomayajula <
>>> <revanth at arvindinternet.com>revanth at arvindinternet.com> wrote:
>>>
>>> +1 for this feature.
>>>>>>
>>> On Tue, Dec 15, 2015 at 4:39 PM, Helder dos S. Alves <
>>> <helder.jaspion at gmail.com>helder.jaspion at gmail.com> wrote:
>>>
>>> Hi.
>>>
>>> I need to have a different theme for each of the clients of a realm.
>>> If a user came from one client, I have to show a keycloak page with the
>>> logo and skin of that client.
>>> Is it possible with Keycloak? How?
>>>
>>> Thanks in advance.
>>>
>>>
>>> Helder S. Alves
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> <keycloak-user at lists.jboss.org>keycloak-user at lists.jboss.org
>>> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> <keycloak-user at lists.jboss.org>keycloak-user at lists.jboss.org
>>> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> <keycloak-user at lists.jboss.org>keycloak-user at lists.jboss.org
>>> <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151218/34c4fa38/attachment-0001.html

More information about the keycloak-user mailing list