[keycloak-user] [keycloak-dev] Keycloak 1.6.0.Final Released

Bill Burke bburke at redhat.com
Wed Oct 21 11:43:21 EDT 2015



On 10/21/2015 9:53 AM, Patrick Andreas Näf wrote:
> Here I have a similar requirement for a SaaS application. Need to have a
> single login form for all users and when the user logs in, I have to
> decide to which tenant (and server) a user belongs. Then I do a
> redirect to the right server / tenant.
> It's the same way most SaaS applications work (one login screen, then
> you get redirected to the right server / application).
>
> If we want to have one single login form for all tenants, then we can
> only have the users in the same realm I think, because you must be sure
> that all the users are unique.
> But we also need a way to let a user log in to several tenants with
> the same user. For that I plan to add a role for every tenant. If a user
> has several such roles, he must choose to which tenant he wants to connect.
> The application makes sure only a user with the correct role can use a
> tenant.
>
> Maybe there is a better way to solve that?
>
> The best way to solve it would be to allow a user to be in more than one
> realm and support a way to test in which realms a user is. Then we can
> log in the user and test the realm(s).
> But I think that wouldn't be possible because the whole design is
> different. Maybe a "super realm" is possible that is a container for
> such users?
>

We originally took this route with Keycloak.  The idea that Keycloak 
could be a SAAS... But we decided that the best way to deploy Keycloak in 
the cloud would be to create a cloud instance of Keycloak per 
organization.  In Red Hat OpenShift terms:  Keycloak would be a 
cartridge and the organization could opt to install it within their 
cloud account.

The reason for this is to isolate one paying customer from a different 
one.  You probably don't want them sharing database instances, IP 
addresses, etc.

If that is not possible, we can discuss other possibilities.  Right now 
though Realm is a completely isolated unit.  Users belong to one realm 
and one realm only.
-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
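
The role-per-tenant check described in the quoted message, as an added example that is not part of the original thread and is not Keycloak's own code. It assumes the access token's signature, issuer and expiry were already verified, that realm roles arrive under the realm_access.roles claim, and a hypothetical "tenant:<id>" role naming scheme; all function and class names are illustrative.

```python
# Added example: role-per-tenant authorization in a single shared realm.
# Assumption: `claims` is the payload of an already verified access token.
# Assumption: tenant roles are named "tenant:<id>" (hypothetical convention).
import re

TENANT_ROLE = re.compile(r"tenant:([a-z0-9][a-z0-9-]{0,62})")


class TenantAccessDenied(Exception):
    """Raised whenever the token does not prove access to a tenant."""


def tenants_for(claims):
    """Return the set of tenant ids granted by the token's realm roles."""
    roles = (claims.get("realm_access") or {}).get("roles") or []
    tenants = set()
    for role in roles:
        # fullmatch rejects look-alikes such as "tenant:acme/../x" or "xtenant:acme".
        m = TENANT_ROLE.fullmatch(role) if isinstance(role, str) else None
        if m:
            tenants.add(m.group(1))
    return tenants


def resolve_tenant(claims, requested=None):
    """Pick the tenant for this session, denying by default.

    One tenant role: use it. Several: the user must choose, and the choice
    is checked against the token, never trusted from the request alone.
    """
    allowed = tenants_for(claims)
    if not allowed:
        raise TenantAccessDenied("token carries no tenant role")
    if requested is None:
        if len(allowed) == 1:
            return next(iter(allowed))
        raise TenantAccessDenied("several tenants available, selection required")
    if requested not in allowed:
        raise TenantAccessDenied("no role for requested tenant")
    return requested


# Constructed sample claims (not real token contents).
SAMPLE = {"sub": "u-1",
          "realm_access": {"roles": ["tenant:acme", "tenant:globex", "offline_access"]}}
```

Each tenant's server should apply the same check to every request it serves, since the redirect after login does not enforce anything by itself.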

