[keycloak-user] One client application, users in many organizations

Aikeaguinea aikeaguinea at xsmail.com
Wed Jul 13 15:53:28 EDT 2016


We have a client web application which accepts requests from users in
many different unrelated organizations. Two approaches I see are 1) to
create a realm per organization, or 2) create a single realm with our
application as client, and assign users to different groups based on
their organization.

If we go with approach 1, I'm not sure how we'd handle the client ID and
secret for our web app. If we had multiple realms in Keycloak, each with
one client for our web application, somehow the web application would
need to know which Keycloak client to use for which user, which sounds
complicated and maybe untenable. On the other hand, clients can't span
realms, can they?

If we go with 2, one complication is administration--e.g., bulk logout.
If all the users are in the same realm, it doesn't appear to me that
there's a way in the admin console to log out all sessions of users
belonging to one group, or to disable all users belonging to a group. Is
that right?

It also doesn't look straightforward to get from the API all the users
for a given group--you can get the groups a user is in, but I don't see
a call that does the inverse. Is there a way we could do this?

Or is there an entirely different approach I'm not thinking of?

-- 
  Aikeaguinea
  aikeaguinea at xsmail.com

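Added example, not part of the post above and not Keycloak's own code: a small Python client for the Keycloak Admin REST API that does the three things the post asks about under approach 2 (single realm, one group per organization). It uses the standard admin endpoints `GET /admin/realms/{realm}/groups/{id}/members` (the inverse lookup the post is looking for, paginated with `first`/`max`), `POST /admin/realms/{realm}/users/{id}/logout` (ends all of one user's sessions) and `PUT /admin/realms/{realm}/users/{id}` (here to set `enabled` to false). The bearer token is assumed to have already been obtained for an account with realm-management rights; the host name, realm name, token value, user ids and the `FakeKeycloak` transport are constructed so the script runs offline, and `urllib_transport` is the one to pass against a real server.

```python
"""Bulk per-organization operations against the Keycloak Admin REST API.

Added example; endpoints are Keycloak's standard admin endpoints, everything
else (host, realm, token, users, FakeKeycloak) is constructed for the demo.
"""
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

# A transport maps (method, url, bearer token, JSON body) -> (HTTP status, decoded JSON or None).
Transport = Callable[[str, str, str, Optional[Dict[str, Any]]], Tuple[int, Any]]


def urllib_transport(method: str, url: str, token: str,
                     body: Optional[Dict[str, Any]] = None) -> Tuple[int, Any]:
    """Real HTTP transport (standard library only); use this against a live server."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


class GroupAdmin:
    """Bulk operations on the members of one group, i.e. one organization/tenant."""

    def __init__(self, base_url: str, realm: str, token: str,
                 transport: Transport = urllib_transport) -> None:
        self.admin = f"{base_url.rstrip('/')}/admin/realms/{realm}"
        self.token = token
        self.transport = transport

    def group_members(self, group_id: str, page_size: int = 100) -> List[Dict[str, Any]]:
        """Users in a group (the inverse of 'groups of a user'), following pagination to the end."""
        members: List[Dict[str, Any]] = []
        first = 0
        while True:
            url = f"{self.admin}/groups/{group_id}/members?first={first}&max={page_size}"
            status, page = self.transport("GET", url, self.token, None)
            if status != 200:
                raise RuntimeError(f"listing members of {group_id} failed: HTTP {status}")
            members.extend(page)
            if len(page) < page_size:  # short page means no more results
                return members
            first += page_size

    def logout_group(self, group_id: str) -> List[str]:
        """End every session of every member of the group; returns the user ids processed."""
        done: List[str] = []
        for user in self.group_members(group_id):
            status, _ = self.transport("POST", f"{self.admin}/users/{user['id']}/logout", self.token, None)
            if status not in (200, 204):
                raise RuntimeError(f"logout of {user['id']} failed: HTTP {status}")
            done.append(user["id"])
        return done

    def disable_group(self, group_id: str) -> List[str]:
        """Set enabled=false on every member so no new tokens can be issued to them."""
        done: List[str] = []
        for user in self.group_members(group_id):
            status, _ = self.transport("PUT", f"{self.admin}/users/{user['id']}", self.token,
                                       {"enabled": False})
            if status not in (200, 204):
                raise RuntimeError(f"disabling {user['id']} failed: HTTP {status}")
            done.append(user["id"])
        return done


class FakeKeycloak:
    """Constructed in-memory stand-in for a realm: two organizations, three users, no network."""

    def __init__(self) -> None:
        self.users = {
            "u1": {"id": "u1", "username": "alice", "enabled": True, "group": "acme"},
            "u2": {"id": "u2", "username": "bob", "enabled": True, "group": "acme"},
            "u3": {"id": "u3", "username": "carol", "enabled": True, "group": "globex"},
        }
        self.sessions = {"u1": 2, "u2": 1, "u3": 1}  # active session counts per user

    def __call__(self, method: str, url: str, token: str, body: Optional[Dict[str, Any]]) -> Tuple[int, Any]:
        if token != "t0k":  # constructed admin token
            return 401, None
        if method == "GET" and "/groups/" in url:
            group = url.split("/groups/")[1].split("/")[0]
            qs = dict(p.split("=") for p in url.split("?")[1].split("&"))
            first, limit = int(qs["first"]), int(qs["max"])
            members = [dict(u) for u in self.users.values() if u["group"] == group]
            return 200, members[first:first + limit]
        if method == "POST" and url.endswith("/logout"):
            self.sessions[url.rsplit("/", 2)[1]] = 0
            return 204, None
        if method == "PUT" and "/users/" in url:
            self.users[url.rsplit("/", 1)[1]].update(body or {})
            return 204, None
        return 404, None


def demo() -> Dict[str, Any]:
    """Offline walk-through: list one organization's users, log them all out, disable them."""
    fake = FakeKeycloak()
    admin = GroupAdmin("https://sso.example.invalid/auth", "tenants", "t0k", transport=fake)
    acme = [u["username"] for u in admin.group_members("acme", page_size=1)]  # exercises pagination
    logged_out = admin.logout_group("acme")
    admin.disable_group("acme")
    return {
        "acme_members": acme,
        "logged_out": logged_out,
        "sessions": dict(fake.sessions),
        "enabled": {uid: u["enabled"] for uid, u in fake.users.items()},
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the transport is injected, the same `GroupAdmin` code runs unchanged against a live server with `urllib_transport`; the demo only swaps in `FakeKeycloak` so the pagination, logout and disable paths can be exercised without a Keycloak instance. Note that disabling users stops new tokens being issued but does not by itself revoke sessions already open, which is why the logout call is kept separate.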


