[keycloak-user] One client application, users in many organizations
sthorger at redhat.com
Thu Jul 14 03:40:54 EDT 2016
On 13 July 2016 at 21:53, Aikeaguinea <aikeaguinea at xsmail.com> wrote:
> We have a client web application which accepts requests from users in
> many different unrelated organizations. Two approaches I see are 1) to
> create a realm per organization, or 2) create a single realm with our
> application as client, and assign users to different groups based on
> their organization.
> If we go with approach 1, I'm not sure how we'd handle the client ID and
> secret for our web app. If we had multiple realms in Keycloak, each with
> one client for our web application, somehow the web application would
> need to know which Keycloak client to use for which user, which sounds
> complicated and maybe untenable. On the other hand, clients can't span
> realms, can they?
Guess that depends on how many clients you are talking about. FYI we have a
multi-tenancy example that shows how you can have multiple configs for the
> If we go with 2, one complication is administration--e.g., bulk logout.
> If all the users are in the same realm, it doesn't appear to me that
> there's a way in the admin console to logout all sessions of users
> belonging to one group, or to disable all users belonging to a group. Is
> that right?
There's no option to do that yet, but we want to add support for bulk
updates to users in the future. See
> It also doesn't look straightforward to get from the API all the users
> for a given group--you can get the groups a user is in, but I don't see
> a call that does the inverse. Is there a way we could do this?
True - we don't support search by group. You can create a JIRA request for
> Or is there an entirely different approach I'm not thinking of?
Not without a lot of customization. However, we do provide several SPIs
that allow you to customize Keycloak to accommodate your needs.
For example for option 1 you can use admin api to create clients which
would allow you to create the client in all realms.
For option 2 you could add a custom realm resource that allows logout or
disabling all users with a specific group.
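Taking the option 1 suggestion above (use the admin API to create the client in every realm) as an added example, not code from this thread or from the Keycloak project: it assumes an admin bearer token already obtained from the master realm, the admin REST paths under `/admin/realms` (real Keycloak endpoints, but not cited in the thread), and an injectable `http` transport so the provisioning logic can be exercised offline against a fake server.

```python
"""Create the same confidential client in every realm via the Keycloak admin REST API.
Assumed (not from the thread): the admin endpoints under <base_url>/admin/realms and a
bearer token for a master-realm admin; `http` is injectable so the logic runs offline."""
import json
import urllib.request


def _default_http(method, url, token, body=None):
    """Minimal JSON transport: returns (status, decoded body or None, response headers)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None), dict(resp.headers)


def client_representation(client_id, redirect_uris):
    """A confidential (secret-bearing) OIDC client restricted to the given redirect URIs."""
    return {"clientId": client_id, "enabled": True, "protocol": "openid-connect",
            "publicClient": False, "standardFlowEnabled": True, "redirectUris": list(redirect_uris)}


def provision_client_in_all_realms(base_url, token, client_id, redirect_uris,
                                   http=_default_http, skip=("master",)):
    """Ensure client_id exists in every realm; return {realm: {"id", "secret"}} so the web app
    can pick the realm a user belongs to. Idempotent: an existing client is reused, not duplicated.
    The returned secrets belong in the app's secret store, never in logs."""
    _, realms, _ = http("GET", f"{base_url}/admin/realms", token)
    per_realm = {}
    for realm in realms:
        name = realm["realm"]
        if name in skip:
            continue
        clients_url = f"{base_url}/admin/realms/{name}/clients"
        _, existing, _ = http("GET", clients_url, token)  # no clientId filter: works on old versions
        match = next((c for c in existing or [] if c.get("clientId") == client_id), None)
        if match:
            internal_id = match["id"]
        else:  # 201 Created carries the new client's internal id in the Location header
            _, _, headers = http("POST", clients_url, token, client_representation(client_id, redirect_uris))
            location = next(v for k, v in headers.items() if k.lower() == "location")
            internal_id = location.rstrip("/").rsplit("/", 1)[-1]
        _, secret, _ = http("GET", f"{clients_url}/{internal_id}/client-secret", token)
        per_realm[name] = {"id": internal_id, "secret": secret["value"]}
    return per_realm
```

The web app still has to decide which realm a given request belongs to (for example from the login hostname or an organization selector) before it can look up that realm's client credentials in the returned map.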