[keycloak-user] Picketlink -> Keycloak

Keith Dev keith.dev at pobox.com
Wed Jul 20 14:41:06 EDT 2016


I'm moving a web application with REST services from Picketlink to
Keycloak. This is a multi-tenant application (1k+ tenants) where single
user accounts can belong to multiple tenants. In Picketlink, this was
accomplished using Tiers. So there is a single realm, but one Tier per
tenant. It's not clear what the analog is in Keycloak.

We considered multiple realms, but both the number of tenants and the hard
requirement to allow a single user to cross tenants seem to make this a
nonstarter.

The best idea we have so far is to have a single realm, but create
namespaced security artifacts: e.g. Tenant1.Admins. This is not ideal as we
were hoping for more separation between tenants. I did see this
<http://lists.jboss.org/pipermail/keycloak-dev/2013-July/000116.html> which
suggests that Picketlink Tiers equate to Resources, but it's not clear how.
Certainly there does not seem to be any separation of security artifacts
within a Resource per se.

Advice?
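As an added illustration of the single-realm, namespaced-role design sketched above (example code, not from the original post or from the Keycloak project): a resource server can derive a per-tenant role map from realm roles named "Tenant.Role" and refuse any request whose tenant does not match. It assumes realm roles arrive in the access token's `realm_access.roles` claim and that the token's signature has already been verified; the claims and role names are constructed samples.

```python
"""Tenant-scoped authorization over namespaced realm roles.

Added example, not the original post's or Keycloak's own code. It assumes
the single-realm design described above: realm roles named "<Tenant>.<Role>",
delivered in the access token's "realm_access.roles" claim. Token signature
verification is assumed to have happened already; this only interprets claims.
"""
import re
from collections import defaultdict

# A role name must be exactly one tenant segment and one role segment; anything
# else (extra dots, empty parts, odd characters) is ignored rather than guessed.
ROLE_PATTERN = re.compile(r"^([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)$")


def tenant_roles(claims: dict) -> dict:
    """Map tenant -> set of roles from the namespaced realm roles in the token."""
    result = defaultdict(set)
    for name in claims.get("realm_access", {}).get("roles", []):
        match = ROLE_PATTERN.match(name)
        if match:
            tenant, role = match.groups()
            result[tenant].add(role)
    return dict(result)


def is_authorized(claims: dict, tenant: str, required_role: str) -> bool:
    """True only if the token grants required_role inside the given tenant.

    Roles held in another tenant never count, which is the isolation property
    the namespaced design is meant to provide.
    """
    return required_role in tenant_roles(claims).get(tenant, set())


# Constructed sample of decoded access-token claims (not a real token).
SAMPLE_CLAIMS = {
    "preferred_username": "alice",
    "realm_access": {
        "roles": ["Tenant1.Admins", "Tenant2.Users", "offline_access",
                  "Tenant3.Admins.Extra"],  # last one is malformed and ignored
    },
}

if __name__ == "__main__":
    print(tenant_roles(SAMPLE_CLAIMS))
    print(is_authorized(SAMPLE_CLAIMS, "Tenant1", "Admins"))  # True
    print(is_authorized(SAMPLE_CLAIMS, "Tenant2", "Admins"))  # False
```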