[keycloak-user] Multi-org salesforce with single realm keycloak

Jesse Chahal jessec at stytch.com
Wed Jun 8 20:05:11 EDT 2016


Hi,

I'm back again. I'm trying to figure out how to scale Identity Providers.
We are planning on trying to integrate our App1 with salesforce. A
user who logs into salesforce should be able to have a native feel of
our App1 within it. To do this we'll probably have to end up building
salesforce native apps. For every salesforce organization/licensee we
will have to register an Identity provider with keycloak to make sure
they can correctly use App1. Some configuration options we came up
with are listed below. Has anyone else solved a similar problem?

OPTION 1
##############################################################
# Keycloak                                                   #
# ---> master realm                                          #
# ---> realm 1                                               #
# --- ---> app1_client (open ID)                             #
# --- ---> salesforce_org1_saml2.0_identity_provider         #
# --- ---> salesforce_org2_saml2.0_identity_provider         #
#                                                            #
# Salesforce                                                 #
# ---> org1                                                  #
# ---- ----> salesforce_appX (uses App1)                     #
# ---> org 2                                                 #
# ---- ----> salesforce_appX (uses App1)                     #
# ---- ----> salesforce_appY (uses App1)                     #
# .....                                                      #
#                                                            #
# App 1                                                      #
# ---> OpenID to realm1 (using adapter)                      #
##############################################################
benefits
- single login page
- single realm
cons
- login page with infinite number of identity provider buttons present


OPTION 2
##############################################################
# Keycloak                                                   #
# ---> master realm                                          #
# ---> realm 1                                               #
# --- ---> app1_client (open ID)                             #
# --- ---> salesforce_org1_saml2.0_identity_provider         #
# ---> realm 2                                               #
# --- ---> app1_client (open ID)                             #
# --- ---> salesforce_org2_saml2.0_identity_provider         #
#                                                            #
# Salesforce                                                 #
# ---> org1                                                  #
# ---- ----> salesforce_appX (uses App1)                     #
# ---> org 2                                                 #
# ---- ----> salesforce_appX (uses App1)                     #
# ---- ----> salesforce_appY (uses App1)                     #
# .....                                                      #
#                                                            #
# App 1                                                      #
# ---> OpenID to realm1, realm2, realm#.... (using adapter)  #
##############################################################
benefits
- single salesforce button per login page
- users are more isolated in single realm
cons
- very hard to get App1 to support multiple realms (no adapter or
keycloak support)

