[keycloak-user] Maintain 300 realms challenge

Kevin Berendsen kevin.berendsen at pharmapartners.nl
Fri Apr 28 04:54:11 EDT 2017


Hi community!

I've got a very interesting challenge and I'd like some of your opinions.

We've got to maintain countless separate LDAPs with identical schemas and configurations. The problem is, the users may have identical usernames in the separate LDAP instances so fusing every LDAP into one is not an option at the moment. Maybe in the future but not now.

So I came up with a couple of solutions:

1) Each LDAP will have its own realm so all the LDAPs stay isolated from each other. Each realm will have identical clients and general configuration. To lower maintenance time, the idea is to develop a tool on the Keycloak Admin Client API to be able to make bulk updates on ALL the realms. As it's quite hard to track which realm has which change/update, I came up with the idea to create a single Realm that will act as a template and, every time I update the Realm by adding a new Client for example, it'd perform the very same action on ALL other realms.

Pros: You can manage all realms as one and every LDAP stays isolated.
Cons: Huge load on Keycloak (I think) and it takes quite some time to develop the tool.

2) Create a single realm, have countless User Federations and the username will have a prefix (the id of the User Federation). Then again, a tool will be developed to easily maintain the User Federations.

Pros: Single realm to maintain
Cons: I don't like the thought of having countless User Federations, but I think that might be a misplaced feeling.


So what do you guys think? :)

For those who reply, thanks in advance; your efforts will be appreciated!

Kind regards,

Fanatic Keycloak User
Kevin 
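One way to build the template-realm propagation tool sketched in option 1, as an added example that is not code from the original post or from the Keycloak project: it reads the clients of a template realm through the Keycloak Admin REST API and creates the missing ones in every other realm, matched by clientId. It assumes the pre-Keycloak 17 URL layout (the /auth prefix), an admin user in the master realm obtained via the built-in admin-cli password grant, and that realm-specific fields (internal id, client secret) must not be copied, so each realm keeps its own secret.

```python
# Added example (not from the original thread): propagate the clients of a
# "template" realm to every other realm through the Keycloak Admin REST API.
# Assumptions: Keycloak < 17 URL layout (/auth prefix), admin user in master.
import json
import urllib.parse
import urllib.request

# Realm-specific values that must NOT be copied: the internal id differs per
# realm, and each realm should hold its own client secret, not the template's.
DROP_FIELDS = {"id", "secret", "registrationAccessToken"}


def admin_token(base_url, username, password):
    """Obtain an admin access token via the password grant on the master realm."""
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password}).encode()
    req = urllib.request.Request(
        f"{base_url}/auth/realms/master/protocol/openid-connect/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def api(base_url, token, method, path, payload=None):
    """Minimal JSON call under /auth/admin/realms; returns the decoded body or None."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(
        f"{base_url}/auth/admin/realms{path}", data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def plan_client_sync(template_clients, target_clients):
    """Pure diff: template clients whose clientId is absent in the target realm,
    stripped of realm-specific fields. Idempotent: re-running yields an empty plan."""
    present = {c["clientId"] for c in target_clients}
    return [{k: v for k, v in c.items() if k not in DROP_FIELDS}
            for c in template_clients if c["clientId"] not in present]


def sync_clients(base_url, token, template_realm, skip=("master",)):
    """Create missing clients in every realm except the template and skipped ones.
    Returns {realm: [clientIds created]} so the run can be audited."""
    template = api(base_url, token, "GET", f"/{template_realm}/clients")
    created = {}
    for realm in api(base_url, token, "GET", ""):  # GET /admin/realms
        name = realm["realm"]
        if name == template_realm or name in skip:
            continue
        plan = plan_client_sync(template, api(base_url, token, "GET", f"/{name}/clients"))
        for rep in plan:
            api(base_url, token, "POST", f"/{name}/clients", rep)
        created[name] = [c["clientId"] for c in plan]
    return created
```

Because the diff is keyed on clientId and skips what already exists, the tool can be re-run after every template change without duplicating clients; extending it to update existing clients would mean a PUT on each matched client's id, which this example deliberately leaves out.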
