[keycloak-user] Delegated User Self-Administration

[Michael Poettgen]

Has anyone done delegated user administration with larger numbers of organizations?

Thanks,
Michael

From: Michael Poettgen
Sent: Monday, August 7, 2017 5:14 PM
To: 'keycloak-user at lists.jboss.org'
Subject: Delegated User Self-Administration

Hello Everyone,

I've got questions on how to properly do delegated user self-administration with Keycloak.

Some background information:

*         We are working with hundreds or even thousands of organizations for which we want to manage access to our applications.

*         Some of these organizations are our internal divisions for which we have active directories. Users from these organizations can be integrated through "User Storage Federation" and they will continue to be maintained in the respective directories.

*         Some of these organizations are part of larger organizations which have proper identity providers. Users from these organizations can be integrated through "Identity Brokering" and they will continue to be maintained in the respective identity providers.

*         For the remaining external organizations (and there are a lot of them) we would have to maintain user accounts ourselves and we would like to delegate that maintenance work to a designated user self-administrator within the external organization.

*         A user self-administrator should be able to view, create, lock and unlock user accounts within the same organization.

*         Optionally a user self-administrator should be able to grant or revoke access to particular (sets of) applications for the users he is allowed to administer.

I do understand that this could probably be achieved through separate realms and "Dedicated Realm Admin Consoles", but as far as I understand these realms would be entirely separate. This would mean that we would have to set up clients hundreds of times for each of the organizations. We would have to figure out how to direct each user to the proper realm for authentication and each organization would have its own login page.


*         Does Keycloak have something like the notion of "sub-realms" where a user can authenticate against a realm, if there is a corresponding user account in the realm itself or in one of the sub-realms?

*         It is probably possible to use the "User Storage SPI" to write a custom User Storage Federation Provider, but does that make sense? Would it perform well?

*         Another option would probably be to write a custom User Self-Administration application using the "Admin REST API". (Unfortunately there is not even an API to retrieve users filtered by anything other than base properties, so the application could end up retrieving thousands of user accounts to find five accounts belonging to a particular organization.)

*         The third option would be to customize Keycloak itself, but we are no Java experts, so is this advisable?

*         Has anyone implemented a scenario like this with Keycloak?

*         Does anyone know whether there are any plans to extend Keycloak to better support a scenario like this?

Thanks,
Michael




This message is for the designated recipient only and may contain privileged or confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.