[keycloak-user] SSO for two groups of web applications?

Dmitry Telegin dt at acutus.pro
Thu Aug 16 18:47:16 EDT 2018


Hi Weijun,

And what if the user first signs in to a 1st group app, and then to a 2nd group app? Should the user be able to access both groups now?

If so, it seems like you want two separate SSO realms for your application groups, but with shared user data?

Let's rephrase it; imagine that in your Keycloak:
- there are two different realms, realmA and realmB;
- apps from the 1st group are configured as clients of realmA;
- the same for the 2nd group and realmB;
- users in both realms are the same;
would that solve your problem?

So it seems like you need some kind of proxy/slave/shadow realm that
would have its own client definitions, but would proxy to another realm
for user data. I think this is not available OOTB, but could be
implemented as a Keycloak extension using the Realm SPI; however, the
implementation can be really tricky.

Another way to go is to set up ad-hoc partial replication between the realms. This is not available OOTB either; however, the implementation should be much simpler (at the price of data duplication, of course).

The good news is that you're not alone with this; see Tuesday's posting from Gregor Tudan, where the problem statement is almost the same (modulo the kind of data to be replicated, users vs. clients). I'll reply to that post a bit later, so stay tuned.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-08-16 at 15:20 -0400, Weijun Gao wrote:
> Hi,
> 
> Is it possible to authenticate users using *one* Keycloak server for
> *two* groups of web applications? For example, if a user signs in to a web
> app in the 1st group, the user can access all the apps in the 1st group
> but none in the 2nd group, and vice versa. If it's possible, how? Or is
> there any documentation?
> 
> Thanks and regards,
> 
> Weijun