[keycloak-user] SSO for two groups of web applications?

Weijun Gao wgao at utsc.utoronto.ca
Fri Aug 17 08:55:44 EDT 2018


Thank you Dmitry and Graham!

Using separate SSO realms is good enough for my need. I'll check more 
about your posts and setting up replication, Dmitry.

Regards,

Weijun


On 8/16/2018 6:47 PM, Dmitry Telegin wrote:
> Hi Weijun,
>
> And what if the user first signs in to a 1st-group app, and then to a 2nd-group one? Should the user be able to access both groups now?
>
> If so: seems like you want two separate SSO realms for your application groups, but with the shared user data?
>
> Let's rephrase it; imagine that in your Keycloak:
> - there are two different realms, realmA and realmB;
> - apps from the 1st groups are configured as clients of realmA;
> - the same for the 2nd group and realmB;
> - users in both realms are the same;
> would that solve your problem?
>
> So it seems like you need some kind of proxy/slave/shadow realm, that
> would have its own client definitions, but will proxy to another realm
> for user data. I think this is not available OOTB, but could be
> implemented as a Keycloak extension using Realm SPI, however
> implementation can be really tricky.
>
> Another way to go is to set up ad-hoc partial replication between the realms. This is not available OOTB either; however, the implementation should be much simpler (at the price of data duplication, of course).
>
> Good news is that you're not alone with this; see Tuesday's posting from Gregor Tudan, the problem statement is almost the same (modulo the kind of data to be replicated, users vs. clients). I'll reply to that post a bit later, so stay tuned.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Thu, 2018-08-16 at 15:20 -0400, Weijun Gao wrote:
>> Hi,
>>
>> Is it possible to authenticate users using *one* Keycloak server for
>> *two* groups of web applications? For example, if a user signs in to a web
>> app in the 1st group, the user can access all the apps in the 1st group
>> but none in the 2nd group, and vice versa. If it's possible, how? Or any
>> documentation?
>>
>> Thanks and regards,
>>
>> Weijun
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
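The two-realm layout Dmitry sketches (realmA and realmB, each with its own clients, the same users replicated into both), as an added example that is not part of the thread: it builds one realm-import document per application group from a shared user list and shows the check that keeps the groups apart, namely that a resource server in one group must reject tokens issued by the other realm. Client ids, redirect URIs, the user and the base URL are constructed; the representation keys are the standard Keycloak realm import format, but confirm them against your Keycloak version.

```python
"""Build Keycloak realm-import documents for two application groups from one shared user list."""
import json

BASE_URL = "https://sso.example.org/auth"  # assumed Keycloak base URL (2018-era /auth prefix)

# Shared user data, copied into both realms (Dmitry's "ad-hoc partial replication").
SHARED_USERS = [  # constructed sample user
    {"username": "alice", "enabled": True, "email": "alice@example.org"},
]

# Each application group becomes its own realm with its own clients (constructed ids).
GROUPS = {
    "realmA": ["app-a1", "app-a2"],
    "realmB": ["app-b1"],
}


def client_repr(client_id: str) -> dict:
    """Minimal public OIDC client; redirect URI pinned to the app's own host."""
    return {
        "clientId": client_id,
        "enabled": True,
        "publicClient": True,
        "standardFlowEnabled": True,
        "redirectUris": [f"https://{client_id}.example.org/*"],
    }


def realm_repr(realm: str, client_ids: list) -> dict:
    """Realm representation: own clients, a private copy of the shared users."""
    return {"realm": realm, "enabled": True,
            "clients": [client_repr(c) for c in client_ids],
            "users": [dict(u) for u in SHARED_USERS]}


def build_realms(groups=GROUPS) -> dict:
    return {name: realm_repr(name, ids) for name, ids in groups.items()}


def issuer(realm: str) -> str:
    """Each realm is a distinct issuer with its own signing key and SSO session."""
    return f"{BASE_URL}/realms/{realm}"


def token_accepted(claims: dict, realm: str) -> bool:
    """Resource servers of a group verify the signature against their realm's key
    and additionally require `iss` to be that realm; a realmA token is thus
    rejected by realmB apps even though the user exists in both realms."""
    return claims.get("iss") == issuer(realm)


if __name__ == "__main__":
    for name, rep in build_realms().items():
        with open(f"{name}-import.json", "w") as fh:
            json.dump(rep, fh, indent=2)
```

The generated files can be imported per realm through the admin console or `kcadm.sh create realms -f <file>`.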



More information about the keycloak-user mailing list