[keycloak-user] R: Need to log in to all realms with unique admin users

Mattia Bello Mattia.Bello at horsa.it
Mon Oct 29 05:56:38 EDT 2018


Dmitry,

the solution is acceptable.

However, the documentation does not explain how to configure each non-master realm to do broker with master realm. 

Please, could you help me with the steps to be taken:

1. Which identity provider should I choose? OpenID Connect or Keycloak OpenID Connect?
2. How do I configure it? 
3. Where do I get information? (Authorization URL, token URL, ..)

Thank you.

Mattia Bello
Developer


Horsa S.p.A.
Via Cadorna, 67
Vimodrone (MI)
Mobile  (+39) 340 36 07 937
www.horsa.it
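A worked example, added here and not part of the thread or of the Keycloak project, of the two pieces that Dmitry's suggestion needs for one non-master realm: a confidential client in the master realm and a "Keycloak OpenID Connect" identity provider (providerId keycloak-oidc, the natural choice when the other side is also Keycloak) in the target realm. It assumes a server rooted at https://sso.example.com/auth (the /auth prefix of the 4.x-era layout), a target realm named realm1, the provider alias "master" and the client id "realm1-broker"; all of these are illustrative. The endpoint URLs follow Keycloak's fixed OpenID Connect layout for a realm (the same values are published at {base}/realms/master/.well-known/openid-configuration), and the two dictionaries are the JSON bodies the admin REST API accepts at POST {base}/admin/realms/master/clients and POST {base}/admin/realms/realm1/identity-provider/instances, or the same fields typed into the admin console.

```python
import json

# Added example, not code from the thread or from Keycloak. BASE_URL, the
# realm name "realm1", the alias "master" and the client id "realm1-broker"
# are illustrative assumptions.
BASE_URL = "https://sso.example.com/auth"


def oidc_endpoints(base_url: str, realm: str) -> dict:
    """Keycloak's fixed OpenID Connect endpoint layout for one realm.

    These are the fields the 'Keycloak OpenID Connect' provider form asks
    for (Authorization URL, Token URL, ...).
    """
    root = f"{base_url.rstrip('/')}/realms/{realm}"
    proto = f"{root}/protocol/openid-connect"
    return {
        "issuer": root,
        "authorizationUrl": f"{proto}/auth",
        "tokenUrl": f"{proto}/token",
        "userInfoUrl": f"{proto}/userinfo",
        "logoutUrl": f"{proto}/logout",
        "jwksUrl": f"{proto}/certs",
    }


def broker_redirect_uri(base_url: str, realm: str, alias: str) -> str:
    """Callback in the target realm that receives the master realm's code."""
    return f"{base_url.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"


def master_client_representation(base_url: str, target_realm: str,
                                 alias: str, client_id: str) -> dict:
    """Client to create in the *master* realm (the identity-provider side).

    Confidential client, standard (code) flow only, and exactly one redirect
    URI: a wildcard here would let any page under the server collect the
    master realm's authorization codes.
    """
    return {
        "clientId": client_id,
        "protocol": "openid-connect",
        "enabled": True,
        "publicClient": False,
        "standardFlowEnabled": True,
        "implicitFlowEnabled": False,
        "directAccessGrantsEnabled": False,
        "redirectUris": [broker_redirect_uri(base_url, target_realm, alias)],
    }


def identity_provider_representation(base_url: str, alias: str,
                                     client_id: str, client_secret: str) -> dict:
    """Identity provider to create in each non-master realm.

    providerId "keycloak-oidc" is the 'Keycloak OpenID Connect' entry in the
    console; it is the generic "oidc" provider plus Keycloak-specific extras
    such as backchannel logout from the other realm. Config values are
    strings because that is how Keycloak stores provider config.
    """
    ep = oidc_endpoints(base_url, "master")
    return {
        "alias": alias,
        "displayName": "Master realm login",
        "providerId": "keycloak-oidc",
        "enabled": True,
        "trustEmail": False,
        "storeToken": False,
        "config": {
            "clientId": client_id,
            "clientSecret": client_secret,
            "clientAuthMethod": "client_secret_post",
            "issuer": ep["issuer"],
            "authorizationUrl": ep["authorizationUrl"],
            "tokenUrl": ep["tokenUrl"],
            "userInfoUrl": ep["userInfoUrl"],
            "logoutUrl": ep["logoutUrl"],
            "defaultScope": "openid",
            # Never accept an unverified token from the broker side.
            "validateSignature": "true",
            "useJwksUrl": "true",
            "jwksUrl": ep["jwksUrl"],
        },
    }


if __name__ == "__main__":
    # Secret is a placeholder; in practice copy it from the master client's
    # Credentials tab after creating the client.
    client = master_client_representation(BASE_URL, "realm1", "master", "realm1-broker")
    idp = identity_provider_representation(BASE_URL, "master", "realm1-broker", "<secret>")
    print("POST", f"{BASE_URL}/admin/realms/master/clients")
    print(json.dumps(client, indent=2))
    print("POST", f"{BASE_URL}/admin/realms/realm1/identity-provider/instances")
    print(json.dumps(idp, indent=2))
```

Two things worth knowing before adopting this: every user of the master realm, not only admins, can then log in to realm1 through the new button, so the master realm's user base becomes realm1's login population; and on first login Keycloak's first-broker-login flow creates a local user in realm1 linked to the master identity, so the user still exists in realm1, it is simply not maintained by hand.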

________________________________________
From: Dmitry Telegin [dt at acutus.pro]
Sent: Friday, 26 October 2018 3:29
To: Mattia Bello; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Need to log in to all realms with unique admin users

Mattia,

Thanks for your explanation, the problem is clear now.

I think you can solve it with the help of identity brokering [1]. For each non-master realm, you will have to configure brokering to master. After that, a badge will appear on the login screen, and after clicking it your users will be able to authenticate with their master realm credentials.

If you're ok with this additional step, this could be an easy solution.

[1] https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker

Dmitry

On Thu, 2018-10-25 at 21:01 +0000, Mattia Bello wrote:
> Sorry,
> I probably did not explain well.
> I have a client application that is accessible from all realms.
> I would like to be able, with a master realm user, to access the client application of each realm without creating users on each realm.
> I tried this, but when I log in to the client application with the user created in the master realm, the login fails because it says that the user does not exist.
> The documentation explains that the users created in the master realm are used to manage the realms as admins, so you can create new realms, users and groups within the various realms, but it is not specified that with this user you can access a client application defined in a realm.
> Is it possible to access the clients of the various realms with master realm users, without duplicating them in every realm, or not?
> Thank you
>
>
> On Thu, Oct 25, 2018 at 10:07 PM +0200, "Dmitry Telegin" <dt at acutus.pro> wrote:
>
> > Hello Mattia, answers inline,
> >
> > On Thu, 2018-10-25 at 13:34 +0000, Mattia Bello wrote:
> > > We have this situation:
> > > 
> > > master realm -> used to manage other realms
> > > 
> > > realm1, realm2, realm3, .. -> are retailers and contain companies
> > > 
> > > for each realm we have group1, group2, group3, .. -> are companies and contain a group of users
> > > 
> > > we have to see all the retailers (realms), the companies (groups) and the users
> > > 
> > > How can I do it?
> > > 
> > > Can I create a master realm user and use it to access all the other realms?
> >
> > Yes you can. In fact, there is already such a user - it's the admin that
> > you created on the first run. If you want more users with such
> > access in the master realm, grant them the "admin" realm role. If you look into
> > the "admin" role details, you'll see that it automatically includes all the
> > client roles of the *-realm clients; that's how it works under the hood.
> >
> > If you don't want to grant that powerful admin role, go to user -> Role
> > mappings and assign the necessary client roles from the *-realm
> > clients. The user will get access to the admin functions for that realm(s).
> >
> > > 
> > > Or do I have to replicate the admin user in the master realm into all the other realms to use it to log in to that realm?
> >
> > This is possible too. Create a user in the target realm, go to Role
> > mappings and assign the necessary roles from the realm-management
> > client.
> >
> > Good luck,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > > 
> > > Thank to all
> > > 
> > > 
> > > 
> > > Mattia Bello
> > > Developer
> > > 
> > > Horsa S.p.A.
> > > Via Cadorna, 67
> > > Vimodrone (MI)
> > > Mobile  (+39) 340 36 07 937
> > > www.horsa.it
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >