[keycloak-user] Advice on setting up realms

[Chris Boot]

Hi folks,

I’ve been looking for an IdP solution for my employer for months and
have felt like I’ve been going round and round in circles, until I
finally gave Keycloak another try. It’s like a breath of fresh air! So
thanks folks.

Our Keycloak instance will be used to protect about a dozen
applications, things like our wiki, monitoring control panel, and so on.
We’ll have two different types of users who will need to use the IdP and
login to these applications: staff and partners.

Staff will need to login using LDAP federation and will be required to
use TOTP. They should not be able to use social providers to log in.
Staff will use their email address to login and all will use a single
RHS domain for their email addresses.

Partners will not have LDAP accounts, and should be able to opt-in to
use TOTP. They should ideally also be able to link social accounts (e.g.
Google or GitHub) to their existing records. Anyone not using our
corporate email domain, but who has an account, should be considered a
partner.

Some of our applications can only be configured with a single OIDC or
SAML provider, so Keycloak would need to handle both types of accounts
(e.g. staff / partner) from a single login interface.

I therefore have a few questions about how I might achieve such a setup:

- Can I make these two types of user coexist in a single realm, or do I
need to split it up?

- How can I enforce policies such as requiring TOTP for our staff?

- Can I prevent users from changing their email address and name in the
account console while still permitting password and authenticator changes?

Thanks in advance for any suggestions.

Cheers,
Chris

-- 
Chris Boot
bootc at boo.tc