[keycloak-user] Advice on setting up realms

Chris Boot lists at bootc.boo.tc
Mon Mar 25 09:16:04 EDT 2019


Hi Olivier, Sebastien,

First of all sorry for the late response, your replies never made it to
me despite me being subscribed to the list. I only found them when
perusing the online archives.

Could you please CC me on replies?

On 21/03/2019 16:14, sblanc at redhat.com (Sebastien Blanc) wrote:
> On Thu, Mar 21, 2019 at 4:58 PM Olivier Rivat <orivat at janua.fr> wrote:
[snip]
>> 1) >  Can I make these two types of user coexist in a single realm, or
>> do I need to split it up?
>>
>> -Authentication is on a per realm basis
>> For authentication you configure a corresponding authentication flow, by
>> default for the entire realm.
>>
>> With 4.X and 5.0, you can override the default authentication flow
>> for specific client applications
>>
>> If you want 2 different ways to authenticate (staff with 2FA,
>> username/password + TOTP ), and external with 1FA (username/password)
>> best is to have two different realms, with one realm for staff and another
>> for external people
>>
> Unless staff and partner do not access the same clients, in this case you
> can override the auth flow as Olivier said before

Most of our apps will need logins from both types of user; a minority
will only accept logins from staff. Overriding the auth flow per client
doesn't seem like it will work for us. It looks like two realms is the
way to do this, then, which should be fine.

Now, bearing in mind that some of our applications can only authenticate
against one provider at a time, would you recommend having the
"partners" realm broker to the "staff" realm? Or would it be better to
have a third realm used only for such applications which then brokers to
both the "partners" and "staff" realms?

>> 3) > Can I prevent users from changing their email address and name in
>> the account console while still permitting password and authenticator
>> changes?
>> At first glance, there seems no specific tuning for this, unless writing
>> a specific custom plugin.
>> In the "required Actions" of your auth flow, "Update Profile" is enabled
>> by default, if you disable it they won't be able to change their profile
>> but still able to configure OTP and change their password.

I'll have to try this, thanks. Failing that, Stan's suggestions of
hacking the HTML in the account theme might be good enough for our purposes.

Thanks,
Chris

-- 
Chris Boot
bootc at boo.tc
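The thread above touches three admin operations: creating separate "staff" and "partners" realms, brokering one realm to another (so apps that can only talk to one provider still get both populations), overriding the browser flow for a single client, and disabling the "Update Profile" required action. The script below is an added example written for this page; it is not code from the thread or from the Keycloak project. It uses only the Keycloak admin REST API paths and representation fields that exist in 4.x/5.0 (`/auth` base path, `keycloak-oidc` identity provider, `authenticationFlowBindingOverrides`, required-action alias `UPDATE_PROFILE`); the server URL, admin credentials, client id and client secret are placeholder assumptions, and the broker client is assumed to already exist as a confidential client in the target realm.

```python
"""Two-realm staff/partners setup via the Keycloak admin REST API (example)."""
import json
import urllib.parse
import urllib.request

# Assumption: Keycloak 4.x/5.0 serves everything under /auth on localhost.
KEYCLOAK = "http://localhost:8080/auth"


def oidc_endpoints(base_url: str, realm: str) -> dict:
    """Standard OpenID Connect endpoints every Keycloak realm exposes."""
    root = f"{base_url}/realms/{realm}"
    return {
        "issuer": root,
        "authorizationUrl": f"{root}/protocol/openid-connect/auth",
        "tokenUrl": f"{root}/protocol/openid-connect/token",
        "userInfoUrl": f"{root}/protocol/openid-connect/userinfo",
        "logoutUrl": f"{root}/protocol/openid-connect/logout",
        "jwksUrl": f"{root}/protocol/openid-connect/certs",
    }


def broker_representation(alias: str, target_base_url: str, target_realm: str,
                          client_id: str, client_secret: str) -> dict:
    """IdentityProviderRepresentation that makes the calling realm broker
    logins to `target_realm` through the built-in keycloak-oidc provider.
    Signature validation against the target realm's JWKS stays enabled."""
    cfg = oidc_endpoints(target_base_url, target_realm)
    cfg.update({"clientId": client_id, "clientSecret": client_secret,
                "defaultScope": "openid", "validateSignature": "true",
                "useJwksUrl": "true"})
    return {"alias": alias, "providerId": "keycloak-oidc", "enabled": True,
            "trustEmail": False, "storeToken": False, "config": cfg}


class KeycloakAdmin:
    """Minimal admin client: password grant against admin-cli, then JSON calls."""

    def __init__(self, base_url: str, username: str, password: str):
        self.base_url = base_url
        body = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                       "username": username, "password": password}).encode()
        req = urllib.request.Request(f"{base_url}/realms/master/protocol/openid-connect/token", data=body)
        with urllib.request.urlopen(req) as resp:
            self.token = json.load(resp)["access_token"]

    def call(self, method: str, path: str, payload=None):
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(f"{self.base_url}/admin{path}", data=data, method=method,
                                     headers={"Authorization": f"Bearer {self.token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None

    def create_realm(self, name: str):
        return self.call("POST", "/realms", {"realm": name, "enabled": True})

    def add_broker(self, realm: str, rep: dict):
        return self.call("POST", f"/realms/{realm}/identity-provider/instances", rep)

    def override_browser_flow(self, realm: str, client_uuid: str, flow_id: str):
        # Per-client flow override (the 4.x/5.0 feature Olivier refers to):
        # GET the full client representation, set the binding, PUT it back.
        client = self.call("GET", f"/realms/{realm}/clients/{client_uuid}")
        client.setdefault("authenticationFlowBindingOverrides", {})["browser"] = flow_id
        return self.call("PUT", f"/realms/{realm}/clients/{client_uuid}", client)

    def set_required_action(self, realm: str, alias: str, enabled: bool):
        # Disabling UPDATE_PROFILE removes the profile edit while leaving
        # password and OTP configuration available, as Sebastien describes.
        path = f"/realms/{realm}/authentication/required-actions/{alias}"
        rep = self.call("GET", path)
        rep["enabled"] = enabled
        return self.call("PUT", path, rep)


if __name__ == "__main__":
    admin = KeycloakAdmin(KEYCLOAK, "admin", "CHANGE-ME")  # placeholder credentials
    for realm in ("staff", "partners"):
        admin.create_realm(realm)
    # "partners" brokers to "staff"; the client id/secret are placeholders for
    # a confidential client you create in the staff realm beforehand.
    admin.add_broker("partners", broker_representation(
        "staff", KEYCLOAK, "staff", "partners-broker", "CHANGE-ME-SECRET"))
    admin.set_required_action("partners", "UPDATE_PROFILE", False)
```

Run it once against a fresh server; the per-client override method is there for the minority of staff-only applications, and takes the UUID of the client and the id of a browser flow that requires OTP.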
