[keycloak-user] Keycloak Multi-Tenancy question

Litom Segal litoms at liveperson.com
Wed Sep 25 01:46:33 EDT 2019


Many thanks for the update. Are there any other best practices to handle
the multi-tenancy use case, maybe a different solution than having one realm
per customer? I could not find any documentation/blogs on the B2B->2c use case.
On Tue, Sep 24, 2019 at 4:57 PM Matteo Restelli <mrestelli at cuebiq.com>
wrote:

> Yeah, thank you Marek.
> For our use case we're using two tenants and we're already using the
> adapter, implementing the KeycloakConfigResolver interface.
> Our problem was when we've tried to use one tenant per client and when
> we've reached the 150 realms, during our tests.  After that, we decided to
> keep one realm for internal users and only one realm for customers.
>
> Thank you
> Matteo
>
> On Tue, Sep 24, 2019 at 3:48 PM Marek Posolda <mposolda at redhat.com> wrote:
>
>> On 24. 09. 19 15:15, Matteo Restelli wrote:
>>
>> For your interest.
>> We've evaluated internally the usage of many realms for customers and
>> we've encountered many issues, both on the frontend application (admin
>> console loading was really slow with 150-200 realms) and on the backend (in
>> the code there are places where it iterates between realms, loading a lot
>> of stuff). The cache helps, but I think that, for supporting multirealms,
>> there should be some refactoring / redesign of some components.
>> In addition, I think that some features like the sharing of a client
>> between realms (think of many tenants accessing the same single page
>> application, with the same client) need to be added.
>>
>> BTW. Not sure it helps with your use-case, but we have some multitenancy
>> on the adapter side too:
>> https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
>>
>> Marek
>>
>> The segregation of realms is a really cool feature, but could cause
>> problems in a multi realm scenario (maybe introducing, also, some
>> hierarchical relationships between realms could be useful).
>>
>> Have a nice day,
>> Matteo
>>
>> On Tue, Sep 24, 2019 at 2:45 PM Marek Posolda <mposolda at redhat.com>
>> wrote:
>>
>>> Hi,
>>>
>>> there is no change in this area. A big number of realms can still be an
>>> issue. We plan some refactoring of the storage layer in the near future (1-2
>>> years as a very rough estimate) and that should help to address the
>>> multitenancy use-case among other things.
>>>
>>> Marek
>>>
>>> On 23. 09. 19 9:14, Litom Segal wrote:
>>> > We are considering using Keycloak in a multi-tenant fashion.
>>> > Each of our customers' accounts has its own users and applications
>>> > installed, and we also provide service APIs consumed by various
>>> > clients.
>>> > We will have a large number of tenants.
>>> > I found an open issue from 2017 that mentions that Keycloak may have
>>> > some scalability issues with a large number of realms.
>>> > https://issues.jboss.org/browse/KEYCLOAK-4593
>>> >
>>> > And also this thread from 2016,
>>> > https://lists.jboss.org/pipermail/keycloak-user/2016-October/008033.html,
>>> > that states that "Keycloak was not designed to support multi-tenancy
>>> > directly."..."In that regards we have never tested with high amounts of
>>> > realms as we expect there to be few realms (up to 10 most likely)."
>>> >
>>> > I was wondering if there was any progress on the multi-tenancy use case,
>>> > and are there any best practices on how to set up Keycloak to support it.
>>> >
>>> > On the other hand, is there any other approach to handle our use case?
>>> > Thanks,
>>> > Litom
>>> >
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>


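The adapter-side multi-tenancy that Marek links to and that Matteo describes ("implementing the KeycloakConfigResolver interface") works by choosing a different adapter configuration, and so a different realm, for each incoming request. The following is an added example for this thread, not code from any of the participants or from the Keycloak documentation. It resolves the tenant from the request's Host header against an allow-list, caches the built deployments, and refuses to fall back to another tenant's realm when the host is unknown. The tenant names, hostnames and the `/<tenant>-keycloak.json` classpath layout are constructed for the example; the `KeycloakConfigResolver`, `KeycloakDeployment`, `KeycloakDeploymentBuilder` and `HttpFacade.Request` types are the adapter's own. That the adapter rejects a request whose resolved deployment is not configured (rather than letting it through) is an assumption about the servlet filter and should be checked against the adapter version in use.

```java
import java.io.InputStream;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;

/**
 * Picks the per-tenant adapter configuration from the request's Host header.
 *
 * Security point: the Host header is attacker-controlled input. It is used only
 * as a key into a fixed allow-list, never to build a file name or realm name
 * directly, and an unknown host never silently resolves to some default realm
 * (that would let tokens issued for one tenant be accepted by another).
 */
public class HostBasedKeycloakConfigResolver implements KeycloakConfigResolver {

    // Allow-list of tenant hostnames. Constructed sample values for this example.
    private static final Map<String, String> HOST_TO_TENANT = Map.of(
            "tenant-a.example.com", "tenant-a",
            "tenant-b.example.com", "tenant-b");

    // A deployment with no realm or client set; assumed to be treated as
    // "not configured" by the adapter, which then rejects the request.
    private static final KeycloakDeployment UNCONFIGURED = new KeycloakDeployment();

    // KeycloakDeploymentBuilder.build parses the JSON (and may contact the realm
    // for keys), so each tenant's deployment is built once and then cached.
    private final Map<String, KeycloakDeployment> cache = new ConcurrentHashMap<>();

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        String tenant = HOST_TO_TENANT.get(normalizeHost(request.getHeader("Host")));
        if (tenant == null) {
            // Fail closed: no tenant for this host, so no realm to validate against.
            return UNCONFIGURED;
        }
        return cache.computeIfAbsent(tenant, this::loadDeployment);
    }

    /** Lower-cases the host and strips any ":port" suffix, including for "[ipv6]:port". */
    static String normalizeHost(String hostHeader) {
        if (hostHeader == null) {
            return "";
        }
        String host = hostHeader.trim().toLowerCase(Locale.ROOT);
        if (host.startsWith("[")) {                 // bracketed IPv6 literal
            int end = host.indexOf(']');
            return end >= 0 ? host.substring(0, end + 1) : host;
        }
        int colon = host.indexOf(':');
        return colon >= 0 ? host.substring(0, colon) : host;
    }

    /** Loads /<tenant>-keycloak.json from the classpath (assumed layout for this example). */
    private KeycloakDeployment loadDeployment(String tenant) {
        InputStream is = getClass().getResourceAsStream("/" + tenant + "-keycloak.json");
        if (is == null) {
            // Misconfiguration on our side; surface it rather than serve an empty deployment.
            throw new IllegalStateException("missing adapter config for tenant " + tenant);
        }
        return KeycloakDeploymentBuilder.build(is);
    }
}
```

Each `<tenant>-keycloak.json` carries that tenant's `realm`, `auth-server-url` and client settings, so a token is only ever validated against the issuer of the realm that the allow-list maps the host to. Because the cache is keyed by the allow-listed tenant name and not by the raw header, a client cannot grow the cache or the set of loaded configurations by sending arbitrary Host values.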
