<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 13 July 2016 at 21:53, Aikeaguinea <span dir="ltr"><<a href="mailto:aikeaguinea@xsmail.com" target="_blank">aikeaguinea@xsmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">We have a client web application which accepts requests from users in<br>
many different unrelated organizations. Two approaches I see are 1) to<br>
create a realm per organization, or 2) create a single realm with our<br>
application as client, and assign users to different groups based on<br>
their organization.<br>
<br>
If we go with approach 1, I'm not sure how we'd handle the client ID and<br>
secret for our web app. If we had multiple realms in Keycloak, each with<br>
one client for our web application, somehow the web application would<br>
need to know which Keycloak client to use for which user, which sounds<br>
complicated and maybe untenable. On the other hand, clients can't span<br>
realms, can they? </blockquote><div><br></div><div>Guess that depends on how many clients you are talking about. FIY we have a multi tenancy example that shows how you can have multiple configs for the same app.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
If we go with 2, one complication is administration--e.g., bulk logout.<br>
If all the users are in the same realm, it doesn't appear to me that<br>
there's a way in the admin console to logout all sessions of users<br>
belonging to one group, or to disable all users belonging to a group. Is<br>
that right?<br></blockquote><div><br></div><div>There's no option to do that yet, but we want to add support for bulk updates to users in the future. See <a href="https://issues.jboss.org/browse/KEYCLOAK-1413">https://issues.jboss.org/browse/KEYCLOAK-1413</a></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
It also doesn't look straightforward to get from the API all the users<br>
for a given group--you can get the groups a user is in, but I don't see<br>
a call that does the inverse. Is there a way we could do this?<br></blockquote><div><br></div><div>True - we don't support search by group. You can create a JIRA request for that.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
Or is there an entirely different approach I'm not thinking of?<br></blockquote><div><br></div><div>Not without a lot of customization. However, we do provide several SPIs that allow you to customize Keycloak to accommodate your needs. </div><div><br></div><div>For example for option 1 you can use admin api to create clients which would allow you to create the client in all realms.</div><div><br></div><div>For option 2 you could add a custom realm resource that allows logout or disabling all users with a specific group.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<span class=""><font color="#888888"><br>
--<br>
Aikeaguinea<br>
<a href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a><br>
<br>
--<br>
<a href="http://www.fastmail.com" rel="noreferrer" target="_blank">http://www.fastmail.com</a> - Accessible with your email software<br>
or over the web<br>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</font></span></blockquote></div><br></div></div>