<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 14 July 2016 at 18:41, Aikeaguinea <span dir="ltr"><<a href="mailto:aikeaguinea@xsmail.com" target="_blank">aikeaguinea@xsmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u>
<div><div>Thanks very much Stian. It sounds like the best approach for us would be to have one realm per organization and to share clients across them. One realm per organization sounds like the use case for realms, and practically speaking it not only lets us do bulk operations on all users within a realm, but it also lets us have different combinations of clients for different organizations.<br></div></div></blockquote><div><br></div><div>One realm per organization is not directly the use case for realms. Realms are for when you want isolated config and users. In your case there are other things than clients you need to deal with as well. Realm settings, etc. It's up to you if you want that isolation per-organization or not.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div></div>
<div> </div>
<div>A few more questions, if I may:</div>
<div> <br></div>
<div>Is the example of multi tenancy you mention this one: <a href="https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant" target="_blank">https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant</a> ?<br></div></div></blockquote><div><br></div><div>Yes</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div></div>
<div> </div>
<div>In that example there are multiple .json files, one for each tenant, and you mention doing the same thing with the admin API. <br></div>
<div>The API call for creating a new client is a POST to /admin/realms/{realm}/clients . Does doing two POST calls with the same client ID to two different realms create the same client in both realms? <br></div></div></blockquote><div><br></div><div>You don't need multiple json files. You can create the configuration programmatically as well based on a single json file by just swapping the realm name for the organization name, for example.</div><div><br></div><div>Just remove the public key from the json file (as the adapter will download it from Keycloak if you don't specify it) and make sure the client-id and secret are the same. </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div></div>
<div> </div>
<div>Can the same thing be achieved by creating the realms in the admin console and then creating the client with that ID within the realms?<br></div></div></blockquote><div><br></div><div>Admin console doesn't directly let you specify secret. If you import the client from a json file in the admin console then you can specify the secret.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div></div>
<div> </div>
<div>If I create a client with client ID myapp in Realm 1, and then I go into Realm 2 and create a client with the same ID, will they automatically share the same client secret? <br></div></div></blockquote><div><br></div><div>No, there is total isolation between realms.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div></div>
<div> </div>
<div>Also, if I'm in the admin console for Realm 1 and I look at the sessions for client myapp, I imagine I see only the sessions pertaining to users within the realm. Is that right?</div></div></blockquote><div><br></div><div>Yes</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>
<div> <br></div>
<div>Thanks for the help. I'll create a JIRA for search by group because it would be useful in any event.<br></div><div><div class="h5">
<div> <br></div>
<div> <br></div>
<div>On Thu, Jul 14, 2016, at 03:40 AM, Stian Thorgersen wrote:<br></div>
<blockquote type="cite"><div dir="ltr"><div> <br></div>
<div><div> <br></div>
<div><div>On 13 July 2016 at 21:53, Aikeaguinea <span dir="ltr"><<a href="mailto:aikeaguinea@xsmail.com" target="_blank">aikeaguinea@xsmail.com</a>></span> wrote:<br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div>We have a client web application which accepts requests from users in<br></div>
<div>many different unrelated organizations. Two approaches I see are 1) to<br></div>
<div>create a realm per organization, or 2) create a single realm with our<br></div>
<div>application as client, and assign users to different groups based on<br></div>
<div>their organization.<br></div>
<div> <br></div>
<div>If we go with approach 1, I'm not sure how we'd handle the client ID and<br></div>
<div>secret for our web app. If we had multiple realms in Keycloak, each with<br></div>
<div>one client for our web application, somehow the web application would<br></div>
<div>need to know which Keycloak client to use for which user, which sounds<br></div>
<div>complicated and maybe untenable. On the other hand, clients can't span<br></div>
<div>realms, can they? <br></div>
</blockquote><div> <br></div>
<div>Guess that depends on how many clients you are talking about. FYI we have a multi tenancy example that shows how you can have multiple configs for the same app.<br></div>
<div> <br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div> <br></div>
<div>If we go with 2, one complication is administration--e.g., bulk logout.<br></div>
<div>If all the users are in the same realm, it doesn't appear to me that<br></div>
<div>there's a way in the admin console to log out all sessions of users<br></div>
<div>belonging to one group, or to disable all users belonging to a group. Is<br></div>
<div>that right?<br></div>
</blockquote><div> <br></div>
<div>There's no option to do that yet, but we want to add support for bulk updates to users in the future. See <a href="https://issues.jboss.org/browse/KEYCLOAK-1413" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-1413</a><br></div>
<div> <br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div> <br></div>
<div>It also doesn't look straightforward to get from the API all the users<br></div>
<div>for a given group--you can get the groups a user is in, but I don't see<br></div>
<div>a call that does the inverse. Is there a way we could do this?<br></div>
</blockquote><div> <br></div>
<div>True - we don't support search by group. You can create a JIRA request for that.<br></div>
<div> <br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div> <br></div>
<div>Or is there an entirely different approach I'm not thinking of?<br></div>
</blockquote><div> <br></div>
<div>Not without a lot of customization. However, we do provide several SPIs that allow you to customize Keycloak to accommodate your needs. <br></div>
<div> <br></div>
<div>For example for option 1 you can use admin api to create clients which would allow you to create the client in all realms.<br></div>
<div> <br></div>
<div>For option 2 you could add a custom realm resource that allows logging out or disabling all users with a specific group.<br></div>
<div> <br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span><span style="color:rgb(136,136,136)"><br>--<br> Aikeaguinea<br> <a href="mailto:aikeaguinea@xsmail.com" target="_blank">aikeaguinea@xsmail.com</a><br> <br> --<br> <a href="http://www.fastmail.com" target="_blank">http://www.fastmail.com</a> - Accessible with your email software<br> or over the web<br> <br> _______________________________________________<br> keycloak-user mailing list<br> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></span></span></blockquote></div>
</div>
</div>
</blockquote><div> <br></div>
<div><div>--<br></div>
<div> Aikeaguinea<br></div>
<div> <a href="mailto:aikeaguinea@xsmail.com" target="_blank">aikeaguinea@xsmail.com</a><br></div>
<div> <br></div>
</div>
<div> <br></div>
</div></div></div>
</blockquote></div><br></div></div>
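<div>As an added example (not from the thread or the Keycloak project) of the approach described above: creating one client with the same clientId and secret in every per-organization realm by POSTing a ClientRepresentation to /admin/realms/{realm}/clients, and deriving each tenant's adapter config from one template with the realm public key removed so the adapter fetches it from the server. The base URL, realm names, secret and bearer token are constructed placeholders, and fake_post is an offline stand-in for the real admin_post transport.</div>

```python
import json
import urllib.error
import urllib.request

ADMIN_CLIENTS = "/admin/realms/{realm}/clients"  # endpoint named in the thread


def client_representation(client_id, secret, redirect_uris):
    # Minimal ClientRepresentation for a confidential client. Posting the same
    # clientId and secret into every realm is what lets one web app reuse one config.
    return {"clientId": client_id, "secret": secret, "publicClient": False,
            "standardFlowEnabled": True, "redirectUris": list(redirect_uris)}


def adapter_config(template, realm):
    # Per-realm keycloak.json from one template: swap in the realm name and drop
    # realm-public-key so the adapter fetches the key from Keycloak; resource
    # (client-id) and credentials stay identical across realms.
    cfg = json.loads(json.dumps(template))  # deep copy, template untouched
    cfg["realm"] = realm
    cfg.pop("realm-public-key", None)
    return cfg


def create_client_in_realms(post, base_url, realms, body):
    # post(url, json_body) -> HTTP status. Keycloak answers 201 Created, or 409
    # Conflict when that clientId already exists in the realm, so reruns are safe.
    return {r: post(base_url + ADMIN_CLIENTS.format(realm=r), body) for r in realms}


def admin_post(bearer_token):
    # Real transport: JSON POST carrying an admin access token (token is the caller's).
    def post(url, body):
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": "Bearer " + bearer_token,
                     "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return post


def fake_post(log):
    # Offline stand-in for admin_post(): records calls, 201 first time per URL, 409 after.
    def post(url, body):
        seen = any(u == url for u, _ in log)
        log.append((url, body))
        return 409 if seen else 201
    return post
```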