On 18 May 2016 at 14:52, Thomas Raehalme <thomas.raehalme(a)aitiofinland.com>
wrote:
> On Wed, May 18, 2016 at 3:04 PM, Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
>
> > Having links between realms like this is not great. It shouldn't matter
> > if two realms are on the same server or on different servers. In fact in a
> > SaaS environment you should most likely not have many tenants on a single
> > server and rather shard it.
> >
>
> By sharding do you mean that the environment should have multiple
> independent Keycloak instances/clusters to which tenants are distributed?
Yes. At first our plan was to have a single Keycloak support multiple
tenants in a SaaS environment. However, we decided that this level of
tenants would be better achieved by having completely separate instances.
> > It would also be a fairly tedious thing to implement. Realms would need
> > some inheritance, then there's the admin console to worry about. At the
> > moment there's not even a "shared" place for multiple realms, so no
> > logical place to create/edit realm templates.
> >
>
> Oh I never presumed this would be an easy task to do :-)
I meant we're very unlikely to accept the feature due to the amount of
complexity that would be involved. It also has very little benefit in the
use-cases we've designed Keycloak for and wouldn't work when realms are
located on separate instances which we expect would be the norm.
> > Another thing is that in the future we plan to remove the master realm
> > concept completely. Instead we'll have a trusted realm option that will use
> > identity brokering behind the covers. The idea is that a single admin can
> > manage multiple realms independently of what servers the realms are located
> > on. This would mean that an admin in reality can only manage a single
> > realm, but automatically authenticate to other realms to manage those as
> > well without re-authentication. There would be no cross-realm permissions
> > though, so no "master" realm admin that can manage realm templates.
> >
>
> Do you mean that in the future the current master realm will be
> just-another-realm, but when creating new realms they automatically trust
> the master?
There will be no special "master" realm at all. We've not fully figured out
the bootstrapping of new realms. Rather than having a "master" realm it
would be possible to link realms together which will enable cross-realm
management. One key aspect of this is that not only will you be able to
manage multiple realms within the Keycloak admin console, but you will also
be able to authenticate to your own applications that exist in different
realms.
> Best regards,
> Thomas