Having links between realms like this is not great. It shouldn't matter if
two realms are on the same server or on different servers. In fact in a
SaaS environment you should most likely not have many tenants on a single
server and rather shard it.

It would also be a fairly tedious thing to implement. Realms would need
some inheritance, then there's the admin console to worry about. At the
moment there's not even a "shared" place for multiple realms, so no logical
place to create/edit realm templates.

Another thing is that in the future we plan to remove the master realm concept
completely. Instead we'll have a trusted realm option that will use
identity brokering behind the covers. The idea is that a single admin can
manage multiple realms independently of what servers the realms are located
on. This would mean that an admin in reality can only manage a single
realm, but automatically authenticate to other realms to manage those as
well without re-authentication. There would be no cross-realm permissions
though, so no "master" realm admin that can manage realm templates.

On 18 May 2016 at 11:14, Thomas Raehalme <thomas.raehalme(a)aitiofinland.com>
wrote:
Hi!

I searched Jira and the mailing lists to see if realm templates have been
discussed before, but didn't find anything. Apologies if I missed an
already existing thread.

What would you think of adding support for realm templates?

The idea would be similar to client templates. One could define common
properties in a realm template and create concrete realms based on the
template. Whenever any of the common properties need to be changed, it
would only be necessary to make the changes on the template instead of
changing individual realms separately. Changes to the template would
propagate to realms automatically.

I would like to see at least realm settings and roles being defined on the
template. Maybe also clients and groups. Identity providers would also be
useful. Keys, certificates, users and various credentials would naturally
be specific to each realm.

If possible it would be great if one could choose to override the settings
in the template so that the template would only define default values. But
if it complicates the implementation too much I'm sure the feature is just
as useful without this possibility.

I think this would make the life of SaaS application developers with realm
per tenant much easier as you would not need to write custom tools to
automate change propagation to realms.

Could this be something for 2.0?

Best regards,
Thomas