How will Keycloak be provisioned, bootstrapped, configured?
How will Keycloak look the first time somebody uses it?
These are the questions I need answers to.
We discussed earlier that a SaaS for identity is probably not a good
idea. For both security and performance reasons, Keycloak should not
support multitenancy between multiple accounts. For a cloud
environment, we will instead deploy Keycloak as a cartridge for a
specific Openshift account.
How this affects the current code-base is that there would be no SaaS
login/registration pages. Another thing is, Stian correctly suggested
that the admin UI and admin REST services should be deployed and secured
by the token service as an Application under a realm. Both of these
things affect the design of the admin UI as well as provisioning,
installation, and bootstrapping.
Knowing this there are two routes we can take.
Option #1: Multiple Realms per Keycloak Deployment (our current codebase)
Option #2: One Realm per Keycloak Deployment
Let's talk about Option #2 because I think it has the potential to make
things really clean. From both a UI perspective and
installation/bootstrapping perspective.
* The admin UI would be simplified as you would not have to have buttons
for creating realms or UI elements for switching between realms. Since
we want realm administration to be secured by the realm itself, adding
new realm admins is the same as managing any other user in the system.
If we allowed multiple realms per Keycloak deployment, then we would
need the concept of a super user and separate UI elements for managing them.
* Installation/packaging Keycloak becomes simpler in the non-cloud case.
Keycloak would come pre-configured with a realm and a default admin
user for that realm with a known password. You would just boot up
Keycloak and try to log in. The admin user would force the user to
enter in a new password before they started using Keycloak.
* Provisioning on Openshift would also be simpler, since the realm
name could map to a DNS name.
myrealm-user.rhcloud.com
One realm per deployment doesn't mean that we would model it in the
database that way. The data model would still support multi-tenancy
which means you could share a database between Keycloak deployments.
Thoughts?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
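The bootstrapping described under Option #2 (a pre-configured realm, a default admin with a known password who must change it on first login, realm admins as ordinary realm users, a multi-tenant data model, realm name mapped to a DNS name), modelled as an added illustration that is not Keycloak's own code; the default password value, the host pattern and all function names are assumptions:

```python
# Added example, not Keycloak code: a toy model of the one-realm-per-deployment
# bootstrap sketched above; default password, host pattern and names are assumed.
import hashlib, hmac, os, secrets

DEFAULT_ADMIN_PASSWORD = "admin"  # known bootstrap credential (assumed value)

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class User:
    def __init__(self, password, roles, must_change_password=False):
        self.roles = set(roles)
        self.must_change_password = must_change_password  # True on shipped admin
        self.salt = os.urandom(16)
        self.digest = _digest(password, self.salt)

    def verify(self, password):
        return hmac.compare_digest(_digest(password, self.salt), self.digest)

    def set_password(self, new_password):
        # The forced reset must not re-use the publicly known default.
        if new_password == DEFAULT_ADMIN_PASSWORD:
            raise ValueError("new password must differ from the bootstrap default")
        self.salt = os.urandom(16)
        self.digest = _digest(new_password, self.salt)
        self.must_change_password = False

def create_realm(store, name):
    """Multi-tenant store: one database may hold many realms, one bound per deployment."""
    store[name] = {"users": {}}
    return store[name]

def bootstrap(store, realm_name):
    """Ship the realm with a default admin: an ordinary realm user holding the admin role."""
    realm = create_realm(store, realm_name)
    realm["users"]["admin"] = User(DEFAULT_ADMIN_PASSWORD, ["realm-admin"], True)
    return realm

def login(realm, username, password):
    """The known default password only ever yields UPDATE_PASSWORD, never a token."""
    user = realm["users"].get(username)
    if user is None or not user.verify(password):
        return ("DENIED", None)
    if user.must_change_password:
        return ("UPDATE_PASSWORD", None)
    return ("OK", secrets.token_urlsafe(16))

def deployment_host(realm_name, account):
    return f"{realm_name}-{account}.rhcloud.com"  # realm name maps to DNS name
```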