Is that really an issue?
Users would just be admin users, there would be a separate realm for AeroGear users.
And there'd probably be a single AeroGear console application, with a few
associated roles.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 1 May, 2014 4:47:24 PM
Subject: Re: [keycloak-dev] management problems
On 5/1/2014 11:41 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Thursday, 1 May, 2014 4:37:39 PM
>> Subject: Re: [keycloak-dev] management problems
>>
>>
>>
>> On 5/1/2014 11:24 AM, Stian Thorgersen wrote:
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>> Sent: Thursday, 1 May, 2014 4:19:26 PM
>>>> Subject: Re: [keycloak-dev] management problems
>>>>
>>>>
>>>>
>>>> On 5/1/2014 10:16 AM, Stian Thorgersen wrote:
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>>>> Sent: Thursday, 1 May, 2014 3:11:48 PM
>>>>>> Subject: Re: [keycloak-dev] management problems
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 5/1/2014 9:30 AM, Stian Thorgersen wrote:
>>>>>>> I'm wondering about what issues there are with having a single shared
>>>>>>> admin realm though. That seems the optional solution to me.
>>>>>>>
>>>>>>
>>>>>> Isn't the issue multi-tenancy?
>>>>>
>>>>> We can grant admin users access to manage only specific realms though?
>>>>>
>>>>> Or are you thinking multi-tenancy for AeroGear?
>>>>
>>>> What I mean is that you want to manage Aerogear in a realm on a server
>>>> that is multi-tenant (1 server managing multiple realms). Can't really
>>>> have a single shared admin realm in that case.
>>>
>>> I'm still not following :/
>>>
>>> Can you spoon-feed me an example?
>>>
>>
>> Aerogear UPS admin needs to:
>>
>> * manage users
>> * manage role mappings
>> * manage oauth clients
>> * Manage aerogear specific things
>>
>> You want to have one login to do all those things. This means there
>> needs to be one realm to do all these things. You could re-use the
>> "keycloak-admin" realm, but re-using the "keycloak-admin" realm doesn't
>> work if you're dealing with a Keycloak deployment that is managing
>> multiple realms. A.K.A. Multi-tenancy.
>
> The part I'm not understanding is why it doesn't work with a Keycloak
> deployment with multiple realms?
>
Because you're polluting the "keycloak-admin" realm with Aerogear
specific things: users, roles, applications, etc.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com