Having links between realms like this is not great. It shouldn't matter if two realms are on the same server or on different servers. In fact in a SaaS environment you should most likely not have many tenants on a single server and rather shard it.

It would also be a fairly tedious thing to implement. Realms would need some inheritance, then there's the admin console to worry about. At the moment there's not even a "shared" place for multiple realms, so no logical place to create/edit realm templates.

Another thing is that in the future we plan to remove the master realm concept completely. Instead we'll have a trusted realm option that will use identity brokering behind the covers. The idea is that a single admin can manage multiple realms independently of what servers the realms are located on. This would mean that an admin in reality can only manage a single realm, but automatically authenticate to other realms to manage those as well without re-authentication. There would be no cross-realm permissions though, so no "master" realm admin that can manage realm templates.

On 18 May 2016 at 11:14, Thomas Raehalme <thomas.raehalme@aitiofinland.com> wrote:
Hi!

I searched Jira and the mailing lists if realm templates have been discussed before, but didn't find anything. Apologies if I missed an already existing thread.

What would you think of adding support for realm templates? 

The idea would be similar to client templates. One could define common properties in a realm template and create concrete realms based on the template. Whenever any of the common properties need to be changed, it would only be necessary to make the changes on the template instead of changing individual realms separately. Changes to the template would propagate to realms automatically.

I would like to see at least realm settings and roles being defined on the template. Maybe also clients and groups. Identity providers would also be useful. Keys, certificates, users and various credentials would naturally be specific to each realm.

If possible it would be great if one could choose to override the settings in the template so that the template would only define default values. But if it complicates the implementation too much I'm sure the feature is just as useful without this possibility.

I think this would make the life of SaaS application developers with realm per tenant much easier as you would not need to write custom tools to automate change propagation to realms.

Could this be something for 2.0?

Best regards,
Thomas

_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev