Re: [keycloak-dev] Users and Realms

Hi, As you know, currently users belong to a realm and as such, you can't share them across different realms. We always had people looking for alternatives about how to solve this problem where all the available options have their pros and cons. I would like to see what you think about decoupling users from realms in a way that user federation and management are completely decoupled from realms so that users (or group of users) can be *associated* with realms. As an example, here is how you would configure users and realms in Keycloak: 1) Configure your identity stores/user federation from where users will be fetched. Or create users in Keycloak. 2) Assign to your users a label or a logical group. This assignment could be done manually or even automatically depending on: a) default group where all users are in b) the identity store from where users are fetched c) based on the user's email (domain) d) anything else that makes sense 3) Create a realm and specify which users should belong to a realm based on these labels or groups. A realm should be able to have users with different labels/groups. The realm definition/configuration would not change much as it stands today. Each of them would still have their own way of managing realm specific groups and roles. Regards. Pedro Igor _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev