On Wed, May 18, 2016 at 3:04 PM, Stian Thorgersen <sthorger(a)redhat.com> wrote:

Having links between realms like this is not great. It shouldn't matter if
two realms are on the same server or on different servers. In fact in a
SaaS environment you should most likely not have many tenants on a single
server and rather shard it.

By sharding do you mean that the environment should have multiple
independent Keycloak instances/clusters to which tenants are distributed?

It would also be a fairly tedious thing to implement. Realms would need
some inheritance, then there's the admin console to worry about. At the
moment there's not even a "shared" place for multiple realms, so no logical
place to create/edit realm templates.

Oh, I never presumed this would be an easy task to do :-)

Another thing is that in the future we plan to remove master realm concept
completely. Instead we'll have a trusted realm option that will use
identity brokering behind the covers. The idea is that a single admin can
manage multiple realms independently of what servers the realms are located
on. This would mean that an admin in reality can only manage a single
realm, but automatically authenticate to other realms to manage those as
well without re-authentication. There would be no cross-realm permissions
though, so no "master" realm admin that can manage realm templates.

Do you mean that in the future the current master realm will be
just-another-realm, but when creating new realms they automatically trust
the master?
Best regards,
Thomas