On Wed, May 18, 2016 at 3:04 PM, Stian Thorgersen <sthorger@redhat.com> wrote:
Having links between realms like this is not great. It shouldn't matter if two realms are on the same server or on different servers. In fact in a SaaS environment you should most likely not have many tenants on a single server and rather shard it.

By sharding do you mean that the environment should have multiple independent Keycloak instances/clusters to which tenants are distributed?

It would also be a fairly tedious thing to implement. Realms would need some inheritance, then there's the admin console to worry about. At the moment there's not even a "shared" place for multiple realms, so no logical place to create/edit realm templates.

Oh, I never presumed this would be an easy task to do :-)
 
Another thing is that in the future we plan to remove the master realm concept completely. Instead we'll have a trusted realm option that will use identity brokering behind the covers. The idea is that a single admin can manage multiple realms independently of what servers the realms are located on. This would mean that an admin in reality can only manage a single realm, but automatically authenticate to other realms to manage those as well without re-authentication. There would be no cross-realm permissions though, so no "master" realm admin that can manage realm templates.

Do you mean that in the future the current master realm will be just-another-realm, but when creating new realms they automatically trust the master?

Best regards,
Thomas