We have a client web application which accepts requests from users in many different unrelated organizations. Two approaches I see are 1) to create a realm per organization, or 2) create a single realm with our application as client, and assign users to different groups based on their organization. If we go with approach 1, I'm not sure how we'd handle the client ID and secret for our web app. If we had multiple realms in Keycloak, each with one client for our web application, somehow the web application would need to know which Keycloak client to use for which user, which sounds complicated and maybe untenable. On the other hand, clients can't span realms, can they?

If we go with 2, one complication is administration--e.g., bulk logout. If all the users are in the same realm, it doesn't appear to me that there's a way in the admin console to logout all sessions of users belonging to one group, or to disable all users belonging to a group. Is that right?

It also doesn't look straightforward to get from the API all the users for a given group--you can get the groups a user is in, but I don't see a call that does the inverse. Is there a way we could do this?

Or is there an entirely different approach I'm not thinking of?

-- Aikeaguinea aikeaguinea(a)xsmail.com -- http://www.fastmail.com - Accessible with your email software or over the web _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Thanks very much Stian. It sounds like the best approach for us would be to have one realm per organization and to share clients across them. One realm per organization sounds like the use case for realms, and practically speaking it not only lets us do bulk operations on all users within a realm, but it also lets us have different combinations of clients for different organizations.

A few more questions, if I may: Is the example of multi tenancy you mention this one: https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant ?

In that example there are multiple .json files, one for each tenant, and you mention doing the same thing with the admin API. The API call for creating a new client is a POST to /admin/realms/{realm}/clients . Does doing two POST calls with the same client ID to two different realms create the same client in both realms?

Can the same thing be achieved by creating the realms in the admin console and then creating the client with that ID within the realms?

If I create a client with client ID myapp in Realm 1, and then I go into Realm 2 and create a client with the same ID, will they automatically share the same client secret?

Also, if I'm in the admin console for Realm 1 and I look at the sessions for client myapp, I imagine I see only the sessions pertaining to users within the realm. Is that right?

Thanks for the help. I'll create a JIRA for search by group because it would be useful in any event. On Thu, Jul 14, 2016, at 03:40 AM, Stian Thorgersen wrote: On 13 July 2016 at 21:53, Aikeaguinea <aikeaguinea(a)xsmail.com&gt; wrote: We have a client web application which accepts requests from users in many different unrelated organizations. Two approaches I see are 1) to create a realm per organization, or 2) create a single realm with our application as client, and assign users to different groups based on their organization. If we go with approach 1, I'm not sure how we'd handle the client ID and secret for our web app. If we had multiple realms in Keycloak, each with one client for our web application, somehow the web application would need to know which Keycloak client to use for which user, which sounds complicated and maybe untenable. On the other hand, clients can't span realms, can they? Guess that depends on how many clients you are talking about. FIY we have a multi tenancy example that shows how you can have multiple configs for the same app. If we go with 2, one complication is administration--e.g., bulk logout. If all the users are in the same realm, it doesn't appear to me that there's a way in the admin console to logout all sessions of users belonging to one group, or to disable all users belonging to a group. Is that right? There's no option to do that yet, but we want to add support for bulk updates to users in the future. See https://issues.jboss.org/browse/KEYCLOAK-1413 It also doesn't look straightforward to get from the API all the users for a given group--you can get the groups a user is in, but I don't see a call that does the inverse. Is there a way we could do this? True - we don't support search by group. You can create a JIRA request for that. Or is there an entirely different approach I'm not thinking of? Not without a lot of customization. However, we do provide several SPIs that allow you to customize Keycloak to accommodate your needs. For example for option 1 you can use admin api to create clients which would allow you to create the client in all realms. For option 2 you could add a custom realm resource that allows logout or disabling all users with a specific group. -- Aikeaguinea aikeaguinea(a)xsmail.com -- http://www.fastmail.com - Accessible with your email software or over the web _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -- Aikeaguinea aikeaguinea(a)xsmail.com -- http://www.fastmail.com - A fast, anti-spam email service.