Hi Bill,

What I was thinking of was tenants as a nested element within a realm.

We'd like to be able to add tenants at runtime. That's where I see a problem with multi-realm support, since realms are "hardcoded" in the keycloak.json. So if you add a realm in the admin-console, with multi-realm support you'd still have to modify the deployed WAR by adding the new realm to the keycloak.json file.

I was thinking of a structure like this:

|- realm
|  |-users
|     |-realm-level-user-1
|     |-...
|-tenants
|  |-tenant-1
|  |  |-users
|  |  |  |-tenant-level-user-1
|  |  |  |-...

Let me know what you think!
Cheers,
Nils

On Thu, May 29, 2014 at 11:04 PM, Bill Burke <bburke@redhat.com> wrote:
Somebody else was asking for this feature.  We may have to add it in beta 2
even though I wanted to have a feature freeze.

How did you expect it to work?  One guy wanted to discover realm per
request via parsing the URL.  Another guy just wanted multi-realm
support for bearer-only services.


On 5/29/2014 4:54 PM, Nils Preusker wrote:
> Hi,
>
> first of all, congrats on the beta 1 release!
>
> Here's my question: I have a WAR with a REST API that I'm securing with
> Keycloak. Now I'd like to add multitenancy support.
>
> If I understand the concept in Keycloak correctly, I would somehow have
> to have several realms in the keycloak.json and the web.xml of the WAR,
> right? However, there is just one realm-name attribute in the web.xml and
> the structure of keycloak.json also looks like it is intended for one
> realm. Am I missing something?
>
> Cheers,
> Nils
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com