Here I have a similar requirement for a SaaS application. I need to have a
single login form for all users, and when the user logs in, I have to
decide which tenant (and server) the user belongs to. Then I do a
redirect to the right server / tenant.
It's the same way most SaaS applications work (one login screen, then
you get redirected to the right server / application).
If we want to have one single login form for all tenants, then we can
only have the users in the same realm, I think, because you must be sure
that all the users are unique.
But we also need a way to let a user log in to several tenants with
the same user. For that I plan to add a role for every tenant. If a user
has several such roles, he must choose which tenant he wants to connect to.
The application makes sure only a user with the correct role can use a
tenant.
Maybe there is a better way to solve that?
The best way to solve it would be to allow a user to be in more than one
realm and support a way to test which realms a user is in. Then we can
log in the user and test the realm(s).
But I think that wouldn't be possible because the whole design is
different. Maybe a "super realm" is possible that is a container for
such users?
Best regards,
Patrick
On 21.10.2015 at 14:46, Stian Thorgersen wrote:
I think the first question to ask is do you want to share users and
config between tenants? If you do you should have a single realm, if
not you should have separate realms.
On 21 October 2015 at 14:38, Thomas Raehalme
<thomas.raehalme@aitiofinland.com> wrote:
On Tue, Oct 20, 2015 at 8:20 PM, Stian Thorgersen
<sthorger@redhat.com> wrote:
Thousands should be no problem at all. Tens of thousands
should be ok, but we'd have to test that. I guess you're
building a public api or something since you're expecting that
many clients?
I have been thinking of various ways to utilize Keycloak in a SaaS
application. A separate realm per tenant is probably the most
natural option, but how about using a single realm with individual
clients for each tenant, would that make any sense? I think it
would have its advantages (e.g. the SaaS service provider could use
a single account to access any tenant, and tenants could register
themselves as clients when being deployed?).
Best regards,
Thomas
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Näf ITCom AG
Patrick Andreas Näf
CEO / Owner
MSc ETH Inf.-Ing.
Höhenweg 7
4917 Melchnau
web: www.naef-itcom.ch
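The single-realm, role-per-tenant design Patrick describes in his reply above (one login form, then a redirect to the tenant the user's role allows, with the user choosing when several roles apply) can be shown in a few lines of application code. The example below is added here and is not code from the thread, from Keycloak, or from either poster's project. It assumes the per-tenant realm roles follow a naming convention "tenant:<id>" and a realm issuer URL, both invented for illustration, and it reads the roles from the realm_access.roles claim that Keycloak places in its access tokens. Signature verification of the token is assumed to have happened already and is not repeated here; the token payloads are constructed samples.

```python
"""Tenant selection and enforcement from a Keycloak access token.

Added example for the single-realm design discussed on the list: every
tenant gets a realm role "tenant:<id>" (assumed naming convention), the
login portal decides where to redirect from those roles, and each tenant
server re-checks the role on every request. Token payloads here are
constructed; verifying the JWT signature against the realm's JWKS is
assumed to have been done before these functions see the claims.
"""
from typing import Dict, List, Optional, Set, Tuple

ROLE_PREFIX = "tenant:"  # assumed convention for per-tenant realm roles
EXPECTED_ISSUER = "https://sso.example.com/auth/realms/saas"  # assumed realm

# Constructed decoded access-token payloads. The realm_access -> roles
# layout is the one Keycloak uses for realm roles in its tokens.
MULTI_TENANT_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "preferred_username": "patrick",
    "realm_access": {"roles": ["offline_access", "tenant:acme", "tenant:globex"]},
}
SINGLE_TENANT_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "preferred_username": "thomas",
    "realm_access": {"roles": ["uma_authorization", "tenant:acme"]},
}
FOREIGN_REALM_CLAIMS = {
    "iss": "https://sso.example.com/auth/realms/other",
    "preferred_username": "mallory",
    "realm_access": {"roles": ["tenant:acme"]},
}


def tenants_for(claims: Dict) -> Set[str]:
    """Tenant ids the token holder may enter.

    The issuer is pinned so that a token from a different realm that happens
    to carry an identically named role grants nothing. Built-in roles such as
    offline_access or uma_authorization never look like tenants because only
    the ROLE_PREFIX namespace is considered.
    """
    if claims.get("iss") != EXPECTED_ISSUER:
        return set()
    roles: List[str] = claims.get("realm_access", {}).get("roles", [])
    return {r[len(ROLE_PREFIX):] for r in roles if r.startswith(ROLE_PREFIX)}


def resolve_tenant(claims: Dict, chosen: Optional[str] = None) -> Tuple[str, object]:
    """Decide what the login portal does after a successful login.

    Returns one of:
      ("redirect", tenant_id)   exactly one tenant, or a valid choice was made
      ("choose", [tenant, ...]) several tenants and no choice yet
      ("deny", reason)          no tenant role, or a choice the token does not back
    The chosen value comes from the user (a form field), so it is always
    checked against the token and never trusted on its own.
    """
    allowed = tenants_for(claims)
    if not allowed:
        return ("deny", "no tenant role for this user")
    if chosen is None:
        if len(allowed) == 1:
            return ("redirect", next(iter(allowed)))
        return ("choose", sorted(allowed))
    if chosen not in allowed:
        return ("deny", "user is not a member of tenant %r" % chosen)
    return ("redirect", chosen)


def authorize_request(claims: Dict, tenant: str) -> bool:
    """Per-request check on the tenant server itself.

    The redirect alone is not a security boundary: a user could type another
    tenant's URL directly, so the tenant application repeats the role check.
    """
    return tenant in tenants_for(claims)


if __name__ == "__main__":
    print(resolve_tenant(SINGLE_TENANT_CLAIMS))
    print(resolve_tenant(MULTI_TENANT_CLAIMS))
    print(resolve_tenant(MULTI_TENANT_CLAIMS, "globex"))
    print(resolve_tenant(MULTI_TENANT_CLAIMS, "initech"))
    print(authorize_request(FOREIGN_REALM_CLAIMS, "acme"))
```

The portal calls resolve_tenant once after login; a "choose" result renders the tenant picker, and the picked value is fed back as chosen. Each tenant server calls authorize_request on every request rather than trusting that the redirect was correct.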