3:29 a.m.
Mattia,
Thanks for your explanation, the problem is clear now.
I think you can solve it with the help of identity brokering [1]. For each non-master
realm, you will have to configure brokering to master. After that, a badge will appear on
the login screen, and after clicking it your users will be able to authenticate with their
master realm credentials.
If you're ok with this additional step, this could be an easy solution.
[1] https://www.keycloak.org/docs/latest/server_admin/index.html#_identity_br...
Dmitry
On Thu, 2018-10-25 at 21:01 +0000, Mattia Bello wrote:
Sorry,
I probably did not explain well.
I have a client application that is accessible from all realms.
I would like with a realm master user to be able to access the client application of each
realm, without creating users on each realm.
I tried this but when I log in to the client application with the user created in the
realm master the log in fails because it says that the user does not exist.
Reading the documentation it is explained that the users created in the realm master are
used to manage the realm as admin, so you can create new realm and users and groups within
the various realms, but it is not specified that with this user you can access a client
application defined in realms.
Is it possible to access to clients of the various realms with the realm master users,
without duplicating them in every realm, or not?
Thank you
Get Outlook for Android
On Thu, Oct 25, 2018 at 10:07 PM +0200, "Dmitry Telegin" <dt(a)acutus.pro>
wrote:
> Hello Mattia, answers inline,
>
> On Thu, 2018-10-25 at 13:34 +0000, Mattia Bello wrote:
> > We have this situation:
> >
> > master realm -> used to manage other realms
> >
> > realm1, realm2, realm3, .. -> are retailers and contain companies
> >
> > for each realm we have group1, group2, group3, .. -> are companies and
contain a group of users
> >
> > we have to see all the retailers (realms), the companies (groups) and the
users
> >
> > How can I do it?
> >
> > Can i create a master realm user and use it to access all the other realms?
>
> Yes you can. In fact, there is already such a user - it's admin that
> you've created on the first run. If you want more users with such an
> access in master realm, grant them "admin" realm role. If you look into
> "admin" role details, you'll see that it automatically includes all
the
> client roles of *-realm clients, that's how it works under the hood.
>
> If you don't want to grant that powerful admin role, go to user -> Role
> mappings and assign the necessary client roles from the *-realm
> clients. The user will get access to the admin functions for that realm(s).
>
> >
> > Or i have to replicate the admin user in master realm into all other realm to
use it to log in in that realm?
>
> This is possible too. Create a user in the target realm, go to Role
> mappings and assign the necessary roles from the realm-management
> client.
>
> Good luck,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info(a)acutus.pro
>
> >
> > Thank to all
> >
> >
> >
> > Mattia Bello
> > Developer
> >
> > > > > [Descrizione: cid:image001.jpg@01CEB308.188717E0]
> > Horsa S.p.A.
> > Via Cadorna, 67
> > Vimodrone (MI)
> > Mobile (+39) 340 36 07 937
>
> https://urlsand.esvalabs.com/?u=http%3A%2F%2Fwww.horsa.it&e=ab6f9afd&h=772f26c6&f=n&p=y
<
https://urlsand.esvalabs.com/?u=http%3A%2F%2Fwww.horsa.it%2F&e=ab6f9a...
>;
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
>
> https://urlsand.esvalabs.com/?u=https%3A%2F%2Flists.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-user&e=ab6f9afd&h=a4102473&f=n&p=y
>