Thank you Dmitry and Graham!
Using separate SSO realms is good enough for my need. I'll look further
into your posts and into setting up replication, Dmitry.
Regards,
Weijun
On 8/16/2018 6:47 PM, Dmitry Telegin wrote:
Hi Weijun,
And what if the user first signs in a 1st group app, and then in a 2nd group? Should the
user be able to access both groups now?
If so, it seems like you want two separate SSO realms for your application groups, but with
shared user data?
Let's rephrase it; imagine that in your Keycloak:
- there are two different realms, realmA and realmB;
- apps from the 1st group are configured as clients of realmA;
- the same for the 2nd group and realmB;
- users in both realms are the same;
would that solve your problem?
So it seems like you need some kind of proxy/slave/shadow realm that
would have its own client definitions but would proxy to another realm
for user data. I think this is not available OOTB, but it could be
implemented as a Keycloak extension using the Realm SPI; however, the
implementation can be really tricky.
Another way to go is to set up ad-hoc partial replication between the realms. This is
not available OOTB either; however, the implementation should be much simpler (at the price of
data duplication, of course).
The good news is that you're not alone with this; see Tuesday's posting from Gregor
Tudan, the problem statement is almost the same (modulo the kind of data to be replicated,
users vs. clients). I'll reply to that post a bit later, so stay tuned.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info@acutus.pro
On Thu, 2018-08-16 at 15:20 -0400, Weijun Gao wrote:
> Hi,
>
> Is it possible to authenticate users using *one* Keycloak server for
> *two* groups of web applications? For example, if a user signs in to a web
> app in the 1st group, the user can access all the apps in the 1st group
> but none in the 2nd group, and vice versa. If it's possible, how? Or is there any
> documentation?
>
> Thanks and regards,
>
> Weijun
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
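As an added illustration of the two-realm layout Dmitry describes above (this is not part of the original thread), here is a Keycloak single-file realm import containing two realms, one per application group, with the same user defined in each. Realm names, client IDs, redirect URIs, the user and all secrets are constructed placeholders; the key names are those of Keycloak's realm representation format.

```json
[
  {
    "realm": "realmA",
    "enabled": true,
    "sslRequired": "external",
    "clients": [
      {
        "clientId": "group1-app1",
        "protocol": "openid-connect",
        "enabled": true,
        "publicClient": false,
        "secret": "CHANGE-ME-group1-app1",
        "redirectUris": ["https://app1.group1.example.com/*"]
      },
      {
        "clientId": "group1-app2",
        "protocol": "openid-connect",
        "enabled": true,
        "publicClient": false,
        "secret": "CHANGE-ME-group1-app2",
        "redirectUris": ["https://app2.group1.example.com/*"]
      }
    ],
    "users": [
      {
        "username": "alice",
        "enabled": true,
        "email": "alice@example.com",
        "credentials": [
          { "type": "password", "value": "CHANGE-ME", "temporary": true }
        ]
      }
    ]
  },
  {
    "realm": "realmB",
    "enabled": true,
    "sslRequired": "external",
    "clients": [
      {
        "clientId": "group2-app1",
        "protocol": "openid-connect",
        "enabled": true,
        "publicClient": false,
        "secret": "CHANGE-ME-group2-app1",
        "redirectUris": ["https://app1.group2.example.com/*"]
      }
    ],
    "users": [
      {
        "username": "alice",
        "enabled": true,
        "email": "alice@example.com",
        "credentials": [
          { "type": "password", "value": "CHANGE-ME", "temporary": true }
        ]
      }
    ]
  }
]
```

Because sessions and the identity cookie are scoped to a realm (the cookie path is that realm's own URL path), signing in to a group 1 app creates an SSO session in realmA only; the user must authenticate again for any realmB client, which is exactly the isolation asked for. The user record exists twice, so credentials, attributes and role mappings are maintained separately per realm unless something replicates them, which is the data duplication Dmitry mentions.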