This is not something that we have on our road-map, and even if we decided to add it, it would
be a long time until we'd get to it.
However, as I suggested, this is something you can implement yourself using the admin REST
API.
----- Original Message -----
From: "Egor Kolesnikov" <egor.kolesnikov(a)fastlane-it.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Thursday, 9 April, 2015 2:32:47 PM
Subject: Re: [keycloak-user] Multi-tenancy applications
Hi Stian
Yes, that's what I thought - putting in some synchronisation smarts and
locking down applications within tenants' realms.
Is this even on the roadmap? If we take a look at, say, Google - they have
tenants (Google Apps for Business) who have their own domains, admins and
users, and they also have applications accessible by all users of all
tenants.
...on the other side, is it possible to use a different approach and
implement "tenant ID" as a User attribute within the realm?
No, everything we have is very fixed to the concept of being contained within a specific
realm. Persistence, APIs, GUIs, etc are all built on that concept.
Cheers
Egor
On Thu, Apr 9, 2015 at 10:11 PM, Stian Thorgersen <stian(a)redhat.com> wrote:
>
>
> ----- Original Message -----
> > From: "Egor Kolesnikov" <egor.kolesnikov(a)fastlane-it.com>
> > To: keycloak-user(a)lists.jboss.org
> > Sent: Thursday, 9 April, 2015 4:58:12 AM
> > Subject: [keycloak-user] Multi-tenancy applications
> >
> > I've been using Keycloak for quite some time now on a couple of projects, and
> > it's absolutely awesome - it just does the right thing, straight out of the
> > box.
> >
> > However, what I found quite confusing is the "Realm" definition which is
> > missing from the documentation.
> > I'm trying to add multi-tenancy support to our application and found it a bit
> > confusing. It seems that Keycloak's approach to multitenancy is "Realm per
> > tenant" - which makes sense, until it comes to the realisation that the
> > applications only exist within realms. This implies that if there are a few
> > hundred tenants (i.e. organisations using the application), the task of
> > changing application config (i.e. adding an application-level role or
> > adding/removing a redirect URL) becomes a maintenance nightmare.
> >
> > Is it at all possible to define a "global", not realm-confined application in
> > Keycloak? Would it be hard to implement? Happy to put some effort into it
> > and send a pull request.
>
> It's not possible now and would require a lot of changes.
>
> The best idea I can come up with is to use the admin endpoints to automate
> replicating the applications for multiple realms. Would be relatively easy
> to write something that uses the application in one realm as a reference
> and duplicates it to other realms.
>
> >
> > A bit more context:
> > - I have a webapp that serves multiple organisations.
> > - Each organisation has its own users and admins (who can create users and
> > other admins).
> > - There is a "Super" administrator who creates organisations and admins.
> > - Webapp can recognise the organisation based on Company ID or domain name.
> >
> > Many thanks in advance.
--
Egor Kolesnikov
Director
Fastlane Solutions Pty Ltd
m. +61(4) 6884 5909
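
One way to implement the replication suggested in the reply above, as an added example that is not part of the original thread or Keycloak's own code. It assumes the Admin REST API paths of current Keycloak releases, where the thread's "applications" are called clients (`/admin/realms/{realm}/clients`); the function names, realm names and sample data are constructed.

```python
import json
import urllib.request

# Fields that belong to one realm only (assumption of this example): the
# server-generated UUID and the client secret are never copied across tenants.
REALM_LOCAL = {"id", "secret"}

def template(reference):
    """Reference client representation minus realm-local fields."""
    return {k: v for k, v in reference.items() if k not in REALM_LOCAL}

def plan(reference, existing_by_realm):
    """Return the (method, path, body) calls that align each realm with the reference.

    existing_by_realm maps realm name -> that realm's current representation
    of the client, or None when the client does not exist there yet.
    """
    want = template(reference)
    ops = []
    for realm, current in sorted(existing_by_realm.items()):
        base = f"/admin/realms/{realm}/clients"
        if current is None:
            ops.append(("POST", base, want))
        elif any(current.get(k) != v for k, v in want.items()):
            # Update in place, addressing the client by its realm-local UUID.
            ops.append(("PUT", f"{base}/{current['id']}", {**want, "id": current["id"]}))
    return ops

def push(ops, server, token):
    """Send the planned calls; server is the base URL, token an admin bearer token."""
    for method, path, body in ops:
        req = urllib.request.Request(
            server + path, data=json.dumps(body).encode(), method=method,
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        urllib.request.urlopen(req).close()

# Constructed sample data: one reference client and three tenant realms.
REFERENCE = {"id": "ref-uuid", "clientId": "webapp", "secret": "ref-secret",
             "redirectUris": ["https://app.example.com/*"]}
TENANTS = {
    "tenant-a": None,
    "tenant-b": {"id": "b-uuid", "clientId": "webapp", "secret": "b-secret",
                 "redirectUris": ["https://old.example.com/*"]},
    "tenant-c": {"id": "c-uuid", "clientId": "webapp", "secret": "c-secret",
                 "redirectUris": ["https://app.example.com/*"]},
}
```

`plan(REFERENCE, TENANTS)` can be reviewed as a dry run before `push` sends anything; on older servers the `server` argument carries the `/auth` prefix.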