7:46 a.m.
Hi list,
I have a question about the creation of the realms in Keycloak.
It may be SSO-101 but I can't figure the right answer.
As I understand it, a realm is a collection of clients sharing the same policies.
A user logged from one client in a realm will be authenticated in all other clients in the
same realm.
Say I have 3 apps AppA, AppB and AppC.
I want a user to be SSO'ed with AppA and AppB (not AppC).
I also want a user to be SSO'ed with AppB and AppC (not AppA).
I guess I need a realm covering AppA and AppB and another realm covering AppB and AppC.
However, most (if not all) clients I've seen only allow one IDP definition thus
forbids AppB to know both realms.
How to solve this ?
Regards,
Ionel
--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301
7:59 a.m.
Well, it is an ABAC (attribute-based access control) system. You can use a
single realm and add an attribute let’s say X with value Y that is
requested by AppA and AppB. Then, you add this attribute to all users that
need access to AppA and AppB. The same for your case of AppB and AppC.
Also, bear in mind OpenID Connect and SAML are not just single sign-on
tools. They are federated systems protocols. In a federation, you can have
multiple SP and IdP. There is nothing that forbids SPs to work with
multiple IdPs.
On Mon, Aug 13, 2018 at 9:46 AM, GARDAIS Ionel <
ionel.gardais(a)tech-advantage.com> wrote:
Hi list,
I have a question about the creation of the realms in Keycloak.
It may be SSO-101 but I can't figure the right answer.
As I understand it, a realm is a collection of clients sharing the same
policies.
A user logged from one client in a realm will be authenticated in all
other clients in the same realm.
Say I have 3 apps AppA, AppB and AppC.
I want a user to be SSO'ed with AppA and AppB (not AppC).
I also want a user to be SSO'ed with AppB and AppC (not AppA).
I guess I need a realm covering AppA and AppB and another realm covering
AppB and AppC.
However, most (if not all) clients I've seen only allow one IDP definition
thus forbids AppB to know both realms.
How to solve this ?
Regards,
Ionel
--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Rafael Weingärtner
8:19 a.m.
Thanks for your reply, Rafael.
What are realms for if this can be solved with a single-realm and ABAC ?
When are realms a better option to consider over ABAC ?
De: "Rafael Weingärtner" <rafaelweingartner(a)gmail.com>
À: "Ionel GARDAIS" <ionel.gardais(a)tech-advantage.com>
Cc: "keycloak-user" <keycloak-user(a)lists.jboss.org>
Envoyé: Lundi 13 Août 2018 14:59:43
Objet: Re: [keycloak-user] [Conception] how to define a suitable realm
Well, it is an ABAC (attribute-based access control) system. You can use a single realm
and add an attribute let’s say X with value Y that is requested by AppA and AppB. Then,
you add this attribute to all users that need access to AppA and AppB. The same for your
case of AppB and AppC.
Also, bear in mind OpenID Connect and SAML are not just single sign-on tools. They are
federated systems protocols. In a federation, you can have multiple SP and IdP. There is
nothing that forbids SPs to work with multiple IdPs.
On Mon, Aug 13, 2018 at 9:46 AM, GARDAIS Ionel < [
mailto:ionel.gardais@tech-advantage.com | ionel.gardais(a)tech-advantage.com ] > wrote:
Hi list,
I have a question about the creation of the realms in Keycloak.
It may be SSO-101 but I can't figure the right answer.
As I understand it, a realm is a collection of clients sharing the same policies.
A user logged from one client in a realm will be authenticated in all other clients in the
same realm.
Say I have 3 apps AppA, AppB and AppC.
I want a user to be SSO'ed with AppA and AppB (not AppC).
I also want a user to be SSO'ed with AppB and AppC (not AppA).
I guess I need a realm covering AppA and AppB and another realm covering AppB and AppC.
However, most (if not all) clients I've seen only allow one IDP definition thus
forbids AppB to know both realms.
How to solve this ?
Regards,
Ionel
--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301
_______________________________________________
keycloak-user mailing list
[ mailto:keycloak-user@lists.jboss.org | keycloak-user(a)lists.jboss.org ]
[ https://lists.jboss.org/mailman/listinfo/keycloak-user |
https://lists.jboss.org/mailman/listinfo/keycloak-user ]
--
Rafael Weingärtner
--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301
8:23 a.m.
Well, I am only starting using Keycloak (so, I do not have deeps insights
of its design). However, I do have a background with Identity and access
management systems (as an academic).
Having said that, Keycloak does not replace ABAC. Quite the opposite, it
implements/supports protocols (OpenID Connect and SAML) that enable you to
execute access control of your applications using ABAC (and of course all
of the identity federation stuff). Also, as far as I understood, each realm
in Keycloak can behave as an independent IdP.
On Mon, Aug 13, 2018 at 10:19 AM, GARDAIS Ionel <
ionel.gardais(a)tech-advantage.com> wrote:
Thanks for your reply, Rafael.
What are realms for if this can be solved with a single-realm and ABAC ?
When are realms a better option to consider over ABAC ?
------------------------------
*De: *"Rafael Weingärtner" <rafaelweingartner(a)gmail.com>
*À: *"Ionel GARDAIS" <ionel.gardais(a)tech-advantage.com>
*Cc: *"keycloak-user" <keycloak-user(a)lists.jboss.org>
*Envoyé: *Lundi 13 Août 2018 14:59:43
*Objet: *Re: [keycloak-user] [Conception] how to define a suitable realm
Well, it is an ABAC (attribute-based access control) system. You can use a
single realm and add an attribute let’s say X with value Y that is
requested by AppA and AppB. Then, you add this attribute to all users that
need access to AppA and AppB. The same for your case of AppB and AppC.
Also, bear in mind OpenID Connect and SAML are not just single sign-on
tools. They are federated systems protocols. In a federation, you can have
multiple SP and IdP. There is nothing that forbids SPs to work with
multiple IdPs.
On Mon, Aug 13, 2018 at 9:46 AM, GARDAIS Ionel <
ionel.gardais(a)tech-advantage.com> wrote:
> Hi list,
>
> I have a question about the creation of the realms in Keycloak.
> It may be SSO-101 but I can't figure the right answer.
>
> As I understand it, a realm is a collection of clients sharing the same
> policies.
> A user logged from one client in a realm will be authenticated in all
> other clients in the same realm.
>
> Say I have 3 apps AppA, AppB and AppC.
> I want a user to be SSO'ed with AppA and AppB (not AppC).
> I also want a user to be SSO'ed with AppB and AppC (not AppA).
>
> I guess I need a realm covering AppA and AppB and another realm covering
> AppB and AppC.
> However, most (if not all) clients I've seen only allow one IDP
> definition thus forbids AppB to know both realms.
>
>
> How to solve this ?
>
> Regards,
> Ionel
>
> --
> 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
>
<https://maps.google.com/?q=232+avenue+Napoleon+BONAPARTE+92500+RUEIL+MALM...
> Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832
> 301
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Rafael Weingärtner
--
Rafael Weingärtner
2823
days inactive
2823
days old
3 comments
2 participants
participants (2)
-
GARDAIS Ionel -
Rafael Weingärtner