[keycloak-dev] management problems

Bill Burke bburke at redhat.com
Thu May 1 10:11:48 EDT 2014



On 5/1/2014 9:30 AM, Stian Thorgersen wrote:
> I'm wondering about what issues there are with having a single shared admin realm though. That seems the optional solution to me.
>

Isn't the issue multi-tenancy?

> Thinking about the unified console project that Thomas is in charge off it should be possible to login to have SSO to all admin consoles. For example SSO across EAP, Keycloak, AeroGear, consoles.
>
> ----- Original Message -----
>> From: "Stian Thorgersen" <stian at redhat.com>
>> To: "Bill Burke" <bburke at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Thursday, 1 May, 2014 2:13:11 PM
>> Subject: Re: [keycloak-dev] management problems
>>
>>
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: "Stian Thorgersen" <stian at redhat.com>
>>> Cc: keycloak-dev at lists.jboss.org
>>> Sent: Thursday, 1 May, 2014 2:08:17 PM
>>> Subject: Re: [keycloak-dev] management problems
>>>
>>> cross-realm user doesn't solve the problem of having an integrated admin
>>> experience for apps like Aerogear UPS.
>>
>> I know - not really related, just popped into my head while reading your mail
>>
>>>
>>> On 5/1/2014 5:23 AM, Stian Thorgersen wrote:
>>>> What are the downsides of having a "shared" admin realm?
>>>>
>>>> We can fine-grained access control, so individual admins/users can be
>>>> limited to only manage certain realms (or none at all).
>>>>
>>>> Another related thing is I wonder if we could share users (and maybe even
>>>> do sso) cross realms? I can imagine situations where people wants
>>>> multiple
>>>> realms to manage token settings, social settings, applications, etc, but
>>>> still want to let users have a single account, instead of one per-realm.
>>>> We already support authenticating users with a different realm, but I was
>>>> wondering if we could make it a more integrated feature, as well as
>>>> support sso.
>>>>
>>>> ----- Original Message -----
>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>> To: keycloak-dev at lists.jboss.org
>>>>> Sent: Thursday, 1 May, 2014 3:37:46 AM
>>>>> Subject: [keycloak-dev] management problems
>>>>>
>>>>> Our current "master realm" structure/design is deficient.  Consider an
>>>>> application like UPS that wants to use Keycloak to manage users.  This
>>>>> application would also have its own management console whose security is
>>>>> also managed by keycloak.
>>>>>
>>>>> My first thought is that you could define the application's management
>>>>> console as an application in the "master" keycloak realm.  This solution
>>>>> isn't a great one if the keycloak server is managing multiple realms.
>>>>> So, IMO not something we should recommend.
>>>>>
>>>>> Another option is to define admin roles within the application's realm
>>>>> itself.  These roles are assignable to users within the realm.  This
>>>>> would require rethinking of the Angular JS admin console and how things
>>>>> are authenticated and how people log-in.  We should probably treat this
>>>>> as SSO and have individual applications within the application realm,
>>>>> for example:
>>>>>
>>>>> UPS Realm registered applications:
>>>>>
>>>>> realm-management (keycloak admin console)
>>>>> aerogear-ups-management (ups admin console)
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>>>> http://bill.burkecentral.com
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the keycloak-dev mailing list