[keycloak-dev] groups vs. organizations
Bill Burke
bburke at redhat.com
Mon Aug 3 14:13:31 EDT 2015
On 8/3/2015 1:40 PM, Scott Rehorn wrote:
>
> Here's a possible summary:
> Groups:
> * have names
> * can contain other groups
> * can carry a 'schema' which represents available attributes (more generally, claims)
> * support mapping and aggregation from IdP-defined groups
> * can be assigned roles
>
> So a user in a group gets that group's attributes, role associations, sub-groups' role associations, and sub-groups' attributes.
>
Can you define "support mapping and aggregation from IdP-defined
groups"? Wouldn't this be something configured at each IDP rather than
in a group? The IDP would define a mapper that looked at some claim,
then associate the user with a Keycloak defined group based on the
claim...right?
I was also thinking that we might remove client roles and just move them
to groups. Migration would be that a group is created for each client
that has a set of roles defined. We have a few users that want to share
a set of roles between different clients.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com