[keycloak-dev] RFC: organizations

Scott Rehorn srehorn at gmail.com
Mon Jul 27 22:12:08 EDT 2015

Hello Bill, Stian, and the rest of the keycloak-dev list from Dell Software
(software division of Dell Computers).

As Bill and Stian already know, our team at Dell has been integrating our
own extensions to Keycloak to build a SaaS-based identity broker, and Bill
and Stian suggested that we run the first of our main extensions out into
the mailing list for further discussion. Here is an overview to solicit
some first impressions and additional ideas in this area. We think this
extension is necessary for our own use cases, and, if it seems like a
broadly useful modification, then we can contribute the code for it.

Proposal: introduce a new entity called "organizations" to provide a means
of delivering specific claim values to authenticated users known in that

Rationale: in our group at Dell Software, we have to support the notion of
tenancy within a single realm, but we are trying to avoid the term ‘tenant’
as it’s too overloaded. Our typical use case is to use Keycloak+our
extensions as an external system which acts as identity broker for a
constrained set of IdPs and claims authority for users. If we use
realm-per-organization, then we wind up with a large set of repeated IdP
configurations. By introducing an entity for “organizations” then we have a
centralized place to store metadata for users and related client/RP

Example: clients A and B are SSO apps which both use KC for authentication
and authorization. If a user logs into client A, he is redirected to an IdP
(via Keycloak brokering) where he authenticates. After authentication, the
user of client A receives in his claimset additional assertions, e.g.,
subscriptionId=2057 and organizationName=CheeseCompany which are derived
from the org definition which says that the authenticated user belongs to
Cheese Company under a particular subscription. A different user in a
different organization would have a different subscription to and would
receive a different subscriptionId and organizationName.

Implementation strategy and code impact: our current implementation is
derived from the IdentityProviders model and exposes an API only at
'/organizations'.  We haven’t done the UI level, but it would be similar to
the identity providers UX (top-level admin managed item in left menu).

Relationship to ‘groups’: we think that the concept of organizations is
conceptually distinct enough to treat it as a hierarchical construct. An
organization can have IdPs and users it recognizes,  and such grouping of
related clients needing common assertions could be accomplished with
groups, but our current thinking is that the groups-everywhere approach is
a little too general – e.g., you **can** simulate relational database
semantics with tags and selections based on combinations of tags, but when
something is clearly hierarchical, why not use a hierarchy? Groups would be
a separate construct could then be treated as tags to enable multiple
memberships etc., much like roles are handled in KC now.

Thanks for your attention and we look forward to working with you.

- scott r
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20150727/d6a8e570/attachment.html 

More information about the keycloak-dev mailing list