[keycloak-dev] RFC: organizations

Stian Thorgersen stian at redhat.com
Tue Jul 28 03:04:16 EDT 2015

----- Original Message -----
> From: "Juraci Paixão Kröhling" <juraci at kroehling.de>
> To: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 28 July, 2015 8:12:14 AM
> Subject: Re: [keycloak-dev] RFC: organizations
> Scott,
> On 07/28/2015 04:12 AM, Scott Rehorn wrote:
> > Proposal: introduce a new entity called "organizations" to provide a
> > means of delivering specific claim values to authenticated users known
> > in that organization
> >
> > Rationale: in our group at Dell Software, we have to support the notion
> > of tenancy within a single realm, but we are trying to avoid the term
> > ‘tenant’ as it’s too overloaded. Our typical use case is to use
> > Keycloak+our extensions as an external system which acts as identity
> > broker for a constrained set of IdPs and claims authority for users. If
> > we use realm-per-organization, then we wind up with a large set of
> > repeated IdP configurations. By introducing an entity for
> > “organizations” then we have a centralized place to store metadata for
> > users and related client/RP instances.
> We have a *very* similar use case and we have implemented the notion of
> "Organizations" (and "Personas") in Hawkular, in a module named
> "Hawkular Accounts". In our case, an user can belong to multiple
> organizations, and can have different roles within each organization
> ("Super User" in "Operations", but "Monitor" on "Marketing").

Can you not already model that in Keycloak by having a separate clients for "Operations" and "Marketing" with the corresponding roles?

> If our use cases converge, I think we should work together on this.
> Our code is currently located here and includes some documentation about
> how it works and what's our use case:
> https://github.com/hawkular/hawkular-accounts
> - Juca.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list