[keycloak-dev] Realm templates

Stian Thorgersen sthorger at redhat.com
Wed May 18 08:04:16 EDT 2016


Having links between realms like this is not great. It shouldn't matter if
two realms are on the same server or on different servers. In fact, in a
SaaS environment you should most likely not have many tenants on a single
server, but rather shard them.

It would also be a fairly tedious thing to implement. Realms would need
some inheritance, then there's the admin console to worry about. At the
moment there's not even a "shared" place for multiple realms, so no logical
place to create/edit realm templates.

Another thing is that in the future we plan to remove the master realm concept
completely. Instead we'll have a trusted realm option that will use
identity brokering behind the covers. The idea is that a single admin can
manage multiple realms independently of what servers the realms are located
on. This would mean that an admin can in reality only manage a single
realm, but automatically authenticate to other realms to manage those as
well without re-authenticating. There would be no cross-realm permissions
though, so no "master" realm admin that can manage realm templates.

On 18 May 2016 at 11:14, Thomas Raehalme <thomas.raehalme at aitiofinland.com>
wrote:

> Hi!
>
> I searched Jira and the mailing lists to see whether realm templates have
> been discussed before, but didn't find anything. Apologies if I missed an
> already existing thread.
>
> What would you think of adding support for realm templates?
>
> The idea would be similar to client templates. One could define common
> properties in a realm template and create concrete realms based on the
> template. Whenever any of the common properties need to be changed, it
> would only be necessary to make the changes on the template instead of
> changing individual realms separately. Changes to the template would
> propagate to realms automatically.
>
> I would like to see at least realm settings and roles being defined on the
> template. Maybe also clients and groups. Identity providers would also be
> useful. Keys, certificates, users and various credentials would naturally
> be specific to each realm.
>
> If possible it would be great if one could choose to override the settings
> in the template so that the template would only define default values. But
> if it complicates the implementation too much I'm sure the feature is just
> as useful without this possibility.
>
> I think this would make the life of SaaS application developers with realm
> per tenant much easier as you would not need to write custom tools to
> automate change propagation to realms.
>
> Could this be something for 2.0?
>
> Best regards,
> Thomas
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
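The quoted proposal describes what a realm template would do (template defines default realm settings and roles, a tenant realm may override individual values, changes propagate to every realm) and notes that today a realm-per-tenant SaaS has to script this propagation itself. The following is an added example of such a script, written for this page and not code from Keycloak or from either poster. It models the template and the per-tenant overrides as plain dicts, computes the minimal set of admin REST calls needed to bring a realm in line, and only then talks to the server. The endpoints used (GET/PUT /admin/realms/{realm}, GET/POST /admin/realms/{realm}/roles, the admin-cli password grant on the master realm) are Keycloak's documented admin API; the template contents, tenant names, URL and credentials are constructed assumptions, and the tool relies on Keycloak applying only the fields present in a partial RealmRepresentation on PUT.

```python
"""Added example: propagate a realm 'template' to realm-per-tenant deployments
via the Keycloak admin REST API. Not Keycloak project code."""
import json
import urllib.parse
import urllib.request

# Constructed template. Keys under "settings" are RealmRepresentation field
# names; the values are illustrative defaults, not a recommendation.
TEMPLATE = {
    "settings": {
        "sslRequired": "external",
        "bruteForceProtected": True,
        "passwordPolicy": "length(12) and notUsername",
        "accessTokenLifespan": 300,
    },
    "roles": ["tenant-admin", "tenant-user"],
}

# Constructed tenant specs: realm name plus explicit overrides, i.e. the
# "template only defines default values" variant from the proposal.
TENANTS = [
    {"realm": "tenant-a", "overrides": {}},
    {"realm": "tenant-b", "overrides": {"accessTokenLifespan": 60}},
]

# Realm-specific material that must never come from the template (keys,
# users, credentials, identity) and that the tool refuses to template.
PROTECTED = {"id", "realm", "users", "keys", "components", "clients",
             "identityProviders", "enabled"}


def effective_settings(template, tenant):
    """Template defaults with the tenant's explicit overrides winning."""
    merged = dict(template["settings"])
    for key, value in tenant.get("overrides", {}).items():
        if key in PROTECTED:
            raise ValueError(f"{key} is realm-specific and cannot be templated")
        merged[key] = value
    return merged


def plan_updates(template, tenant, current_realm, current_roles):
    """Return (method, path, body) admin calls that bring one realm in line.

    current_realm: RealmRepresentation from GET /admin/realms/{realm}
    current_roles: role names from GET /admin/realms/{realm}/roles
    Only settings that differ are sent, and only missing roles are created,
    so re-running the tool after a template change is idempotent.
    """
    realm = tenant["realm"]
    wanted = effective_settings(template, tenant)
    changed = {k: v for k, v in wanted.items() if current_realm.get(k) != v}
    calls = []
    if changed:
        calls.append(("PUT", f"/admin/realms/{realm}", changed))
    present = set(current_roles)
    for role in template["roles"]:
        if role not in present:
            calls.append(("POST", f"/admin/realms/{realm}/roles", {"name": role}))
    return calls


def _request(base_url, token, method, path, body=None):
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:  # raises on 4xx/5xx
        raw = resp.read()
    return json.loads(raw) if raw else None


def admin_token(base_url, username, password):
    """Password grant against the master realm with the built-in admin-cli client."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(base_url + "/realms/master/protocol/openid-connect/token",
                                 data=form, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def propagate(base_url, token, template, tenants, dry_run=True):
    """Fetch each tenant realm, plan the delta, and apply it unless dry_run."""
    applied = []
    for tenant in tenants:
        realm = tenant["realm"]
        current = _request(base_url, token, "GET", f"/admin/realms/{realm}")
        roles = [r["name"] for r in _request(base_url, token, "GET",
                                             f"/admin/realms/{realm}/roles")]
        for method, path, body in plan_updates(template, tenant, current, roles):
            applied.append((method, path, body))
            if not dry_run:
                _request(base_url, token, method, path, body)
    return applied


if __name__ == "__main__":
    # Assumed local server and credentials; dry_run only prints the plan.
    tok = admin_token("http://localhost:8080/auth", "admin", "admin")
    for call in propagate("http://localhost:8080/auth", tok, TEMPLATE, TENANTS):
        print(*call)
```

Because `plan_updates` is a pure function of the template, the tenant spec and the realm's current state, it can be unit-tested offline and the same run can be replayed as a dry run before touching production realms. Note that the propagation only ever pushes the templated settings and roles; anything in `PROTECTED` is left to each realm, which matches the proposal's point that keys, certificates, users and credentials stay realm-specific.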