[keycloak-dev] Users and Realms
Stan Silvert
ssilvert at redhat.com
Fri May 17 06:27:15 EDT 2019
I think it's worth considering if we still have use cases without a good
solution.

On 5/16/2019 11:14 AM, Pedro Igor Silva wrote:
> Hi,
>
> As you know, currently users belong to a realm and as such, you can't share
> them across different realms. We always had people looking for alternatives
> about how to solve this problem where all the available options have their
> pros and cons.
>
> I would like to see what you think about decoupling users from realms in a
> way that user federation and management are completely decoupled from
> realms so that users (or groups of users) can be *associated* with realms.
>
> As an example, here is how you would configure users and realms in Keycloak:
>
> 1) Configure your identity stores/user federation from where users will be
> fetched. Or create users in Keycloak.
>
> 2) Assign to your users a label or a logical group. This assignment could
> be done manually or even automatically depending on:
>
> a) a default group that all users are in
> b) the identity store from where users are fetched
> c) based on the user's email (domain)
> d) anything else that makes sense
>
> 3) Create a realm and specify which users should belong to a realm based on
> these labels or groups. A realm should be able to have users with different
> labels/groups.
>
> The realm definition/configuration would not change much as it stands
> today. Each of them would still have their own way of managing
> realm-specific groups and roles.
>
> Regards.
> Pedro Igor
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
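
A small model of the label-based association proposed in the quoted message, added here as an illustration; it is not Keycloak code and not from either poster. All names (`labels_for`, `Realm.admits`, the rule tables, the sample users and realms) are hypothetical, and applying the email-domain rule only to verified addresses is an assumption of this sketch, since a label decides realm membership.

```python
from dataclasses import dataclass

DEFAULT_LABEL = "all-users"                          # rule (a): default group
# Constructed rule tables (hypothetical stores, domains and labels).
STORE_LABELS = {"corp-ldap": "employees", "partner-ldap": "partners"}        # rule (b)
DOMAIN_LABELS = {"example.com": "employees", "partner.example": "partners"}  # rule (c)

@dataclass(frozen=True)
class User:
    username: str
    store: str                       # identity store the user was fetched from
    email: str = ""
    email_verified: bool = False
    manual_labels: frozenset = frozenset()           # labels assigned by hand

def labels_for(user):
    """Step 2: derive a user's labels from the automatic and manual rules."""
    labels = {DEFAULT_LABEL} | set(user.manual_labels)
    if user.store in STORE_LABELS:
        labels.add(STORE_LABELS[user.store])
    # Assumption: an unverified, self-asserted address must not grant a label.
    if user.email_verified and user.email.count("@") == 1:
        domain = user.email.rsplit("@", 1)[1].lower()
        if domain in DOMAIN_LABELS:
            labels.add(DOMAIN_LABELS[domain])
    return frozenset(labels)

@dataclass(frozen=True)
class Realm:
    name: str
    accepted_labels: frozenset       # step 3: labels this realm draws users from

    def admits(self, user):
        return bool(self.accepted_labels & labels_for(user))

def realms_for(user, realms):
    """Names of every realm the user is associated with, sorted."""
    return sorted(r.name for r in realms if r.admits(user))

# Constructed sample data.
REALMS = [Realm("intranet", frozenset({"employees"})),
          Realm("portal", frozenset({"employees", "partners"})),
          Realm("public", frozenset({DEFAULT_LABEL}))]
ALICE = User("alice", "corp-ldap", "alice@example.com", True)
BOB = User("bob", "partner-ldap")
MALLORY = User("mallory", "local", "mallory@example.com", False)

if __name__ == "__main__":
    for u in (ALICE, BOB, MALLORY):
        print(u.username, sorted(labels_for(u)), realms_for(u, REALMS))
```
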