[keycloak-user] Multi Tenancy
Bill Burke
bburke at redhat.com
Mon Feb 24 20:31:29 EST 2014
So you want to bind a URL to a specific adapter configuration?
<secured-deployment> might have a <url-pattern> and/or keycloak.json
might be expanded to do the same.
url-pattern could be /foo/bar/*
or even /foo/bar/{realm}/* and keycloak adapter would pull and match a
realm configuration based on this?
More comments inline
On 2/24/2014 2:28 PM, Travis De Silva wrote:
>
> I had a look at your thoughts on how to do this with Aerogear. If I
> understand the concept correctly, with the UPS + Keycloak in one bundle
> option, we have to update the jboss wildfly config on the fly whenever
> we get new tenants. I did not think of this option and am not sure if this
> could be done with wildfly without having to restart wildfly, but even
> if that is possible, that means we are going to have a large list of
> wildfly adapter profiles and I don't think that is practical. Just think
> even if we get 200 tenants, this is going to make it very complicated.
> Also I think the concept is one war per realm so this might not even be
> possible for a single application multi tenant model.
>
There's just no way around a large number of adapter profiles in your
scenario. Each realm has its own public key with which to verify tokens.
Each of these public keys must be known to the adapter.
FYI: Originally we were going to have Keycloak as a SaaS option hosted
as one server on Openshift sso.keycloak.org or something. Users would
have been able to register and create their own realms. It was decided
that users might be a little scared of the idea of one database holding
everybody's security metadata, so the idea switched to writing a
cartridge which you could configure solely for your organization. I
guess what I'm saying is that a cartridge approach might be best in most
scenarios. Still I want to support your use case as best we can.
BTW, I really appreciate the feedback. Without users trying our stuff
and giving us ideas on how they would like to use Keycloak, we'll never
be successful. Thanks.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
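As an added example (not from this thread and not Keycloak's adapter code), a Python sketch of the url-pattern idea above: {realm} is pulled from the request path, mapped to that realm's adapter configuration, and the token's iss claim is checked against the resolved realm before its signature would be verified with that realm's key. The config dictionary, the placeholder keys and the sample tokens are constructed for the demo.

```python
import base64
import json
import re

# Constructed per-realm adapter configs (placeholder keys, not real keycloak.json files).
# The adapter must know every realm's public key to verify that realm's tokens.
REALM_CONFIGS = {
    "acme":   {"auth-server-url": "https://sso.example.test/auth", "realm": "acme",
               "realm-public-key": "PLACEHOLDER_ACME_RSA_PUBLIC_KEY"},
    "globex": {"auth-server-url": "https://sso.example.test/auth", "realm": "globex",
               "realm-public-key": "PLACEHOLDER_GLOBEX_RSA_PUBLIC_KEY"},
}

def compile_url_pattern(pattern):
    """Turn a pattern such as /foo/bar/{realm}/* into an anchored regex.
    {realm} matches exactly one path segment, so '..' or '/' cannot be smuggled in."""
    regex = ""
    for tok in re.split(r"(\{realm\}|\*)", pattern):
        if tok == "{realm}":
            regex += r"(?P<realm>[A-Za-z0-9_-]+)"
        elif tok == "*":
            regex += r".*"
        else:
            regex += re.escape(tok)
    return re.compile("^" + regex + "$")

def resolve_realm_config(compiled, path, configs=REALM_CONFIGS):
    """Pick the adapter config for a request path; None means reject the request."""
    m = compiled.match(path)
    if m is None:
        return None
    return configs.get(m.group("realm"))   # unknown realm -> None

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issuer_matches(config, token):
    """Check that the token's iss claim names the realm the URL resolved to. This runs
    before signature verification with config['realm-public-key'] (not shown here)."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    expected = f"{config['auth-server-url']}/realms/{config['realm']}"
    return payload.get("iss") == expected

def make_sample_token(issuer):
    """Constructed, unsigned sample token for the demo (the signature part is a dummy)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc({'iss': issuer, 'sub': 'user1'})}.dummysig"
```

A token issued by realm globex presented under /foo/bar/acme/... fails the issuer check even before any key is consulted, which is the cross-realm confusion a per-URL realm binding has to rule out.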