[keycloak-user] Multi-tenancy applications

Stian Thorgersen stian at redhat.com
Thu Apr 9 08:37:01 EDT 2015


This is not something that we have on our road-map and even if we decided to add it would be a long time until we'd get to.

However, as I suggested this is something you can implement yourself using the admin rest api.

----- Original Message -----
> From: "Egor Kolesnikov" <egor.kolesnikov at fastlane-it.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 9 April, 2015 2:32:47 PM
> Subject: Re: [keycloak-user] Multi-tenancy applications
> 
> Hi Stan
> 
> Yes, that's what I thought - putting in some synchronisation smarts and
> locking down applications within tenants' realms.
> 
> Is this even on the roadmap? If we take a look at, say, Google - they have
> tenants (Google Apps for Business) who have their own domains, admins and
> users, and they also have applications accessible by all users of all
> tenants.
> 
> 
> ...on the other side, is it possible to use different approach and
> implement "tenant ID" as a User attribute within the realm?

No, everything we have is very fixed to the concept of being contained within a specific realm. Persistence, APIs, GUIs, etc are all built on that concept.

> 
> Cheers
> Egor
> 
> 
> 
> On Thu, Apr 9, 2015 at 10:11 PM, Stian Thorgersen <stian at redhat.com> wrote:
> 
> >
> >
> > ----- Original Message -----
> > > From: "Egor Kolesnikov" <egor.kolesnikov at fastlane-it.com>
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Thursday, 9 April, 2015 4:58:12 AM
> > > Subject: [keycloak-user] Multi-tenancy applications
> > >
> > > I've been using Keycloak for quite some time now on a couple of
> > projects, and
> > > it's absolutely awesome - it just does the right thing, straight out of
> > the
> > > box.
> > >
> > > However, what I found quite confusing is the "Realm" definition which is
> > > missing from the documentation.
> > > I'm trying to add multi-tenancy support to our application and found it
> > a bit
> > > confusing. It seems that Keycloak's approach to multitenancy is "Realm
> > per
> > > tenant" - which makes sense, until it comes to realisation that the
> > > applications only exist within realms. This implies that if there are few
> > > hundreds of tenants (i.e. organisations using the application), the task
> > of
> > > changing application config (i.e. adding application-level role or
> > > adding/removing redirect URL) becomes maintenance nightmare.
> > >
> > > Is it at all possible to define a "global", not realm-confined
> > application in
> > > Keycloak? Would it be hard to implement? Happy to put some effort into it
> > > and send a pull request.
> >
> > It's not possible now and would require a lot of changes.
> >
> > The best idea I can come up with is to use the admin endpoints to automate
> > replicating the applications for multiple realms. Would be relatively easy
> > to write something that uses the application in one realm as a reference
> > and duplicates it to other realms.
> >
> > >
> > > A bit more context:
> > > - I have an webapp that serves multiple organisations.
> > > - Each organisation has its own users and admins (who can create users
> > and
> > > other admins).
> > > - There is a "Super" administrator who creates organisations and admins.
> > > - Webapp can recognise the organisation based on Company ID or domain
> > name.
> > >
> > > Many thanks in advance.
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> 
> 
> 
> --
> 
> Egor Kolesnikov
> Director
> Fastlane Solutions Pty Ltd
> m. +61(4) 6884 5909
> 


More information about the keycloak-user mailing list