[keycloak-user] [keycloak-dev] Keycloak 1.6.0.Final Released
Patrick Andreas Näf
p.naef at naef-itcom.ch
Wed Oct 21 09:53:03 EDT 2015
Here i have a similar requirement for a saas application. Need to have a
single login form for all users and when the user logs in, i have to
descide to which tenant (and server) a user belongs. Then i do a
redirect to the right server / tenant.
It's the same way most saas applications works (one login screen, then
you get redirected to the right server / application).
If we want to have one single login form for all tenants, then we can
only have the users in the same realm i think, because you must be sure
that all the users are unique.
But we also need a way to let a user log in into several tenants with
the same user. For that i plan to add a role for every tenant. If a user
has several such roles, he must choose to which tenant he wants to connect.
The application makes sure only a user with the correct role can use a
Maybe there is a better way to solve that?
The best way to solve it would be to allow a user to be in more than one
realm and support a way to test in which realms a user is. Then we can
login the user and test the realm(s).
But i think that wouldn't be possible because the hole design is
different. Maybe a "super realm" is possible that is a container for
Am 21.10.2015 um 14:46 schrieb Stian Thorgersen:
> I think the first question to ask is do you want to share users and
> config between tenants? If you do you should have a single realm, if
> not you should have separate realms.
> On 21 October 2015 at 14:38, Thomas Raehalme
> <thomas.raehalme at aitiofinland.com
> <mailto:thomas.raehalme at aitiofinland.com>> wrote:
> On Tue, Oct 20, 2015 at 8:20 PM, Stian Thorgersen
> <sthorger at redhat.com <mailto:sthorger at redhat.com>> wrote:
> Thousands should be no problem at all. Tens of thousands
> should be ok, but we'd have to test that. I guess you're
> building a public api or something since you're expecting that
> many clients?
> I have been thinking of various ways to utilize Keycloak in a SaaS
> application. A separate realm per tenant is probably the most
> natural option, but how about using a single realm with individual
> clients for each tenant, would that make any sense? I think it
> would have its advantages (eg. the SaaS service provider could use
> a single account to access any tenant, and tenants could register
> themselves as clients when being deployed?).
> Best regards,
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
Näf ITCom AG
Patrick Andreas Näf
CEO / Owner
MSc ETH Inf.-Ing.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the keycloak-user