[keycloak-user] [keycloak-dev] Keycloak 1.6.0.Final Released

Patrick Andreas Näf p.naef at naef-itcom.ch
Wed Oct 21 09:53:03 EDT 2015

Here i have a similar requirement for a saas application. Need to have a 
single login form for all users and when the user logs in, i have to 
descide to which tenant (and server) a user belongs. Then i do a 
redirect to the right server / tenant.
It's the same way most saas applications works (one login screen, then 
you get redirected to the right server / application).

If we want to have one single login form for all tenants, then we can 
only have the users in the same realm i think, because you must be sure 
that all the users are unique.
But we also need a way to let a user log in into several tenants with 
the same user. For that i plan to add a role for every tenant. If a user 
has several such roles, he must choose to which tenant he wants to connect.
The application makes sure only a user with the correct role can use a 

Maybe there is a better way to solve that?

The best way to solve it would be to allow a user to be in more than one 
realm and support a way to test in which realms a user is. Then we can 
login the user and test the realm(s).
But i think that wouldn't be possible because the hole design is 
different. Maybe a "super realm" is possible that is a container for 
such users?

Best regards,

Am 21.10.2015 um 14:46 schrieb Stian Thorgersen:
> I think the first question to ask is do you want to share users and 
> config between tenants? If you do you should have a single realm, if 
> not you should have separate realms.
> On 21 October 2015 at 14:38, Thomas Raehalme 
> <thomas.raehalme at aitiofinland.com 
> <mailto:thomas.raehalme at aitiofinland.com>> wrote:
>     On Tue, Oct 20, 2015 at 8:20 PM, Stian Thorgersen
>     <sthorger at redhat.com <mailto:sthorger at redhat.com>> wrote:
>         Thousands should be no problem at all. Tens of thousands
>         should be ok, but we'd have to test that. I guess you're
>         building a public api or something since you're expecting that
>         many clients?
>     I have been thinking of various ways to utilize Keycloak in a SaaS
>     application. A separate realm per tenant is probably the most
>     natural option, but how about using a single realm with individual
>     clients for each tenant, would that make any sense? I think it
>     would have its advantages (eg. the SaaS service provider could use
>     a single account to access any tenant, and tenants could register
>     themselves as clients when being deployed?).
>     Best regards,
>     Thomas
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

Näf ITCom AG
Patrick Andreas Näf
CEO / Owner
MSc ETH Inf.-Ing.
Höhenweg 7
4917 Melchnau

web: www.naef-itcom.ch

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151021/a09c7cd3/attachment.html 

More information about the keycloak-user mailing list