[keycloak-user] Picketlink -> Keycloak

Keith Dev keith.dev at pobox.com
Wed Jul 20 15:44:25 EDT 2016


Consider an independent contractor (user) that works for two companies
(tenant) on different projects (resource). Control of the project belongs
to the company, not the contractor, so the security artifacts (resources,
groups, roles) belong with the company. But we want to provide a user
interface to the contractor where they do not have to manage multiple
accounts.

Tiers in Picketlink allow for each tenant to have their own set of groups
and roles (though they have duplicate meanings for each).

I'm open to any solutions, including revisiting one realm per tenant
(though I have some concerns
<https://issues.jboss.org/browse/KEYCLOAK-3067> about
whether or not keycloak is meant to support 1k+ realms).

Is that sufficient explanation?

Thanks, Keith

On Wed, Jul 20, 2016 at 2:18 PM Bill Burke <bburke at redhat.com> wrote:

> Define "tenant" and what it accomplishes and how you are using tiers to
> implement this functionality and I might be able to help.
>
> On 7/20/16 2:41 PM, Keith Dev wrote:
>
> I'm moving a web application with REST services from Picketlink to
> Keycloak. This is a multi-tenant application (1k+ tenants) where single
> user accounts can belong to multiple tenants. In Picketlink, this was
> accomplished using Tiers. So there is a single realm, but one Tier per
> tenant. It's not clear what the analog is in Keycloak.
>
> We considered multiple realms, but both the number of tenants and the hard
> requirement to allow a single user across tenants seems to make this a
> nonstarter.
>
> The best idea we have so far is to have a single realm, but create
> namespaced security artifacts: e.g. Tenant1.Admins. This is not ideal as we
> were hoping for more separation between tenants. I did see this
> <http://lists.jboss.org/pipermail/keycloak-dev/2013-July/000116.html> which
> suggests that Picketlink Tiers equate to Resources, but it's not clear how.
> Certainly there does not seem to be any separation of security artifacts
> within a Resource per se.
>
> Advice?
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
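The single-realm, namespaced-artifact approach discussed in this thread (roles such as Tenant1.Admins, one contractor account spanning several companies) raises the obvious question of how a REST service keeps Company A's roles from satisfying a check on Company B's project. The following is an added example, not code from the thread, from Keycloak or from Picketlink. It assumes a hypothetical "<tenant>.<role>" naming convention in the token's realm_access.roles claim, an optional "/<tenant>/<group>" group-path claim, and that the tenant a request targets is taken from the request (path or header), never from the token.

```python
"""
Tenant-scoped authorization over namespaced Keycloak roles (added example).

Assumptions (hypothetical, not from the thread or from Keycloak itself):
  - one realm; tenant-namespaced realm roles named "<tenant>.<role>",
    e.g. "Tenant1.Admins", in the token's realm_access.roles claim;
  - optionally, group membership as full paths "/<tenant>/<group>" in a
    "groups" claim;
  - the tenant a request targets comes from the request, never the token.
"""
import re

# Tenant ids are restricted to a safe alphabet so a role name splits
# unambiguously on the first separator and no tenant id can contain one.
TENANT_RE = re.compile(r"^[A-Za-z0-9_-]+$")
ROLE_RE = re.compile(r"^(?P<tenant>[A-Za-z0-9_-]+)\.(?P<role>[A-Za-z0-9_-]+)$")
GROUP_RE = re.compile(r"^/(?P<tenant>[A-Za-z0-9_-]+)/(?P<role>[A-Za-z0-9_-]+)$")


def parse_namespaced(names, pattern):
    """Group 'Tenant.Role' or '/Tenant/Group' names by tenant.

    Names that do not fit the convention (global roles such as
    offline_access, malformed entries) are ignored rather than granted."""
    by_tenant = {}
    for name in names:
        m = pattern.match(name)
        if not m:
            continue
        by_tenant.setdefault(m.group("tenant"), set()).add(m.group("role"))
    return by_tenant


def roles_for_tenant(token_claims, requested_tenant):
    """Return only the roles/groups the user holds in the requested tenant.

    Everything granted under any other tenant is discarded, so a role from
    Company A can never satisfy a check on Company B's project."""
    if not TENANT_RE.match(requested_tenant):
        raise ValueError("invalid tenant id")
    realm_roles = token_claims.get("realm_access", {}).get("roles", [])
    groups = token_claims.get("groups", [])
    scoped = parse_namespaced(realm_roles, ROLE_RE)
    for tenant, names in parse_namespaced(groups, GROUP_RE).items():
        scoped.setdefault(tenant, set()).update(names)
    return frozenset(scoped.get(requested_tenant, set()))


def is_allowed(token_claims, requested_tenant, required_role):
    """Authorization check a REST endpoint would call per request."""
    return required_role in roles_for_tenant(token_claims, requested_tenant)


# Constructed sample token claims: a contractor who is an Admin at Tenant1
# but only a Viewer at Tenant2, plus an unrelated global role.
SAMPLE_CLAIMS = {
    "preferred_username": "contractor",
    "realm_access": {"roles": ["Tenant1.Admins", "Tenant2.Viewers", "offline_access"]},
    "groups": ["/Tenant2/Auditors"],
}

if __name__ == "__main__":
    print(is_allowed(SAMPLE_CLAIMS, "Tenant1", "Admins"))  # True
    print(is_allowed(SAMPLE_CLAIMS, "Tenant2", "Admins"))  # False
    print(sorted(roles_for_tenant(SAMPLE_CLAIMS, "Tenant2")))  # ['Auditors', 'Viewers']
```

The point of the design is that the token carries one user's full, cross-tenant picture (which is what the contractor wants for a single login), while every authorization decision is narrowed to the tenant named by the request before any role is compared. Rejecting tenant ids outside the safe alphabet closes the gap where a crafted id such as "Tenant1.Admins" could otherwise be made to match the wrong namespace.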