[keycloak-user] Fwd: Multi-org salesforce with single realm keycloak
Anthony Fryer
anthony.fryer at gmail.com
Wed Jun 8 22:01:22 EDT 2016
Why do you say "very hard to get App1 to support multiple realms (no
adapter or keycloak support)"?
Keycloak does provide multi-tenancy support via the
KeycloakConfigResolver. See
https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant.
The issue would be if your app can't use a keycloak adapter.
On Thu, Jun 9, 2016 at 10:05 AM, Jesse Chahal <jessec at stytch.com> wrote:
> Hi,
>
> I'm back again. I'm trying to figure out how to scale Identity Providers.
> We are planning on trying to integrate our App1 with salesforce. A
> user who logs into salesforce should be able to have a native feel of
> our App1 within it. To do this we'll probably have to end up building
> salesforce native apps. For every salesforce organization/licensee we
> will have to register an Identity provider with keycloak to make sure
> they can correctly use App1. Some configuration options we came up
> with are listed below. Has anyone else solved a similar problem?
>
> OPTION 1
> ########################################################
> # Keycloak
> #
> # ---> master realm
> #
> # ---> realm 1
> #
> # --- ---> app1_client (open ID)
> #
> # --- ---> salesforce_org1_saml2.0_identity_provider
> #
> # --- ---> salesforce_org2_saml2.0_identity_provider
> #
> #
> #
> # Salesforce
> #
> # ---> org1
> #
> # ---- ----> salesforce_appX (uses App1)
> #
> # ---> org 2
> #
> # ---- ----> salesforce_appX (uses App1)
> #
> # ---- ----> salesforce_appY (uses App1)
> #
> # .....
> #
> #
> #
> # App 1
> #
> # ---> OpenID to realm1 (using adapter)
> #
> ########################################################
> benefits
> - single login page
> - single realm
> cons
> - login page with infinite number of identity provider buttons present
>
>
> OPTION 2
> ########################################################
> # Keycloak
> #
> # ---> master realm
> #
> # ---> realm 1
> #
> # --- ---> app1_client (open ID)
> #
> # --- ---> salesforce_org1_saml2.0_identity_provider
> #
> # ---> realm 2
> #
> # --- ---> app1_client (open ID)
> #
> # --- ---> salesforce_org2_saml2.0_identity_provider
> #
> #
> #
> # Salesforce
> #
> # ---> org1
> #
> # ---- ----> salesforce_appX (uses App1)
> #
> # ---> org 2
> #
> # ---- ----> salesforce_appX (uses App1)
> #
> # ---- ----> salesforce_appY (uses App1)
> #
> # .....
> #
> #
> #
> # App 1
> #
> # ---> OpenID to realm1, realm2, realm#.... (using adapter)
> #
> ########################################################
> benefits
> - single salesforce button per login page
> - users are more isolated in single realm
> cons
> - very hard to get App1 to support multiple realms (no adapter or
> keycloak support)
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
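As an added illustration of the KeycloakConfigResolver approach Anthony points to (this is example code written for this post, not the project's own multi-tenant example and not code from either poster), the resolver below picks a realm-specific adapter configuration per request so that a single App1 deployment can serve realm1, realm2, and so on. It assumes the tenant is encoded as the first path segment of the request (e.g. `/realm1/...`), that each tenant has a classpath file named `<realm>-keycloak.json`, and that the adapter API is the `org.keycloak.adapters` / `org.keycloak.adapters.spi.HttpFacade` variant of the 1.9/2.x line; the package name `example.app1.auth` and the method `realmFromPath` are hypothetical. Two points a defender would want here beyond the basic lookup: the realm name taken from the URL is validated against a strict pattern before it is used to locate a file, and an unknown tenant fails closed with an exception rather than falling through to an unconfigured deployment.

```java
package example.app1.auth;  // hypothetical package for this example

import java.io.InputStream;
import java.net.URI;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;

/**
 * Resolves the Keycloak adapter configuration for the tenant named in the
 * first path segment of the request, e.g. /realm1/app -> realm1-keycloak.json.
 *
 * Registered via web.xml (assumed adapter convention):
 *   <context-param>
 *     <param-name>keycloak.config.resolver</param-name>
 *     <param-value>example.app1.auth.TenantPathKeycloakConfigResolver</param-value>
 *   </context-param>
 */
public class TenantPathKeycloakConfigResolver implements KeycloakConfigResolver {

    // Only plain realm names are accepted; this is what keeps a crafted path
    // segment such as "../../etc" from ever reaching the resource lookup.
    private static final Pattern REALM_NAME = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    // Built deployments are cached per realm: building one parses JSON and may
    // contact the realm to fetch its signing keys, so do it once per tenant.
    private final Map<String, KeycloakDeployment> cache = new ConcurrentHashMap<>();

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        String realm = realmFromPath(URI.create(request.getURI()).getPath());
        if (realm == null) {
            // Fail closed: a request that names no known tenant must not be
            // served by some default or empty adapter configuration.
            throw new IllegalStateException("Unable to resolve realm from request path");
        }
        return cache.computeIfAbsent(realm, this::buildDeployment);
    }

    /** Extracts and validates the tenant segment; returns null if absent or malformed. */
    static String realmFromPath(String path) {
        if (path == null) {
            return null;
        }
        String trimmed = path.startsWith("/") ? path.substring(1) : path;
        int slash = trimmed.indexOf('/');
        String candidate = slash == -1 ? trimmed : trimmed.substring(0, slash);
        return REALM_NAME.matcher(candidate).matches() ? candidate : null;
    }

    private KeycloakDeployment buildDeployment(String realm) {
        // One adapter config per tenant realm, packaged with the application.
        // Each file carries that realm's auth-server-url, realm name and
        // client credentials, so a token issued by realm1 is rejected by the
        // realm2 deployment because it is verified against realm2's keys.
        String resource = "/" + realm + "-keycloak.json";
        InputStream is = getClass().getResourceAsStream(resource);
        if (is == null) {
            throw new IllegalStateException("No adapter configuration found for tenant: " + resource);
        }
        return KeycloakDeploymentBuilder.build(is);
    }
}
```

With this in place the app registers one `app1_client` in each realm (as in OPTION 2) and ships a `realm1-keycloak.json`, `realm2-keycloak.json`, and so on; the adapter itself does the per-realm token verification, so the application code above the adapter does not need to know which realm a session came from.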