[keycloak-user] Fwd: Multi-org salesforce with single realm keycloak

Anthony Fryer anthony.fryer at gmail.com
Wed Jun 8 22:01:22 EDT 2016


Why do you say "very hard to get App1 to support multiple realms (no
adapter or keycloak support)"?

Keycloak does provide multi-tenancy support via the
KeycloakConfigResolver.  See
https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant.

The issue would be if your app can't use a keycloak adapter.

On Thu, Jun 9, 2016 at 10:05 AM, Jesse Chahal <jessec at stytch.com> wrote:

> Hi,
>
> I'm back again. I'm trying to figure out how scale Identity Providers.
> We are planning on trying to integrate our App1 with salesforce. A
> user who logs into salesforce should be able to have a native feel of
> our App1 within it. Todo this we'll probably have to end up building
> salesforce native apps. For every salesforce organization/licensee we
> will have to register an Identity provider with keycloak to make sure
> they can correctly use App1. Some configuration options we came up
> with are listed below. Has anyone else solved a similar problem?
>
> OPTION 1
> ########################################################
> # Keycloak
>                               #
> # ---> master realm
>                           #
> # ---> realm 1
>                               #
> # --- ---> app1_client (open ID)
>                      #
> # --- ---> salesforce_org1_saml2.0_identity_provider
>     #
> # --- ---> salesforce_org2_saml2.0_identity_provider
>     #
> #
>                                      #
> # Salesforce
>                               #
> # ---> org1
>                                 #
> # ---- ----> salesforce_appX (uses App1)
>               #
> # ---> org 2
>                                 #
> # ---- ----> salesforce_appX (uses App1)
>               #
> # ---- ----> salesforce_appY (uses App1)
>               #
> # .....
>                                      #
> #
>                                      #
> # App 1
>                                  #
> # ---> OpenID to realm1 (using adapter)
>               #
> ########################################################
> benefits
> - single login page
> - single realm
> cons
> - login page with infinite number of identity provider buttons present
>
>
> OPTION 2
> ########################################################
> # Keycloak
>                               #
> # ---> master realm
>                           #
> # ---> realm 1
>                               #
> # --- ---> app1_client (open ID)
>                      #
> # --- ---> salesforce_org1_saml2.0_identity_provider
>     #
> # ---> realm 2
>                               #
> # --- ---> app1_client (open ID)
>                      #
> # --- ---> salesforce_org2_saml2.0_identity_provider
>     #
> #
>                                      #
> # Salesforce
>                               #
> # ---> org1
>                                 #
> # ---- ----> salesforce_appX (uses App1)
>               #
> # ---> org 2
>                                 #
> # ---- ----> salesforce_appX (uses App1)
>               #
> # ---- ----> salesforce_appY (uses App1)
>               #
> # .....
>                                      #
> #
>                                      #
> # App 1
>                                  #
> # ---> OpenID to realm1, realm2, realm#.... (using adapter)
> #
> ########################################################
> benefits
> - single salesforce button per login page
> - users are more isolated in single realm
> cons
> - very hard to get App1 to support multiple realms (no adapter or
> keycloak support)
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160609/621f5b27/attachment.html 


More information about the keycloak-user mailing list