[keycloak-user] Multiple tenants in a single realm
Shanon Levenherz
shanonvl at gmail.com
Fri Jun 2 09:03:41 EDT 2017
Hi there,
I’m looking to leverage Keycloak as the primary IdP for our SaaS platform. We have many tenants, each with their own sub-tenants (their customers), and would like to provide them with the ability to administer themselves (and enable sub-tenant users to admin the sub-tenant, etc.). Based on my current research, which includes the multi-tenant example in the GitHub repo, it appears that multiple tenants are supported via separate realms. My current thinking is that I’d like to use a single realm, as I’d like for a platform administrator (like myself) to be able to manage all users in a single place, use a group hierarchy to support multiple tenants, and apply roles to specific users in a group to e.g. administer the users or create a sub-group for a new tenant.
Something like this:
REALM
|
|- User 1 (user-admin role)
|
|- Tenant 1 Group
| |
| |- User 1.1 (user-admin role)
| |- User 1.2
| |- …
| |- User 1.n
|
|- Tenant 2 Group
| |
| |- User 2.1 (user-admin role)
| |- User 2.2
| |- …
| |- User 2.n
| |
| |- Tenant 3 Group
| |
| |- User 3.1 (user-admin role)
| |- User 3.2
| |- …
| |- User 3.n
From the above we’re looking for:
* User 1 is the realm/platform administrator and has full control over all groups/users
* User 1.1 is the administrator for Tenant 1
* User 2.1 is the administrator for Tenants 2 and 3
* User 3.1 is the administrator for Tenant 3
I came across this thread <http://lists.jboss.org/pipermail/keycloak-user/2015-October/003359.html> and specifically this comment from Bill Burke:
>I like that idea. A better alternative might be that each group has an
>"user-admin" role. If a user has the "user-admin" role of the group, it
>can administer users in that group and assign roles defined in that
>group. One thing to really think about is, what about sub-groups. Can
>an admin of the parent group administer sub groups?
This post is from October 2015, so I’m curious if the ability to grant specific roles to specific users in a specific group has been implemented at all? I can’t find anything about it in the docs. I also just noticed this JIRA issue <https://issues.jboss.org/browse/KEYCLOAK-3168> but am not sure if it’s the same thing.
Disclaimer: I’m new to Keycloak, so maybe I am misunderstanding and/or going about this incorrectly… please let me know if I can provide more information; I can provide a more complete description of my goals / requirements if that would help.
Thank you!
Best,
Shanon
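As an added illustration (not part of the original post, and not Keycloak's own code): a small Python model of the group-scoped "user-admin" policy the post is asking about, including the sub-group question Bill Burke raises. It mirrors the hierarchy in the post (Tenant 3 nested under Tenant 2) and assumes, as a hypothetical policy, that an admin of a parent group may also administer its sub-groups; group paths follow Keycloak's "/parent/child" convention, but the `can_administer` rule itself is an assumption for discussion, not a description of what Keycloak enforces.

```python
"""
Constructed model of group-scoped delegated administration.
Not Keycloak code: the policy below (a 'user-admin' in a group manages
that group and, by assumption, every sub-group beneath it) is a
hypothetical rule used to reason about the hierarchy in the post.
"""
from dataclasses import dataclass, field

USER_ADMIN = "user-admin"


@dataclass
class Group:
    name: str
    # username -> set of group-scoped roles held in this group
    members: dict = field(default_factory=dict)
    subgroups: list = field(default_factory=list)
    parent: "Group | None" = None

    def add_subgroup(self, name):
        child = Group(name, parent=self)
        self.subgroups.append(child)
        return child

    def add_member(self, user, roles=()):
        self.members[user] = set(roles)

    def path(self):
        """Keycloak-style path, e.g. '/Tenant 2/Tenant 3'; the realm root is '/'."""
        parts, g = [], self
        while g.parent is not None:
            parts.append(g.name)
            g = g.parent
        return "/" + "/".join(reversed(parts))

    def ancestors_and_self(self):
        g = self
        while g is not None:
            yield g
            g = g.parent

    def walk(self):
        """Depth-first traversal of this group and everything beneath it."""
        yield self
        for s in self.subgroups:
            yield from s.walk()


def find_group_of(root, user):
    """Group that directly holds `user` (assumes each user sits in exactly one group)."""
    for g in root.walk():
        if user in g.members:
            return g
    raise KeyError(user)


def admin_scope(root, admin):
    """Paths of every group `admin` may manage: each group where the admin holds
    'user-admin', plus (assumption) all sub-groups beneath it."""
    scope = set()
    for g in root.walk():
        if USER_ADMIN in g.members.get(admin, set()):
            scope.update(s.path() for s in g.walk())
    return scope


def can_administer(root, admin, target):
    """True if the target's group, or one of its ancestors, is a group in which
    `admin` holds 'user-admin'. A tenant admin therefore cannot reach a sibling
    tenant, but a realm-root admin reaches everyone."""
    target_group = find_group_of(root, target)
    return any(USER_ADMIN in g.members.get(admin, set())
               for g in target_group.ancestors_and_self())


def build_example_realm():
    """Constructed hierarchy mirroring the post; Tenant 3 is a child of Tenant 2."""
    realm = Group("")                          # realm root, path '/'
    realm.add_member("user1", [USER_ADMIN])    # platform administrator
    t1 = realm.add_subgroup("Tenant 1")
    t1.add_member("user1.1", [USER_ADMIN])
    t1.add_member("user1.2")
    t2 = realm.add_subgroup("Tenant 2")
    t2.add_member("user2.1", [USER_ADMIN])
    t2.add_member("user2.2")
    t3 = t2.add_subgroup("Tenant 3")
    t3.add_member("user3.1", [USER_ADMIN])
    t3.add_member("user3.2")
    return realm


if __name__ == "__main__":
    realm = build_example_realm()
    for admin in ("user1", "user1.1", "user2.1", "user3.1"):
        print(admin, "manages", sorted(admin_scope(realm, admin)))
```

The useful part is the negative cases: with the check anchored on the target's group chain, User 1.1 cannot touch Tenant 2 users and User 3.1 cannot reach back up into Tenant 2, while User 2.1 reaches Tenant 3 only because the assumed rule lets a parent-group admin cover sub-groups; dropping that assumption is a one-line change to `can_administer` and `admin_scope`.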