[keycloak-user] [Conception] how to define a suitable realm

Rafael Weingärtner rafaelweingartner at gmail.com
Mon Aug 13 08:59:43 EDT 2018


Well, it is an ABAC (attribute-based access control) system. You can use a
single realm and add an attribute let’s say X with value Y that is
requested by AppA and AppB. Then, you add this attribute to all users that
need access to AppA and AppB. The same for your case of AppB and AppC.

Also, bear in mind OpenID Connect and SAML are not just single sign-on
tools. They are federated systems protocols. In a federation, you can have
multiple SP and IdP. There is nothing that forbids SPs to work with
multiple IdPs.

On Mon, Aug 13, 2018 at 9:46 AM, GARDAIS Ionel <
ionel.gardais at tech-advantage.com> wrote:

> Hi list,
>
> I have a question about the creation of the realms in Keycloak.
> It may be SSO-101 but I can't figure the right answer.
>
> As I understand it, a realm is a collection of clients sharing the same
> policies.
> A user logged from one client in a realm will be authenticated in all
> other clients in the same realm.
>
> Say I have 3 apps AppA, AppB and AppC.
> I want a user to be SSO'ed with AppA and AppB (not AppC).
> I also want a user to be SSO'ed with AppB and AppC (not AppA).
>
> I guess I need a realm covering AppA and AppB and another realm covering
> AppB and AppC.
> However, most (if not all) clients I've seen only allow one IDP definition
> thus forbids AppB to know both realms.
>
>
> How to solve this ?
>
> Regards,
> Ionel
>
> --
> 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
> Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>



-- 
Rafael Weingärtner


More information about the keycloak-user mailing list