[keycloak-user] [Conception] how to define a suitable realm

Rafael Weingärtner rafaelweingartner at gmail.com
Mon Aug 13 09:23:51 EDT 2018


Well, I am only starting to use Keycloak (so I do not have deep insights
into its design). However, I do have a background in Identity and access
management systems (as an academic).

Having said that, Keycloak does not replace ABAC. Quite the opposite, it
implements/supports protocols (OpenID Connect and SAML) that enable you to
execute access control of your applications using ABAC (and of course all
of the identity federation stuff). Also, as far as I understood, each realm
in Keycloak can behave as an independent IdP.

On Mon, Aug 13, 2018 at 10:19 AM, GARDAIS Ionel <
ionel.gardais at tech-advantage.com> wrote:

> Thanks for your reply, Rafael.
>
> What are realms for if this can be solved with a single realm and ABAC?
> When are realms a better option to consider than ABAC?
>
>
> ------------------------------
> *From: *"Rafael Weingärtner" <rafaelweingartner at gmail.com>
> *To: *"Ionel GARDAIS" <ionel.gardais at tech-advantage.com>
> *Cc: *"keycloak-user" <keycloak-user at lists.jboss.org>
> *Sent: *Monday 13 August 2018 14:59:43
> *Subject: *Re: [keycloak-user] [Conception] how to define a suitable realm
>
> Well, it is an ABAC (attribute-based access control) system. You can use a
> single realm and add an attribute let’s say X with value Y that is
> requested by AppA and AppB. Then, you add this attribute to all users that
> need access to AppA and AppB. The same for your case of AppB and AppC.
>
> Also, bear in mind OpenID Connect and SAML are not just single sign-on
> tools. They are federated systems protocols. In a federation, you can have
> multiple SPs and IdPs. There is nothing that forbids SPs from working with
> multiple IdPs.
>
> On Mon, Aug 13, 2018 at 9:46 AM, GARDAIS Ionel <
> ionel.gardais at tech-advantage.com> wrote:
>
>> Hi list,
>>
>> I have a question about the creation of the realms in Keycloak.
>> It may be SSO-101 but I can't figure out the right answer.
>>
>> As I understand it, a realm is a collection of clients sharing the same
>> policies.
>> A user logged in from one client in a realm will be authenticated in all
>> other clients in the same realm.
>>
>> Say I have 3 apps AppA, AppB and AppC.
>> I want a user to be SSO'ed with AppA and AppB (not AppC).
>> I also want a user to be SSO'ed with AppB and AppC (not AppA).
>>
>> I guess I need a realm covering AppA and AppB and another realm covering
>> AppB and AppC.
>> However, most (if not all) clients I've seen only allow one IDP
>> definition, which forbids AppB from knowing both realms.
>>
>>
>> How do I solve this?
>>
>> Regards,
>> Ionel
>>
>
>
>
> --
> Rafael Weingärtner


-- 
Rafael Weingärtner
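The single-realm, attribute-based approach described in the thread, as an added example (not Keycloak's own code, nor code from anyone on the list): the realm authenticates a user once, and each client then makes its own decision from the user's attributes. The attribute "X" with values "Y" and "Z", the client ids AppA/AppB/AppC and the users are constructed for illustration; the policy evaluation is a simplified model, not Keycloak's policy engine.

```python
"""Single-realm ABAC model of the AppA/AppB/AppC case from the thread.
Added example, not Keycloak's code: the realm authenticates a user once and
each client then applies its own attribute policy. The attribute "X", values
Y/Z, the client ids and the users are constructed for illustration."""
from dataclasses import dataclass, field

@dataclass
class Realm:
    # username -> {attribute: set of values}; Keycloak user attrs are multi-valued
    users: dict
    # client_id -> set of (attribute, value) pairs; any one match grants access
    clients: dict
    sessions: set = field(default_factory=set)  # usernames holding an SSO session

    def login(self, username):
        """A single authentication against the realm establishes the SSO session."""
        if username not in self.users:
            return False
        self.sessions.add(username)
        return True

    def access(self, username, client_id):
        """Per-client decision: 'no-session', 'deny' or 'allow'."""
        if username not in self.sessions:
            return "no-session"
        attrs = self.users[username]
        for attr, value in self.clients[client_id]:
            if value in attrs.get(attr, set()):
                return "allow"
        return "deny"

def build_realm():
    """AppA and AppB accept X=Y; AppB and AppC accept X=Z (constructed data)."""
    clients = {
        "AppA": {("X", "Y")},
        "AppB": {("X", "Y"), ("X", "Z")},
        "AppC": {("X", "Z")},
    }
    users = {
        "alice": {"X": {"Y"}},  # expected to reach AppA and AppB only
        "bob": {"X": {"Z"}},    # expected to reach AppB and AppC only
        "carol": {},            # authenticated, but no attribute: nothing
    }
    return Realm(users, clients)

def reachable_apps(realm, username):
    """Apps usable after one realm login (SSO session plus attribute check)."""
    if not realm.login(username):
        return []
    return sorted(c for c in realm.clients if realm.access(username, c) == "allow")
```

Authentication happens once per realm, so the SSO the question asks for is preserved; what keeps alice out of AppC is AppC's attribute policy, not a second realm.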
