[keycloak-user] [EXTERNAL] Re: Trust between two standalone Keycloak Instances

Stan Silvert ssilvert at redhat.com
Fri Jul 19 15:42:37 EDT 2019 

On 7/18/2019 2:38 PM, Aditya Bhole wrote:
> Hi Stan,
>
> We have 3 enterprise products deployed in their own environments. Now, some of our clients use all three products, some use just one and some use any two of them. Each product is a separate with its own bundled software and not related to the others. So what we want to do is to include Keycloak in each bundle. But there are cases where even from these unrelated products, we need an option for cross product transition.
So your customers should just install one instance of Keycloak.  If they 
want all three products to have SSO with each other then all the users 
should be in the same realm.  If they don't want SSO then each 
application would connect to a different realm.  But it could all be 
done with a single instance (or a clustered, redundant instance).

I get the impression that your product is running on the same instance 
as Keycloak?  That is not recommended.

My advice is not to let the packaging dictate the architecture.  It 
sounds like you will be forcing your customers to manage users spread 
across as many as three Keycloak instances.  I'm sure they would rather 
manage all their users in one place.

You haven't said why you might need domain mode.  Note that domain mode 
is not required for clustering Keycloak.  If you have only a handful of 
Keycloak instances, standalone clustered mode is simpler.  It sounds 
like that's the situation you are in.

If you are bound and determined to do things the hard way, look at the 
documentation on identity brokering in the Server Admin guide. It is 
possible to establish trust between Keycloak realms regardless of 
whether the realms live on the same instance or on different instances.


>
> For that to happen, we need to establish trust between all these separate Keycloak instances. So even if we deploy a new product with Keycloak in its bundle, we would just need to establish trust with the existing system of Keycloak Instances. So is there a way that a token generated by one of the Keycloak instances is accepted by the other Keycloak instances?
>
> Also, in domain mode, if we deploy two Keycloak instances separately as master, later if we decide to keep one as master and make the other one a slave, is that possible?
>
> And about the local settings, say for example, if I had to connect an LDAP for just one of the hosts, can that be done?
>
> Thanks,
> Aditya
>
> On 7/17/19, 3:05 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Stan Silvert" <keycloak-user-bounces at lists.jboss.org on behalf of ssilvert at redhat.com> wrote:
>
> Yes, it can be done, but I still don't understand why you would want to
>      do it this way.  You can also establish trust between two realms on the
>      same server.  That way, you don't need multiple instances of Keycloak to
>      have the apps be fully walled off from each other.
>      
>      That being said, I still don't understand why you wouldn't just do it
>      the easy way.  Are you saying that sometimes you want SSO and sometimes
>      you don't?  I must be missing something from your use case.
>      
>      Lastly, the domain features of WildFly are just used to centrally manage
>      instances of the server.  These servers can be configured any way you
>      want.  I guess this depends on what you mean by "local settings".
>
>
>      On 7/16/2019 1:26 PM, Aditya Bhole wrote:
>      > I understand that deploying 3 clients under one realm will easily enable SSO. Even if we keep the clients in different realms, cross-realm trust can be established. But the use case of our prototype wants the clients to be on different servers. I’ll try to explain as best as I can.
>      >
>      > Our company has 3 products deployed independently and these are managed by different administrators. Sometimes these have to be integrated with each other for seamless cross product experience at which time we would want SSO between the individual product UIs. We intend to use Keycloak as a broker for authentication and to achieve SSO. So that’s why I wanted to know if trust between two standalone Keycloak instances can be established.
>      >
>      > Also, if we deploy the domain controller, can there still be local settings on the different Keycloak instances?
>      >
>      > Thanks,
>      > Aditya
>      
>      >
>      > On 7/15/19, 12:25 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Stan Silvert" <keycloak-user-bounces at lists.jboss.org on behalf of ssilvert at redhat.com> wrote:
>      >
>      >      Why do you need each to have its own Keycloak instance?  A usual setup
>      >      would define all three clients in the same realm under the same Keycloak
>      >      instance.
>      >
>      >      On 7/15/2019 1:23 PM, Aditya Bhole wrote:
>      >      > Hello,
>      >      >
>      >      > I’m new to Keycloak and building a prototype SSO framework for my company. The use case is that my company has 3 clients; A, B and C. Now each client is going to have its own Keycloak instance; KA, KB and KC. Now what I want is when I login through client A I should be logged into client B and C as well. And same goes for all the clients. So for this to happen, is there a way of establishing trust between these three Keycloak instances KA, KB and KC?
>      >      > I’ve successfully established an SSO by using KA as a broker and KB as an IDP. But this is only a master slave kind-of an architecture. When I log in to A, I’m automatically logged into B. But if I log into B, I won’t be automatically logged into A. Is it possible for KA to be a broker for KB and KB to be a broker for KA at the same time?
>      >      > TL;DR :
>      >      > Is there a way where Keycloak only acts as a broker and trust is established between multiple such Keycloak instances?
>      >      >
>      >      > I hope my question makes sense. Please point me in the right direction if I’m looking at this in the wrong way.
>      >      >
>      >      > Thanks,
>      >      > Aditya
>      >      >
>      >      > _______________________________________________
>      >      > keycloak-user mailing list
>      >      > keycloak-user at lists.jboss.org
>      >      > https://lists.jboss.org/mailman/listinfo/keycloak-user
>      >
>      >
>      >      _______________________________________________
>      >      keycloak-user mailing list
>      >      keycloak-user at lists.jboss.org
>      >      https://lists.jboss.org/mailman/listinfo/keycloak-user
>      >
>      >
>      > _______________________________________________
>      > keycloak-user mailing list
>      > keycloak-user at lists.jboss.org
>      > https://lists.jboss.org/mailman/listinfo/keycloak-user
>      
>      
>      _______________________________________________
>      keycloak-user mailing list
>      keycloak-user at lists.jboss.org
>      https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list