Thanks for the videos. Appreciate your contribution towards Keycloak community.
Thanks for posting this! It gave me confidence that I chose the right approach for my use case! (1 realm per tenant) 😄👍
Hi, I'm planning to do the same thing. I want to know if it worked well for you, and if you managed to make the same user log in to multiple realms. Thanks
Thank you very much, coming across your videos helped me and keeps helping me to gain more profound knowledge on Keycloak!
Great explanation! Thank you very much. Option 3 looks like over-engineering, introducing additional complexity.
It always depends on the requirements. What looks like overengineering for you might be the proper solution for someone else.
New subscriber here. Thanks for the information, you're a lifesaver
Hey, thank you very much for your explanation. Do you have some resource references for the "n Tenant Realms + 1 Application Realm" scenario? I can't find any example how to set this up.
Nice!
Great video mate. I need 1 realm per tenant but saw several posts about performance issues with large numbers of realms. Will the new JPA storage solve that? We'll eventually have many thousands of realms with a small number of users each. Using Postgres as the db.
Don't know. ¯\_(ツ)_/¯
I'm trying to implement this situation right now and it's really confusing to choose the best way, since I don't have previous experience with Keycloak and multi-tenancy.
good job
Thanks for the explanation. I just have one question when it comes to one realm and adding some custom SPI for an organization/tenant feature. Is there any possibility to have a custom implementation of "access token lifespan" at the tenant level? Currently it can only be configured at the realm and client level, so I'm thinking about the use case where a client belongs to many tenants and they want to have different "access token lifespan" values. Thanks
AFAIK that's not possible without modifying core classes of Keycloak.
@dasniko Do you also have videos about using Keycloak as a resource server?
Keycloak is an IdP, not a resource server!
Could you please share any design documents on the Keycloak multi-tenancy implementation?
A link to the repo is in the description.
Hello, I would like to assign the role "LDAP administrator of a realm" to a user who could administer the OU corresponding to the realm, so the user would be "base DN" in the LDAP settings and create the groups, roles and users with rights on this realm.
Two users A and B under the same profile and role. How can I restrict records of A to B and vice versa in Keycloak?
Can you please let me know about this?
Very nice video!
Some points to note for the next one:
- include some graphs: looking at one person just talking is fun (kind of?) but a good graph is worth a thousand explanations
- For option 3, what if we're using one UserStorage SPI for every realm? 😂😂😂😂
Thanks Niko, I have one question though. One of my requirements is that different tenants should have different databases as well (one of the architecture decisions, other than the option of having a single database with a tenant identifier, here realmId). Is that possible in Keycloak?
no
Thanks Niko for the explanation. I am choosing Option 2, but I want to know if it's possible to make cross-realm login for users, in order to access clients in different realms. Thanks
As I mentioned in the video, realms are the level of isolation, there is no cross-anything!
The only option would be identity brokering from one realm to another.
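The brokering route mentioned in the reply above, as an added example that is not part of the original thread or of the Keycloak project: realm `tenant-b` is configured with an identity provider that points at realm `tenant-a` on the same Keycloak server, so `tenant-a` users can log in to `tenant-b` without any realm boundary being crossed (the user ends up holding a token minted by `tenant-b`, never a `tenant-a` token). The base URL, realm names, alias and client credentials are hypothetical; the identity-provider config keys follow Keycloak's OIDC identity-provider settings as I know them and should be checked against your Keycloak version. The JWT at the end is constructed and unsigned, used only to show why a service bound to one realm rejects tokens whose `iss` is another realm; real validation must also verify the signature against the realm's JWKS.

```python
import base64
import json

# Hypothetical deployment values for this example (not from the thread).
BASE_URL = "https://sso.example.com"
SOURCE_REALM = "tenant-a"        # realm whose users should be able to log in elsewhere
TARGET_REALM = "tenant-b"        # realm that brokers logins to tenant-a
BROKER_ALIAS = "tenant-a-broker" # alias of the identity provider inside tenant-b


def realm_issuer(base_url: str, realm: str) -> str:
    """Issuer (`iss`) that Keycloak puts into every token minted by `realm`.
    Each realm has its own issuer and its own signing keys, which is why a
    token from one realm is never accepted by another."""
    return f"{base_url.rstrip('/')}/realms/{realm}"


def broker_idp_representation(base_url: str, source_realm: str, target_realm: str,
                              alias: str, client_id: str, client_secret: str) -> dict:
    """Identity-provider object to create in `target_realm`
    (admin REST: POST /admin/realms/{target_realm}/identity-provider/instances)
    so that `source_realm` acts as an external OIDC provider for it.
    `client_id`/`client_secret` belong to a confidential client that must be
    created in `source_realm` for the broker (assumed values here)."""
    src = realm_issuer(base_url, source_realm)
    return {
        "alias": alias,
        "displayName": f"Login via {source_realm}",
        "providerId": "keycloak-oidc",   # Keycloak-to-Keycloak OIDC broker
        "enabled": True,
        "trustEmail": False,             # do not let the source realm's email claim pre-link accounts
        "config": {
            "issuer": src,
            "authorizationUrl": f"{src}/protocol/openid-connect/auth",
            "tokenUrl": f"{src}/protocol/openid-connect/token",
            "jwksUrl": f"{src}/protocol/openid-connect/certs",
            "useJwksUrl": "true",
            "validateSignature": "true", # verify source-realm tokens against its JWKS
            "clientId": client_id,
            "clientSecret": client_secret,
            "clientAuthMethod": "client_secret_post",
            "defaultScope": "openid",
            "syncMode": "IMPORT",        # copy the user into tenant-b on first login only
        },
    }


def broker_redirect_uri(base_url: str, target_realm: str, alias: str) -> str:
    """Redirect URI that the broker client in the source realm must whitelist."""
    return f"{realm_issuer(base_url, target_realm)}/broker/{alias}/endpoint"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(issuer: str, subject: str) -> str:
    """Constructed, UNSIGNED JWT-shaped string used only to show claim routing.
    The signature segment is a placeholder; real tokens are RS256-signed by the realm."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "sub": subject, "aud": "account"}).encode())
    return f"{header}.{payload}.{_b64url(b'placeholder-signature')}"


def token_issuer(token: str) -> str:
    """Read the `iss` claim without verifying the signature (routing only;
    signature verification against the realm's JWKS must still happen)."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return payload["iss"]


def issuer_matches(token: str, base_url: str, realm: str) -> bool:
    """Gate for a service bound to `realm`: accept only tokens whose issuer is that realm.
    After brokering, the user holds a token minted by `realm`, not the source realm's token."""
    return token_issuer(token) == realm_issuer(base_url, realm)


if __name__ == "__main__":
    idp = broker_idp_representation(BASE_URL, SOURCE_REALM, TARGET_REALM,
                                    BROKER_ALIAS, "tenant-b-broker", "change-me")
    print(json.dumps(idp, indent=2))
    print("redirect URI to register on the broker client in", SOURCE_REALM + ":",
          broker_redirect_uri(BASE_URL, TARGET_REALM, BROKER_ALIAS))
    tok = make_sample_token(realm_issuer(BASE_URL, SOURCE_REALM), "alice")
    print("tenant-a token accepted by a tenant-a service:", issuer_matches(tok, BASE_URL, SOURCE_REALM))
    print("tenant-a token accepted by a tenant-b service:", issuer_matches(tok, BASE_URL, TARGET_REALM))
```

The identity-provider object is created once per source realm in the target realm; the redirect URI it prints is what the confidential client in `tenant-a` has to allow, otherwise the authorization code never makes it back to the broker endpoint. The last two lines show the isolation point in the reply: the same `tenant-a` token is accepted by a `tenant-a` service and rejected by a `tenant-b` service purely on `iss`, before signature checking even enters the picture.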
@dasniko It's a fair solution for me, but we want to make selective login between realms.