Keycloak - Is it possible share a common set of users between realms?

Question

I am trying to implement keycloak as an SSO for my company. I have created two realms, realm A and realm B. I want to use same set of users for both realms ie I need give access to users for both realms. Is it possible to do this in Keycloak?

Answer 1

No that's not possible. Users are always realm specific. The only way would be to keep the users in an external store and integrate this external store via federation (UserStorageSpi) into both realms. But then you'll have to do all user management on the external store, as it is the primary source of your user data.

Answer 2

Agreed with accepted answer that it's not possible.

You could treat realms as 'user pools' - a user should belong to one or another (identity) unless they are truly treated as two separate identities.

Then you could create a third realm that's used for Client connections, so the app only has to integrate with a single auth server. This third realm could then federate to the other two realms via Keycloak OpenID Connect.

Using this method, you could also provide groups/roles/permissions depending on where they were federated. Clients integrated with this realm would then be accessible by everyone in either realm - may require further RBAC enhancements to determine true access.