
Keycloak - Is it possible share a common set of users between realms?

I am trying to implement Keycloak as an SSO for my company. I have created two realms, realm A and realm B. I want to use the same set of users for both realms, i.e. I need to give users access to both realms. Is it possible to do this in Keycloak?

asked Nov 05 '17 12:11 by Charlie


2 Answers

No, that's not possible. Users are always realm-specific. The only way would be to keep the users in an external store and integrate this external store via federation (UserStorageSpi) into both realms. But then you'll have to do all user management on the external store, as it is the primary source of your user data.

answered Sep 23 '22 11:09 by Boomer


Agreed with the accepted answer that it's not possible.

You could treat realms as 'user pools' - a user should belong to one or another (identity) unless they are truly treated as two separate identities.

Then you could create a third realm that's used for Client connections, so the app only has to integrate with a single auth server. This third realm could then federate to the other two realms via Keycloak OpenID Connect.

Using this method, you could also provide groups/roles/permissions depending on where they were federated. Clients integrated with this realm would then be accessible by everyone in either realm - may require further RBAC enhancements to determine true access.

answered Sep 24 '22 11:09 by Charly
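
The hub-realm setup described in the second answer, as an added example that is not part of either answer: it builds the Keycloak Admin REST request bodies that register realm A and realm B as `keycloak-oidc` identity providers in a third realm and attach a per-origin role to each. The host `sso.example.test`, the realm names, the `hub-broker` client and the `origin-*` roles are constructed placeholders, and the roles are assumed to exist in the hub realm already.

```python
def realm_endpoints(base, realm):
    # Current Keycloak URL layout; older releases add an /auth prefix to base.
    root = f"{base.rstrip('/')}/realms/{realm}"
    oidc = f"{root}/protocol/openid-connect"
    return {"issuer": root, "authorizationUrl": f"{oidc}/auth",
            "tokenUrl": f"{oidc}/token", "userInfoUrl": f"{oidc}/userinfo",
            "jwksUrl": f"{oidc}/certs", "logoutUrl": f"{oidc}/logout"}

def broker_redirect_uri(base, hub, alias):
    # The only redirect URI the broker client in the source realm should allow.
    return f"{base.rstrip('/')}/realms/{hub}/broker/{alias}/endpoint"

def broker_idp(base, source_realm, client_id, client_secret):
    # Body for POST /admin/realms/{hub}/identity-provider/instances
    config = realm_endpoints(base, source_realm)
    config.update({"clientId": client_id, "clientSecret": client_secret,
                   "validateSignature": "true",  # verify source-realm tokens
                   "useJwksUrl": "true",         # pick up key rotation via JWKS
                   "syncMode": "FORCE"})         # refresh the profile on every login
    return {"alias": source_realm, "providerId": "keycloak-oidc", "enabled": True,
            "trustEmail": False,  # same e-mail in A and B stays two identities
            "config": config}

def origin_role_mapper(alias, role):
    # Body for POST .../identity-provider/instances/{alias}/mappers
    # Grants a hub-realm role to every user who arrived through this provider.
    return {"name": f"origin-{alias}", "identityProviderAlias": alias,
            "identityProviderMapper": "oidc-hardcoded-role-idp-mapper",
            "config": {"syncMode": "INHERIT", "role": role}}

def hub_plan(base, hub, sources, client_id="hub-broker", secret="<CLIENT_SECRET>"):
    """Ordered (method, path, body) Admin REST calls against the hub realm."""
    idp_path = f"/admin/realms/{hub}/identity-provider/instances"
    calls = []
    for realm in sources:
        calls.append(("POST", idp_path, broker_idp(base, realm, client_id, secret)))
        calls.append(("POST", f"{idp_path}/{realm}/mappers",
                      origin_role_mapper(realm, f"origin-{realm}")))
    return calls

if __name__ == "__main__":
    import json
    # Constructed sample deployment: one Keycloak host, realms realm-a and realm-b.
    for method, path, body in hub_plan("https://sso.example.test", "hub",
                                       ["realm-a", "realm-b"]):
        print(method, path)
        print(json.dumps(body, indent=2))
```

Each source realm also needs a confidential client (here `hub-broker`) whose allowed redirect URI is exactly the value returned by `broker_redirect_uri`; applications then check the `origin-*` role in hub-realm tokens when access must differ by origin.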