11
votes

I am trying to implement Keycloak as an SSO for my company. I have created two realms, realm A and realm B. I want to use the same set of users for both realms, i.e. I need to give users access to both realms. Is it possible to do this in Keycloak?

2
Curious. Why two realms? - sdoxsee
Two realms because the applications are for two different companies, but there are some users who have access to both systems. Is this a wrong design? - Charlie
Yes. Like Boomerang said. You'll want the two realms since there are two companies and two separate user stores (even if some will be in both)... unless they really are like the same company and access to each company's apps could be controlled via roles and permissions? (But most likely it sounds like you want 2 realms since they are separate companies.) For example, I had two realms for a benefits company and a payroll company since they are independent and have separate credentials but can SSO if they sign up for both services. - sdoxsee
It is actually two different companies, but some users have access to both apps with roles. But the users don't want to have different logins for each application. - Charlie
Yup. 2 realms then. The users need their own account for each company... 'cause what if they left one of the companies? SSO provides the means of letting them in with either credentials, with distinct accounts for each user. Is it just authentication you care about, or data synchronization and sharing as well? - sdoxsee

2 Answers

16
votes

No, that's not possible. Users are always realm specific. The only way would be to keep the users in an external store and integrate this external store via federation (UserStorageSpi) into both realms. But then you'll have to do all user management on the external store, as it is the primary source of your user data.
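As an added example, not from the answer or from the Keycloak project: a Python script that registers one shared external store (an LDAP directory) as a read-only User Storage federation provider in both realms through Keycloak's admin REST API, which is how the "keep the users in an external store" approach above looks in practice. Everything it assumes is a placeholder: the server URL, the master-realm admin credentials, the LDAP host and DNs, and the realm names realmA and realmB; it targets the Quarkus distribution's URL layout (no /auth prefix).

```python
"""Added example: federate one shared LDAP store into several Keycloak realms.

Assumptions (all placeholders): Keycloak (Quarkus distribution) at KEYCLOAK_URL,
an admin account in the master realm, a directory at LDAP_URL, realms named
realmA and realmB. Nothing here is Keycloak's own code.
"""
import json
import urllib.parse
import urllib.request

KEYCLOAK_URL = "http://localhost:8080"          # assumption: local dev server
LDAP_URL = "ldap://ldap.example.internal:389"   # placeholder shared user store
REALMS = ["realmA", "realmB"]                   # the two realms from the question


def ldap_component(realm_id: str, name: str = "shared-ldap") -> dict:
    """Build the UserStorageProvider component that federates LDAP into one realm.

    editMode READ_ONLY keeps every realm from writing to the shared directory,
    so user management happens only in the external store (the primary source).
    The admin API represents each config value as a list of strings.
    """
    return {
        "name": name,
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "parentId": realm_id,
        "config": {
            "enabled": ["true"],
            "editMode": ["READ_ONLY"],
            "vendor": ["other"],
            "connectionUrl": [LDAP_URL],
            "usersDn": ["ou=people,dc=example,dc=internal"],          # placeholder
            "bindDn": ["cn=keycloak-ro,ou=svc,dc=example,dc=internal"],  # placeholder
            "bindCredential": ["<bind-password-placeholder>"],
            "authType": ["simple"],
            "usernameLDAPAttribute": ["uid"],
            "rdnLDAPAttribute": ["uid"],
            "uuidLDAPAttribute": ["entryUUID"],
            "userObjectClasses": ["inetOrgPerson, organizationalPerson"],
            "importEnabled": ["true"],
            "syncRegistrations": ["false"],
        },
    }


def check_shared_store_safety(component: dict) -> list:
    """Return findings for settings that would let one realm mutate the shared store."""
    findings = []
    cfg = component.get("config", {})
    if cfg.get("editMode") != ["READ_ONLY"]:
        findings.append("editMode must be READ_ONLY when several realms share one store")
    if cfg.get("syncRegistrations") == ["true"]:
        findings.append("syncRegistrations would push realm self-registrations into the shared store")
    return findings


def _admin_request(token: str, method: str, path: str, payload=None):
    """Minimal admin REST call; returns parsed JSON, or None for an empty body."""
    body = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(
        f"{KEYCLOAK_URL}/admin{path}", data=body, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def admin_token(username: str, password: str) -> str:
    """Password grant against the master realm with the built-in admin-cli client."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(
        f"{KEYCLOAK_URL}/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def federate_store_into_realms(token: str, realms) -> dict:
    """Create the same read-only LDAP provider in each realm; returns realm -> payload."""
    created = {}
    for realm in realms:
        realm_id = _admin_request(token, "GET", f"/realms/{realm}")["id"]
        component = ldap_component(realm_id)
        problems = check_shared_store_safety(component)
        if problems:
            raise ValueError(f"{realm}: " + "; ".join(problems))
        _admin_request(token, "POST", f"/realms/{realm}/components", component)
        created[realm] = component
    return created


if __name__ == "__main__":
    tok = admin_token("admin", "<admin-password-placeholder>")
    for realm in federate_store_into_realms(tok, REALMS):
        print(f"shared LDAP store federated into {realm} (read-only)")
```

check_shared_store_safety refuses a component that could write back to the directory: with two realms attached to the same store, a WRITABLE edit mode would let either company's admin console change credentials or attributes the other company's applications rely on, and UNSYNCED would let each realm's copy drift from the store. Note also that with importEnabled the users are still imported into each realm's local database as separate, realm-scoped records; the realms share the source of truth, not the user objects, which is exactly the limitation the answer states.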

9
votes

Agreed with the accepted answer that it's not possible.

You could treat realms as 'user pools': a user should belong to one or the other (identity) unless they are truly treated as two separate identities.

Then you could create a third realm that's used for Client connections, so the app only has to integrate with a single auth server. This third realm could then federate to the other two realms via Keycloak OpenID Connect.

Using this method, you could also provide groups/roles/permissions depending on where they were federated from. Clients integrated with this realm would then be accessible by everyone in either realm, which may require further RBAC enhancements to determine true access.
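As an added example, not from the answer or from Keycloak: the admin REST API used to build the third "broker" realm this answer proposes. Each source realm becomes a keycloak-oidc identity provider in the broker realm, and a hardcoded-role mapper grants a broker-realm role that records which company's realm authenticated the user, so clients can enforce the RBAC the answer mentions. Assumed and placeholder: the server URL, the realm names realmA, realmB and broker, the client IDs and secrets of the OIDC clients that must already exist in realmA and realmB, and a master-realm admin bearer token supplied by the caller.

```python
"""Added example: wire a third "broker" realm to realm A and realm B.

Assumptions (all placeholders): Keycloak (Quarkus distribution) at KEYCLOAK_URL,
realms realmA, realmB and broker already exist, each source realm has an OIDC
client for the broker, and the caller supplies a master-realm admin token.
Nothing here is Keycloak's own code.
"""
import json
import urllib.request

KEYCLOAK_URL = "http://localhost:8080"   # assumption: local dev server
BROKER_REALM = "broker"                  # the third realm from the answer


def expected_redirect_uri(broker_realm: str, alias: str) -> str:
    """Redirect URI the client in the source realm must allow: Keycloak's broker endpoint."""
    return f"{KEYCLOAK_URL}/realms/{broker_realm}/broker/{alias}/endpoint"


def keycloak_oidc_idp(alias: str, source_realm: str, client_id: str, client_secret: str) -> dict:
    """Identity-provider representation for one source realm inside the broker realm."""
    base = f"{KEYCLOAK_URL}/realms/{source_realm}"
    return {
        "alias": alias,
        "displayName": f"Sign in with {source_realm}",
        "providerId": "keycloak-oidc",
        "enabled": True,
        # The two companies' directories are independent, so a matching e-mail
        # address is not proof of the same person and must not be treated as
        # verified or used to silently link two accounts.
        "trustEmail": False,
        "storeToken": False,
        "config": {
            "issuer": base,
            "authorizationUrl": f"{base}/protocol/openid-connect/auth",
            "tokenUrl": f"{base}/protocol/openid-connect/token",
            "userInfoUrl": f"{base}/protocol/openid-connect/userinfo",
            "logoutUrl": f"{base}/protocol/openid-connect/logout",
            "jwksUrl": f"{base}/protocol/openid-connect/certs",
            "useJwksUrl": "true",        # verify brokered tokens against the source realm's keys
            "validateSignature": "true",
            "clientId": client_id,
            "clientSecret": client_secret,
            "defaultScope": "openid",
            "syncMode": "IMPORT",
        },
    }


def hardcoded_role_mapper(alias: str, role: str) -> dict:
    """Mapper that grants a broker-realm role recording which source realm authenticated the user."""
    return {
        "name": f"{alias}-role",
        "identityProviderAlias": alias,
        "identityProviderMapper": "oidc-hardcoded-role-idp-mapper",
        "config": {"role": role, "syncMode": "INHERIT"},
    }


def plan_broker_realm(sources: dict) -> list:
    """Ordered admin API calls (method, path, payload) that wire the broker realm.

    `sources` maps alias -> (source_realm, client_id, client_secret, role).
    The role is created first because the mapper references it by name.
    """
    plan = []
    for alias, (source_realm, client_id, client_secret, role) in sources.items():
        plan.append(("POST", f"/realms/{BROKER_REALM}/roles", {"name": role}))
        plan.append(("POST", f"/realms/{BROKER_REALM}/identity-provider/instances",
                     keycloak_oidc_idp(alias, source_realm, client_id, client_secret)))
        plan.append(("POST", f"/realms/{BROKER_REALM}/identity-provider/instances/{alias}/mappers",
                     hardcoded_role_mapper(alias, role)))
    return plan


def apply_plan(token: str, plan) -> int:
    """Send each planned call with a master-realm admin bearer token; returns the count applied."""
    for method, path, payload in plan:
        req = urllib.request.Request(
            f"{KEYCLOAK_URL}/admin{path}", data=json.dumps(payload).encode(), method=method,
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req):
            pass
    return len(plan)


if __name__ == "__main__":
    SOURCES = {  # placeholder aliases, clients, secrets and roles
        "company-a": ("realmA", "broker-client", "<secret-placeholder>", "company-a-user"),
        "company-b": ("realmB", "broker-client", "<secret-placeholder>", "company-b-user"),
    }
    for alias, (source_realm, *_rest) in SOURCES.items():
        print(f"client in {source_realm} must allow: {expected_redirect_uri(BROKER_REALM, alias)}")
    for method, path, payload in plan_broker_realm(SOURCES):
        print(method, path, payload.get("alias", payload.get("name")))
    # apply_plan("<admin-token-placeholder>", plan_broker_realm(SOURCES))
```

Two settings are deliberate: validateSignature with useJwksUrl, so brokered tokens are verified against the source realm's published keys, and trustEmail set to False, so an address that happens to exist in both companies' directories is not treated as verified and does not by itself link two identities. The value from expected_redirect_uri is what each source realm's client must whitelist, and the plan creates each role in the broker realm before the mapper that references it.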