问题
I am currently working on a distributed (multi-site) application capable of operating offline.
I would like to be able to configure each instance of Keycloak remotely and individually from a Keycloak administration instance. In addition, each instance has its own users, policies and permissions.
How can I achieve this?
回答1:
If you are new to Keycloak I would suggest starting by reading its documentation it will make your life easier when it comes to make decision.
In addition, each instance has its own users, policies and permissions.
From the Keycloak Documentation section Core Concepts and Terms one can read the following:
realms : A realm manages a set of users, credentials, roles, and groups. A user belongs to and logs into a realm. Realms are isolated from one another and can only manage and authenticate the users that they control.
Which seams suitable to cover that requirement.
I would like to be able to configure each instance of Keycloak remotely and individually from a Keycloak administration instance.
That is not possible, you can however, have multiple Keycloak instances doing Identity Brokering against the same Keycloak instance. From the documentation about Identity Brokering one can read:
An Identity Broker is an intermediary service that connects multiple service providers with different identity providers. As an intermediary service, the identity broker is responsible for creating a trust relationship with an external identity provider in order to use its identities to access internal services exposed by service providers.
From a user perspective, an identity broker provides a user-centric and centralized way to manage identities across different security domains or realms. An existing account can be linked with one or more identities from different identity providers or even created based on the identity information obtained from them.
With this approach a user would be redirected to the leading page of the main Keycloak instance, and then could chose to login to a specific Keycloak instance.
回答2:
You probably don't need different instances to do what you described. It seems more apropriate to use different realms. Realms have independent users, roles, groups, password policies and more.
回答3:
Keycloack can already handle multi-tenancy you don<t need to set up a Keycloack instance for each organization. Just define a specific realm for each organization.
来源:https://stackoverflow.com/questions/65489960/setting-up-a-multi-tenancy-application