I work for a multi-company group. Each company has its own network, its own IT admins and therefore its own Active Directory. There is no possibility to connect the different networks via VPN, for example. The users of the companies can be identified by their email domain, e.g. jdoe@company-a.com and jdoe@company-b.com.
My goal is to develop a global application for the whole company group.
I want to use Keycloak as Identity and Access Management.
The problem is that every user who is a member of defined groups, from all companies, must have access to, be able to log in to, and be authorized for the centralized frontend and the decentralized backend (self-programmed API proxy/gateway).
Here is a drawing of the current situation:
Suggestion:
Thanks in advance for your help :)
I would recommend a dedicated "local" Keycloak in each company (with user federation configured to Active Directory), and one "global" Keycloak instance, which will have Identity Brokering configured to all "local" Keycloak instances. "Local" admins will still have full power to manage their users and customize the login theme. Users will have to select an identity provider from the "global" Keycloak login page, or apps may use a client-suggested identity provider with the kc_idp_hint query parameter.
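
The kc_idp_hint approach from the answer above, as an added example that is not part of the original answer: the application maps the e-mail domain from the question to an identity provider alias and builds the authorization request for the "global" Keycloak. The IdP aliases, realm name, client id and URLs are assumptions chosen for illustration.

```python
import secrets
from urllib.parse import urlencode

# Assumed mapping: e-mail domain -> alias of the identity provider configured
# in the "global" realm. The aliases are hypothetical.
IDP_BY_DOMAIN = {
    "company-a.com": "company-a",
    "company-b.com": "company-b",
}


def idp_alias_for_email(email):
    """Return the IdP alias for an e-mail address, or None if unknown."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or "@" in local:
        return None
    # Exact, case-insensitive match only. Suffix or substring matching would
    # also accept look-alike domains such as "company-a.com.example.net".
    return IDP_BY_DOMAIN.get(domain.lower())


def build_login_url(base_url, realm, client_id, redirect_uri, email=None):
    """Build the OIDC authorization request for the "global" Keycloak.

    base_url is the server root (assumption: older Keycloak distributions
    need the "/auth" context path included in it). Returns (url, state);
    the caller stores state and compares it on the redirect back.
    """
    state = secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid",
        "state": state,
    }
    alias = idp_alias_for_email(email) if email else None
    if alias:
        # Routing hint only: the typed e-mail is untrusted input. Access
        # decisions must rest on the token the global Keycloak issues after
        # the brokered login, never on this parameter.
        params["kc_idp_hint"] = alias
    # Unknown domain: no hint, so the user sees the normal IdP selection page.
    endpoint = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/auth"
    return f"{endpoint}?{urlencode(params)}", state
```
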