How to do multi-tenant with Keycloak
When people want to achieve multi-tenancy on Keycloak, there are two main ways:
1 realm per tenant
The simple and obvious way. You get proper isolation between tenants with separate realms, each of which can have its own login page or theme, for branding for example. But it comes with some drawbacks that you need to know before going down that path.
Pros
Easy to reason about
Cons
Make sure the use case does not require the same user to access different realms at the same time.

Error creating XXXXX: java.lang.RuntimeException: Script upload is disabled
If you cannot import a realm in Keycloak, this might help you if the error is related to the removed Script upload feature.

What's the difference between self-hosted Keycloak and Cloud-IAM?
The answer depends on the size of your Ops team as well as its level of maturity on DevOps practices.
To get your self-hosted Keycloak running you need to consider:
Installation
Configuration management
Supervision and alerting
Backups
Patch Management
Upgrade management, each new version must be qualified
Security hardening and infrastructure updates
When our Cloud-IAM expert team sets up self-hosted Keycloak clusters for our consulting clients, it can take between 20 and 25 days

Will I be able to bring back Keycloak to my infrastructure later?
There is no vendor lock-in with Cloud-IAM and there will never be.
We provide unrestricted access to production-ready Keycloak environments.
You can fully test Cloud-IAM or run a PoC to build your skills on it, and if you want your data back in your infrastructure, it can be integrated without problem.
We believe you will stay with us — like our other happy customers — because you won't be able to match our level of operations and reliability if you bring Keycloak back to your own infrastructure

How to migrate to Cloud-IAM and import my customer and user base?
When migrating from a self-hosted Keycloak to the Cloud-IAM fully managed version, most customers need to export their full Keycloak configuration, including realm configuration, users, client configurations, user federation and so on.
Depending on database size, customizations, extensions and existing infrastructure, several options are possible.
Keycloak export as JSON
This option is suitable for small deployments that tolerate a data freeze for a few hours.
This process is slow and can

How are Keycloak version upgrades handled at Cloud-IAM?
One of the keys to security is keeping software up to date so that known issues cannot be exploited.
The team is responsible for keeping the underlying infrastructure secured and up to date.
Cloud-IAM follows the Keycloak release cycle and keeps your deployments up-to-date.
Every time Keycloak releases a new version, our QA team checks that the new version is fully functional with all our processes.
Once ready, the new version is made available to our customers.
Steps
As minor versions are usually bu

Password blacklist
Password complexity remains one of the keys to keeping users' identities safe.
Keycloak offers various configuration options to enforce minimum requirements on user passwords.
A good practice is to forbid several passwords that are known to be unsafe because they are used too often.
All deployments come with a predefined list of the top 10 000 worst passwords.
Simply add the Password blacklist policy referencing the file top-10000.txt.
Configuration example (https://storage.crisp.ch