Keycloak multi-tenancy extensions for SaaS applications

I want to know which database you are using for 10k organizations, because when I test Keycloak with 150 tenants using MySQL it hangs for a sec on the tenants’ landing page.

Please be more specific. Are you using the keycloak-orgs extension from the top of this thread? What is the test you are running? What is the “tenant’s landing page”?

Apologies for the confusion. To clarify, I would like to discuss the number of realms I have in Keycloak and the delay I experience when logging in using admin. This sparked my curiosity about how you are able to efficiently load 10,000 organizations. Would you be able to share which database you use or recommend using? For context, I currently use MySQL.

@shankaryadavy9 The two things have nothing to do with one another.

There is a discussion about large numbers of Realms in Keycloak: “Improved scalability over number of realms” (keycloak/keycloak, Discussion #11074 on GitHub).

This keycloak-orgs extension handles large numbers of Organizations (10k+) independently of which database type is used.

If you have a question or curiosity, please start a new topic rather than hijacking another thread. If you believe the context of another thread is important to your question, you can always link to it in your new topic.

What is the difference of per-org roles vs per-group roles? If I make a group as an org, what is the difference? Just a terminology change from group to org as I can tell so far.

“per-group” means a mechanism of assigning either Realm or Client roles indirectly by associating a User with a Group. After that assignment, the user still only has a single set of Realm or Client Roles. For example, if a user is a member of Groups foo and bar, and foo grants manage-users and bar grants manage-users and manage-events, there is no way to determine where the mappings came from. The User just has manage-users and manage-events.

“per-org” means that the user is assigned the tuple of Organization and Organization Role (distinct from Realm or Client roles). For example, if a user is a member of Organizations foo and bar, and foo grants manage-users and bar grants manage-users and manage-events, then the user has manage-users IN foo, manage-users IN bar and manage-events IN bar (but not in foo).

This allows you to have Users who are members of multiple Organizations, but have completely different Organization Roles for each Organization.
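The foo/bar example from the reply above, written out as an added illustration that is not part of the original thread and is not keycloak-orgs code or its API. The class names, the `allowed` checks and the user `alice` are constructed for this sketch; it shows why a tenant-scoped authorization decision cannot be made from a flattened role set.

```python
from collections import defaultdict

class GroupRoleModel:
    """Per-group: membership grants roles; the user ends up with one flat set."""
    def __init__(self):
        self.group_roles = defaultdict(set)   # group -> roles it grants
        self.memberships = defaultdict(set)   # user -> groups

    def effective_roles(self, user):
        roles = set()
        for group in self.memberships[user]:
            roles |= self.group_roles[group]  # provenance is lost here
        return roles

    def allowed(self, user, tenant, role):
        # 'tenant' cannot influence the decision: the flat set does not
        # record which group a role came from.
        return role in self.effective_roles(user)

class OrgRoleModel:
    """Per-org: the user holds (organization, organization role) tuples."""
    def __init__(self):
        self.grants = defaultdict(set)        # user -> {(org, role)}

    def grant(self, user, org, role):
        self.grants[user].add((org, role))

    def allowed(self, user, org, role):
        return (org, role) in self.grants[user]

def build_example():
    """Constructed data matching the foo/bar example in the thread."""
    groups = GroupRoleModel()
    groups.group_roles["foo"] = {"manage-users"}
    groups.group_roles["bar"] = {"manage-users", "manage-events"}
    groups.memberships["alice"] = {"foo", "bar"}

    orgs = OrgRoleModel()
    orgs.grant("alice", "foo", "manage-users")
    orgs.grant("alice", "bar", "manage-users")
    orgs.grant("alice", "bar", "manage-events")
    return groups, orgs

if __name__ == "__main__":
    groups, orgs = build_example()
    for tenant in ("foo", "bar"):
        print(tenant,
              "group-model:", groups.allowed("alice", tenant, "manage-events"),
              "org-model:", orgs.allowed("alice", tenant, "manage-events"))
```
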

Hi @xgp
I’m attempting to utilize your extension on my Keycloak 17.0.1, but I’m having trouble with the admin console UI. I don’t have any issues with the Docker image, but I’m not sure how to combine the phasetwo.v2 admin theme with my Keycloak. Can you provide any advice?

Current versions of the extension are not compatible with older versions of Keycloak.

For reasons independent of this extension (e.g. critical CVEs) you need to upgrade.

If you want to try out the most recent version of Keycloak with our extensions (orgs and the phasetwo.v2 admin UI theme), use our docker image: Quay

1 Like

Their repo is on GitHub. Please let me know if they can be integrated into the newer version of Keycloak, and do I have to pay anything to integrate these extensions (not the docker image)?

It depends on how you plan to use it. Most use cases are free. More information on our licenses is here: GitHub - p2-inc/keycloak-orgs: Single realm, multi-tenancy for SaaS apps

Thank you for responding so quickly.


In the readme of orgs-repo there is mention of AdminUI, I looked at the Admin UI Theme repo but couldn’t find a way to install it, can you give me some suggestions?

You have to build it in that branch of Keycloak

git clone git@github.com:p2-inc/keycloak.git
cd keycloak/
git checkout 23.0.1_orgs_admin_ui
mvn package -pl :phasetwo-admin-ui -am -DskipTests

Then move the jar from js/apps/admin-ui/target/phasetwo-admin-ui-23.0.1.jar to your Keycloak distribution’s providers/ jar.

The reason we distribute this as a docker image is that there are several dependencies between the extensions, we only support the specific combination of versions we release together, and we don’t support any other means of distribution. A good way to debug is to look in the docker image and see what is there and how it is structured. Otherwise, you’re on your own.

1 Like

Hello @xgp, thanks for the above suggestions. I got to know that Users can have different roles with orgs (explanation with foo and bar).

We also need to switch between orgs for a single User. For example, when the user logs in to the application he needs to use the FOO org and whichever roles are assigned inside the org, but when the user switches to BAR then his roles should also change as per the org role mapping. We need the user to be able to log in to only one org at a time, with the corresponding roles assigned in that org.

Using this keycloak extension is there a way to switch between Orgs for user among his assigned set of orgs?

There is currently a feature in development to allow an “active organization” to be set. See:

This will probably get merged in the next week or so.

I noticed, there is an entity Team. Not sure how to use it… could you please share any documentation related to this?

Those are old stubs. Nothing implemented.

Thanks for the quick reply; I was thinking it’s for sub-tenant(s) implementation. is that possible?

There has been some thought put into implementing “teams” or tiered Organizations (like Keycloak does Groups), but nothing has been implemented. Happy to accept proposals in this regard. Please open a discussion (Issues · p2-inc/keycloak-orgs · GitHub) if you wish to make a proposal.

Done 173, thank you!