Multiple administrators

Hi community, I have a question. Is it possible to create multiple administrators that can create new users but cannot see the users that another administrator has created?
If it is a little unclear, here it is schematically:

  • AdminA creates userA1 and userA2
  • AdminB creates userB1 and userB2
  • But AdminB should not be able to see userA1 and userA2
  • Likewise, AdminA should not be able to see userB1 and userB2

Is it possible to implement it like this in Keycloak?

No. The roles manage-users, query-users and view-users are as fine grained as it gets. Administrators with those roles can do this to all users within the realm.

Hi Jazzman

The way I would do it is by using separate realms in Keycloak. Realms are a strong segregation of users.

So say you have Realm A, managed by Admin A, and Realm B, managed by Admin B. Each admin is configured to only manage their own realm.

Then you have a 3rd realm for authentication, usually called « broker » or named after your application, that allows your Relying Party (i.e. the app) to connect and that is configured to redirect authentication (via identity providers in the broker) to realmA or realmB according to some business logic.

Hope that makes sense. If not, I can help you with this config.

Great suggestion @guenoledc. I didn’t think about doing it as separate realms.

Thank you for the suggestion. I will try to implement it and contact you again if I have any questions.

I have now created two realms; I call them realmB and realmC. In both realms there are users.
Then I have a realmA which has a client.
How can I now connect realmA with realmB and realmC?

User calls —> client of realmA —> fetches the credentials of a user from realmB or realmC

Hi @jazzman

I will try to give you a procedure to link Realm1 with Realm2 using the OIDC protocol:

  1. First, in Realm2 set the Frontend URL field to the URL you see in the browser (e.g. http://localhost:8080/auth/). This is important as it sets the issuer ID of the Realm.
  2. Copy the url address of the OpenID Endpoint Configuration link (something like http://localhost:8080/auth/realms/Realm2/.well-known/openid-configuration)
  3. Go to Realm1 and create a new “OpenID Connect V1.0” Identity Provider
  4. Set the alias as realm2 for instance, go to the bottom of the page, paste the URL copied above in the Import from URL field and click Import. This will automatically fill in the URL info of the Realm.
  5. Go to the middle of the page and set the Client Authentication to “send as post” or “send as basic auth”; set the Client ID as jazz-app (it will be the name of the client in Realm2) and set the Client Secret to “xxx” (for the moment; it will be set correctly later)
  6. Save the Identity Provider.
  7. Go to the top of the page and copy the Redirect URI field
  8. Now go back to Realm2 and create a new client named jazz-app with Client Protocol “openid-connect”, and Save
  9. Set Access Type to “confidential”; set the Valid Redirect URIs to the copied Redirect URI.
  10. Save the client. The Credentials tab appears, select it and copy the Secret.
  11. Go back to Realm1’s realm2 identity provider, set the Client Secret to the copied secret, and save.

You should have a working setup. To test, go to Realm1 clients, click on the account base URL (http://localhost:8080/auth/realms/Realm1/account/) and you should see a login page with realm2 at the bottom. Click it and you will be on the Realm2 authentication screen and should be able to authenticate with a Realm2 user.

Then Realm1 will receive the authentication, automatically create the user in Realm1 (some config can be done here) and return the authentication to the app (here the console app).

Then you can do the same with your app and see that you can connect.

Do the same with Realm3.

Try this and let me know.
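The eleven steps above are a pair of mirrored configurations (an identity provider in Realm1, a confidential client in Realm2) whose issuer, redirect URI, client ID and secret have to agree. The following is an added example, not code from the thread or from Keycloak: it parses a constructed openid-configuration document the way step 4's Import does, checks the step 1 issuer caveat against the Frontend URL, assembles both admin payloads and cross-checks them before anything is saved. The representation field names and the `/broker/<alias>/endpoint` redirect path are assumptions drawn from how Keycloak's admin API and brokering are commonly laid out; the discovery document and all URLs, IDs and secrets are made up.

```python
import json

# Constructed sample discovery document for Realm2 (shape follows the
# standard OpenID Connect discovery response; the values are made up).
DISCOVERY_REALM2 = json.dumps({
    "issuer": "http://localhost:8080/auth/realms/Realm2",
    "authorization_endpoint": "http://localhost:8080/auth/realms/Realm2/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:8080/auth/realms/Realm2/protocol/openid-connect/token",
    "userinfo_endpoint": "http://localhost:8080/auth/realms/Realm2/protocol/openid-connect/userinfo",
    "jwks_uri": "http://localhost:8080/auth/realms/Realm2/protocol/openid-connect/certs",
    "end_session_endpoint": "http://localhost:8080/auth/realms/Realm2/protocol/openid-connect/logout",
})


def check_issuer(discovery_json, frontend_url, realm):
    """Step 1 caveat: the issuer Realm2 advertises must equal
    <Frontend URL>/realms/<realm>, otherwise Realm1 will reject its tokens."""
    doc = json.loads(discovery_json)
    expected = frontend_url.rstrip("/") + "/realms/" + realm
    return doc["issuer"] == expected


def idp_payload(discovery_json, alias, client_id, client_secret,
                auth_method="client_secret_post"):
    """Realm1 identity-provider representation (steps 3 to 5).
    Field names are assumed to mirror Keycloak's IdentityProviderRepresentation."""
    doc = json.loads(discovery_json)
    return {
        "alias": alias,
        "providerId": "oidc",
        "enabled": True,
        "config": {
            "issuer": doc["issuer"],
            "authorizationUrl": doc["authorization_endpoint"],
            "tokenUrl": doc["token_endpoint"],
            "userInfoUrl": doc["userinfo_endpoint"],
            "logoutUrl": doc["end_session_endpoint"],
            "jwksUrl": doc["jwks_uri"],
            "useJwksUrl": "true",
            "validateSignature": "true",
            "clientId": client_id,
            "clientSecret": client_secret,
            "clientAuthMethod": auth_method,
        },
    }


def broker_redirect_uri(broker_base, broker_realm, alias):
    """Step 7's Redirect URI: the endpoint Realm1 exposes for <alias>
    (path pattern assumed, not taken from the thread)."""
    return f"{broker_base.rstrip('/')}/realms/{broker_realm}/broker/{alias}/endpoint"


def client_payload(client_id, redirect_uri, secret):
    """Realm2 confidential client (steps 8 to 10); only the copied broker
    redirect URI is whitelisted."""
    return {
        "clientId": client_id,
        "protocol": "openid-connect",
        "publicClient": False,
        "standardFlowEnabled": True,
        "redirectUris": [redirect_uri],
        "secret": secret,
    }


def consistent(idp, client, redirect_uri):
    """Step 11 sanity check before saving: both sides name the same client,
    share the same secret, and Realm2 accepts the broker redirect URI."""
    cfg = idp["config"]
    return (
        cfg["clientId"] == client["clientId"]
        and cfg["clientSecret"] == client["secret"]
        and redirect_uri in client["redirectUris"]
        and cfg["authorizationUrl"].startswith(cfg["issuer"] + "/")
    )


if __name__ == "__main__":
    base = "http://localhost:8080/auth/"
    uri = broker_redirect_uri(base, "Realm1", "realm2")
    idp = idp_payload(DISCOVERY_REALM2, "realm2", "jazz-app", "s3cret")
    client = client_payload("jazz-app", uri, "s3cret")
    print("issuer ok:", check_issuer(DISCOVERY_REALM2, base, "Realm2"))
    print("configs consistent:", consistent(idp, client, uri))
```

The issuer check is the one most often missed: if Realm2 sits behind a proxy and its Frontend URL is not set, the discovery document advertises an internal hostname and the broker in Realm1 refuses the tokens even though every other field looks right. Running the payloads through `consistent` before posting them also catches the placeholder “xxx” secret from step 5 being left in place.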

Thank you, it works wonderfully! I still have one question. Is it possible to log in via the login form without the “Use RealmB” button? I mean log in directly without changing the realm?

Hi @jazzman

Yes indeed, in the URL you send to Keycloak from your app (/auth endpoint) you can add the &kc_idp_hint=<alias> parameter to the query string to indicate to Keycloak that it should redirect to that identity provider.

Where <alias> is the value of the alias of the identity provider as defined in step 4 (e.g. realm2).

You can use other, more sophisticated approaches to control the idp hint parameter using « where are you from » mechanisms based on emails, cookies or other things. This is not native in Keycloak, however, but can be done with additional authenticators (see my article https://link.medium.com/MeFB3QnGueb)
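The answer above names two pieces: appending kc_idp_hint to the /auth request, and deciding the alias with a « where are you from » rule such as the user's email domain. The following is an added example, not code from the thread or from Keycloak, showing both on the application side: a constructed domain-to-alias table, a function that builds Realm1's authorization URL with the hint only when a routing decision exists, and a helper that reads the hint back for checking. The domains, realm names, client ID and redirect URI are made up; kc_idp_hint is a routing hint only, so which users may actually authenticate is still decided by the identity provider and client configuration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed "where are you from" table: email domain -> identity provider
# alias as set in step 4 of the procedure above. Values are assumptions.
IDP_BY_DOMAIN = {
    "b-corp.example": "realmB",
    "c-corp.example": "realmC",
}


def idp_hint_for(email, table=IDP_BY_DOMAIN):
    """Return the alias for the user's email domain, or None when the domain is
    unknown so the caller falls back to Realm1's normal login page."""
    if "@" not in email:
        return None
    domain = email.rsplit("@", 1)[1].strip().lower()
    return table.get(domain)


def authorization_url(base_url, realm, client_id, redirect_uri, state, idp_hint=None):
    """Build the /auth URL for Realm1; kc_idp_hint is added only when a routing
    decision was made. Every other parameter is standard OIDC code flow."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if idp_hint:
        params["kc_idp_hint"] = idp_hint
    endpoint = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/auth"
    return endpoint + "?" + urlencode(params)


def hinted_idp(url):
    """Read the hint back from a built URL (useful when checking what the app
    actually sent to Keycloak)."""
    return parse_qs(urlsplit(url).query).get("kc_idp_hint", [None])[0]


if __name__ == "__main__":
    for email in ("alice@B-Corp.example", "bob@c-corp.example", "carol@other.example"):
        hint = idp_hint_for(email)
        url = authorization_url("http://localhost:8080/auth/", "Realm1", "jazz-app",
                                "https://app.example/callback", "state-123", hint)
        print(email, "->", hinted_idp(url), url)
```

Keep the domain table on the server side and treat an unknown domain as "show the broker's own login page", not as an error; that way a user the table does not know about still lands on Realm1's form with the identity provider buttons the original setup produces.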