We’re looking at implementing an SSO across all of our web applications. We have the following requirements:
- Same user account for multiple websites. Some sites will only be accessible to a subset of users
- Must support the idea of organisations
- Should support roles with different levels of access
- Must integrate with Ruby on Rails applications and WordPress.
My initial thoughts are:
1. Use a single realm and create user accounts here.
2. Create roles for each level of access needed.
3. Create a top-level group for each organisation, and sub-groups for each role. Assign the role templates created previously to the relevant sub-groups.
4. Assign the users to the relevant sub-groups.
5. In the application code use if statements, such as: if user is a member of this sub-group, then do this.
The eventual setup will be a Keycloak cluster with a PostgreSQL database, but at the moment we’re at the proof-of-concept planning stage.
Is there a better way of achieving this?
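A sketch of the application-side check in Ruby, added here as an example and not code from the post or from Keycloak. It assumes Keycloak's RS256-signed access tokens, a Group Membership mapper with "full group path" enabled so the `groups` claim carries `/organisation/role` paths, and hypothetical issuer and client names; the point is that the token is verified (algorithm, signature, issuer, audience, expiry) before any group claim feeds an access decision.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed stand-ins for the realm's RS256 signing key and the registered client.
REALM_KEY = OpenSSL::PKey::RSA.new(2048)
ISSUER    = 'https://sso.example.test/realms/main'   # hypothetical realm URL
CLIENT_ID = 'rails-app'                              # hypothetical client id

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Test helper that mints a token the way the realm would; it is not Keycloak code.
def mint_token(claims, key = REALM_KEY)
  header = b64url({ alg: 'RS256', typ: 'JWT' }.to_json)
  body   = b64url(claims.to_json)
  sig    = key.sign(OpenSSL::Digest::SHA256.new, "#{header}.#{body}")
  "#{header}.#{body}.#{b64url(sig)}"
end

# Verify alg, signature, issuer, audience and expiry; returns the claims hash or nil.
def verify_token(token, pub_key = REALM_KEY.public_key, now: Time.now.to_i)
  header_b64, body_b64, sig_b64 = token.to_s.split('.', 3)
  return nil unless header_b64 && body_b64 && sig_b64
  header = JSON.parse(Base64.urlsafe_decode64(header_b64))
  return nil unless header['alg'] == 'RS256'        # no 'none' / HMAC downgrade
  signed = "#{header_b64}.#{body_b64}"
  sig    = Base64.urlsafe_decode64(sig_b64)
  return nil unless pub_key.verify(OpenSSL::Digest::SHA256.new, sig, signed)
  claims = JSON.parse(Base64.urlsafe_decode64(body_b64))
  return nil unless claims['iss'] == ISSUER
  return nil unless Array(claims['aud']).include?(CLIENT_ID)
  return nil unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  claims
rescue JSON::ParserError, ArgumentError, OpenSSL::PKey::PKeyError
  nil
end

# Group paths follow the post's layout "/<organisation>/<role sub-group>".
def memberships(claims)
  Array(claims['groups']).filter_map do |path|
    org, role = path.to_s.delete_prefix('/').split('/', 2)
    [org, role] if org && role
  end
end

# The "if user is a member of this sub-group" check from the post, as one call.
def can?(claims, org:, role:)
  memberships(claims).include?([org, role])
end
```

In a Rails app the public key would come from the realm's JWKS endpoint rather than a local key pair, and the check would sit in a controller `before_action`.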