p2-inc / keycloak-orgs

Single realm, multi-tenancy for SaaS apps
https://phasetwo.io

Few questions around realm performance with many orgs, org isolation level and extension release strategy #30

Closed Frank-D closed 1 year ago

Frank-D commented 1 year ago

That’s quite an interesting extension to Keycloak, I’ll definitely give it a try, as I’m currently building a multi-tenant SaaS and was looking at OSS IAM tools such as Keycloak to solve my identity/auth. requirements, but after several readings on the topic, it seems like its OOTB multi-tenant support is far from ideal, which has made me start looking at other OSS IAM solutions.

@xgp, one of the main limitations that I’ve read about Keycloak multi-tenant support is with the 1-tenant-per-realm approach recommendation, where it seems like after hitting around 400 tenants/realms, Keycloak becomes unusable / very slow, I’m sure you’re aware…

(I’m not even evaluating the other Keycloak multi-tenant solution/suggestion of 1 realm total and then 1 tenant per group mapping, it feels a bit hacky to me and also comes with some more important limitations, such as I believe not being able to map a very specific external org./tenant 'IDP' to the mapped tenant/group in Keycloak when configuring Keycloak to act as an ~identity broker (I believe external IDPs would apply to the entire realm OOTB if I'm not wrong..), even though all this is a very common requirement in the multi-tenant B2B industry…)

Having said all that, I would have a few questions for you re that extension:

Q1- Do you know roughly how many tenants/organizations your extension can support, before Keycloak starts to fall on its knees? If you don’t know, perhaps you know a minimum number that you know for sure still works pretty well, from the current production projects that you briefly mentioned above that are using your extension? (else, perhaps it would be interesting to run some kind of quick load/perf. testing about it, similar to what this guy has done here around the number of created ‘realms’, but here in the case of this extension around ‘organizations’)

Q2- Can you confirm my below understanding re your explanation:

Identity Providers provide a subset of the Keycloak IdP APIs that allows Organization administrators to manage their own IdP.

Does this allow me to configure unique & isolated external IDP(s) by organization/tenant (e.g. external IDP A and B for org. 1, and IDP C for org. 2)? Is this purely a UI/API admin configuration feature addition, or is there anything else I’m missing with this? Is everything else the same as with Keycloak OOTB functionalities around external identity configs? (e.g., same protocols supported SAML/OIDC, email/domain mapping, IdP-initiated supported, etc.)

Q3- What is your docker image release strategy? e.g., I see that you released for instance the latest Keycloak version 20.0.3 (currently) patched with your extension the same day Keycloak made the same version available (quite impressive!); going forward, do you plan on always trying to keep up with their releases in a matter of days/weeks/months, or even sometimes skip versions etc.? I’m just trying to see what to expect if I start using your extension and depend on it for years to come, what it may look like… (obviously, no one has a crystal ball, I understand that, so perhaps what are your short/mid term goals here…).

Q4- In preparation for the worst, to manage expectations ahead of time prior to selecting this nice extension, I’m wondering what would be a great ~opt-out migration strategy, if this extension ever stops being released/maintained, in order to get back on the Keycloak latest vanilla/OOTB version? Would there be an easy way, you think, to extract all the custom data that this extension introduces (e.g. the new entities and relations to new or existing/OOTB entities/models) by API? If yes, then I suppose one strategy could be to get a new realm created for each extracted organization (and then all the rest should follow, e.g. clients, users, roles, etc.), would that make some sense to you?

Q5- Is creating questions/issues over here the best place to ask any other further questions about this extension, or are there any other ways / locations that are preferred? For instance, I tried posting the exact same message on this Discourse topic, but my message was removed and has been pending approval for several weeks as I am a new user to Discourse, hence not the best experience for new Discourse users like me wanting to try your extension but having questions..

I am seriously considering using this extension, especially since it seems to be supporting the current latest Keycloak version at the time of this writing, e.g. 20.0.3, even as a docker image, which is really great to me.

many thanks!

xgp commented 1 year ago

@Frank-D Thanks for the great questions and considerate writeup. Let me briefly try to answer your questions, and then we can follow up with more detail if necessary:

Q1 - We have a customer using it with just over 10k organizations with no problems. We haven't tested for theoretical limitations.

Q2 - Yes that is possible. It is implemented using the normal "ootb" Keycloak implementations. It uses some additional models related to the org and some authenticators to direct the user (based on email domain, or by directly selecting their org) to the appropriate IdPs.

Q3 - Our current strategy is to release for each version Keycloak releases. We have several patches and some acceptance tests for our patches and extensions, so the timing will depend on difficulty of merging the patches and any incompatibilities that are introduced.

Q4 - There is no ability to preserve the functionality without the extensions installed.

Q5 - This is a great place to ask questions right now. We (Phase Two) are going to add a place (probably our own Discourse installation or Github issues in a separate repo) for questions, but that's not done.

Frank-D commented 1 year ago

Thanks a lot for your answers @xgp.

Q1- 👌

Q2- Excellent. And good enough for now. Once I'm ready to start evaluating the extension, I may come back and ask if there is any doc/how-to guide to implement this in particular (..but also anything that would cover/explain all the added functionalities of this extension and how to use them etc., if at all available...), but I may first simply try to discover the feature by myself in the Keycloak extended UI and see. Thanks

Q3- 👌

Q4- I understand. However, I wasn't expecting to preserve the added functionality that comes with your extension, but rather, I'm looking for some kind of emergency / least-worst option/solution if ever you guys change direction and stop supporting that open source initiative etc. It's just harder to convince people around me to 'deviate' from the standard Keycloak OOTB version and become dependent on an extension like that, without having any sort of exit plan in case the worst happens.

So basically, knowing that exiting this extension means losing its amazing multi-tenant extra capabilities, can we still extract the organizations data (~export, by API or through the UI), and try our best to remap those to standard OOTB Keycloak models like either multi-realms or multi-groups (e.g. the current multi-tenant Keycloak OOTB solutions, that obviously come with their limitations and are not nearly as great as your extension, but at least there would be a plan B or C...)...does that make any sense to you, and do you see this as feasible at all?

Or you may say there is simply no [API | UI] functionality to extract any orgs-related data right now, and so the only way to get it is to go straight into the database, find the related extended tables and extract/dump the data manually, and then obviously it's up to us to decide what plan B to apply, whether it would be to go with the multi-realms or one-realm-and-multi-groups approach and map each extracted org. to that multi model whatever it is, and hope for the best, knowing this is a plan B with reduced multi-tenant functionality compared to your extension..

Is that it? Having an extension exit plan B for this actually means being more confident to adopt the extension in the first place. ; )

Q5- 👌

xgp commented 1 year ago

Regarding Q4, you can certainly export the data from the database or via the APIs. API docs are here: https://phasetwo.io/api/
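An added example (not Phase Two's or the extension's own code) of the plan-B export that the last reply points at: it walks the organizations API and remaps each org onto the vanilla one-realm / group-per-tenant layout as a Keycloak partial-import body. The endpoint paths and response field names are assumptions based on https://phasetwo.io/api/ and must be checked against the docs; the HTTP GET is injected so the constructed sample responses below run offline, and org-scoped IdPs, which plain groups cannot express, are reported separately for manual recreation.

```python
"""Plan-B export: Phase Two orgs -> vanilla Keycloak groups (partial import)."""
import json
from typing import Callable, Dict, List

# Assumed endpoint shapes (verify against https://phasetwo.io/api/).
ORGS = "/realms/{realm}/orgs"
MEMBERS = "/realms/{realm}/orgs/{org}/members"
IDPS = "/realms/{realm}/orgs/{org}/idps"


def export_orgs(get: Callable[[str], list], realm: str) -> List[dict]:
    """Collect name, domains, member usernames and IdP aliases per org."""
    out = []
    for org in get(ORGS.format(realm=realm)):
        oid = org["id"]
        out.append({
            "name": org["name"],
            "domains": org.get("domains", []),
            "members": [m["username"] for m in get(MEMBERS.format(realm=realm, org=oid))],
            "idps": [i["alias"] for i in get(IDPS.format(realm=realm, org=oid))],
        })
    return out


def plan_b(realm: str, orgs: List[dict]) -> dict:
    """One top-level group per org; users joined to every org they belonged to.
    Org-scoped IdPs have no group-level equivalent, so they are listed for
    manual recreation as realm-wide IdPs rather than silently dropped."""
    users: Dict[str, dict] = {}
    for o in orgs:
        for u in o["members"]:
            users.setdefault(u, {"username": u, "enabled": True, "groups": []})
            users[u]["groups"].append("/" + o["name"])
    body = {
        "realm": realm,
        "groups": [{"name": o["name"], "attributes": {"domains": o["domains"]}} for o in orgs],
        "users": list(users.values()),
    }
    return {"import": body, "idps_to_recreate": {o["name"]: o["idps"] for o in orgs}}


# Constructed sample responses standing in for live API calls.
FAKE = {
    "/realms/demo/orgs": [{"id": "o1", "name": "acme", "domains": ["acme.example"]},
                          {"id": "o2", "name": "globex", "domains": []}],
    "/realms/demo/orgs/o1/members": [{"username": "alice"}, {"username": "bob"}],
    "/realms/demo/orgs/o2/members": [{"username": "bob"}],
    "/realms/demo/orgs/o1/idps": [{"alias": "acme-saml"}],
    "/realms/demo/orgs/o2/idps": [],
}


def demo() -> dict:
    return plan_b("demo", export_orgs(FAKE.__getitem__, "demo"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `import` part can be posted to the admin `partialImport` endpoint of the target realm; the `idps_to_recreate` map is the list of IdPs that must be configured by hand afterwards.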