How to properly do delegated user self-administration with Keycloak

Question

I’ve got questions on how to properly do delegated user self-administration with Keycloak.

Some background information:

• We are working with hundreds or even thousands of organizations for which we want to manage access to our applications.
• Some of these organizations are our internal divisions for which we have active directories. Users from these organizations can be integrated through “User Storage Federation” and they will continue to be maintained in the respective directories.
• Some of these organizations are part of larger organizations which have proper identity providers. Users from these organizations can be integrated through “Identity Brokering” and they will continue to be maintained in the respective identity providers.
• For the remaining external organizations (and there are a lot of them) we would have to maintain user accounts ourselves and we would like to delegate that maintenance work to a designated user self-administrator within the external organization.
• A user self-administrator should be able to view, create, lock and unlock user accounts within the same organization.
• Optionally a user self-administrator should be able to grant or revoke access to particular (sets of) applications for the users he is allowed to administer.

I do understand that this could probably be achieved through separate realms and “Dedicated Realm Admin Consoles”, but as far as I understand these realms would be entirely separate. This would mean that we would have to set up clients hundreds of times for each of the organizations. We would have to figure out how to direct each user to the proper realm for authentication and each organization would have its own login page.

• Does Keycloak have something like the notion of “sub-realms” where a user can authenticate against a realm, if there is a corresponding user account in the realm itself or in one of the sub-realms?
• It is probably possible to use the “User Storage SPI” to write a custom User Storage Federation Provider, but does that make sense? Would it perform well?
• Another option would probably be to write a custom User Self-Administration application using the “Admin REST API”. (Unfortunately there is not even an API to retrieve users filtered by anything other than base properties, so the application could end up retrieving thousands of user accounts to find five accounts belonging to a particular organization.)
• The third option would be to customize Keycloak itself, but we are no Java experts, so is this advisable?
• Has anyone implemented a scenario like this with Keycloak?
• Does anyone know whether there are any plans to extend Keycloak to better support a scenario like this?

Thanks, Michael

Answer 1

KeyCloak has a preview feature that could potentially be used: Fine Grain Admin Permissions. As the name implies it allows to control the administration permissions at a fine granularity.

A potential setup could like so:

• Create a group (e.g. org-123) for each organization that requires self-administration in Keycloak.
• Add all users of that organization to group org-123.
• Create another group (e.g. org-123-admin) for the administrators of the organizations and assign the administrator users to it.
• Enable permissions on group org-123 and create a permission on this group:
  • Resource: the group org-123
  • Scopes: view-members and manage-members
  • Policy: new policy of type group that includes the group org-123-admin
• Assign the role query-users of the client realm-management to the administrator users

Administrator users should now be able to login to the dedicated console https://keycloak.domain-name.com/auth/admin/realm-name/console/#/realms/realm-name/users. They can search for users and will only find the users in the group org-123. And they can modify these users.

It depends on your use case whether this is fine-granular enough or not. Possibly the administrators can modify too many things on a user.