How to run two instances of keycloak - keycloak

My requirement is such that I have an application authenticated via keycloak. Suppose my current keycloak fails, I need a second instance of keycloak running in parallel so there is no downtime.
Can someone provide some reference on how to create 2 or more instances such that if one fails the other one can continue providing authentication?
Thanks,
Radhakrishnan

A clustered installation of Keycloak would allow for high availability and tolerate the failure of a single instance. The Keycloak and Wildfly documentation referenced below explain the particulars:
https://www.keycloak.org/docs/latest/server_installation/#_clustering
http://docs.wildfly.org/18/High_Availability_Guide.html#JGroups_Subsystem

Related

Keycloak Quarkus cluster replication

Good morning,
we have a use case that involves 2 different Windows environments, in which the applications should authz against a keycloak server.
The first environment contains the leading AD, which is replicated once a day into the second environment, since the second environment must not query the AD of the first one. This is a firewalling policy.
Now our thought is to use keycloak as a “bridge” between the two environments, having a keycloak server in the first environment reading the AD with user federation turned on.
In the second environment the keycloak server somehow replicates with the first one, in the best case via HTTPS (which could pass the firewall) so the applications and users in the second environment can authz with the same credentials as in the first environment.
Is there a way to achieve this or something similar?
thx in advance
Frank

Import client across multi-realms Keycloak

I want to configure Keycloak to work across multi-tenancy / realms, so how do I configure a client to work across multiple realms?
If you have a client application that is multi-tenant aware and every tenant is mapped to a different realm, different clients within a single realm, or a combination of both, you may want to implement a KeycloakConfigResolver in your client application and keep separate configs per client.
Assuming you are using Java and OIDC, check out the adapter documentation for multi-tenant support.
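As an added illustration of the approach described above (not code from the original answer or from the Keycloak project), here is a KeycloakConfigResolver for the Java OIDC servlet adapter that selects a realm from the first path segment of the request. It assumes one adapter JSON file per tenant on the classpath, named like /tenant-a-keycloak.json, and that the tenant names are plain lowercase identifiers.

```java
import java.io.InputStream;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.OIDCHttpFacade;

/**
 * Resolves the Keycloak deployment per tenant, where the tenant is the first
 * path segment of the request, e.g. /tenant-a/orders -> realm "tenant-a".
 * Assumption: one adapter config per realm on the classpath, /<tenant>-keycloak.json.
 */
public class PathTenantConfigResolver implements KeycloakConfigResolver {

    // Parsed deployments are cached per tenant; building one reads and
    // validates the adapter config, which should not happen on every request.
    private final Map<String, KeycloakDeployment> cache = new ConcurrentHashMap<>();

    @Override
    public KeycloakDeployment resolve(OIDCHttpFacade.Request request) {
        String tenant = tenantFromPath(request.getRelativePath());
        return cache.computeIfAbsent(tenant, this::loadDeployment);
    }

    // Extracts the tenant and accepts only a plain identifier, so a crafted
    // path can never select an arbitrary classpath resource as realm config.
    static String tenantFromPath(String relativePath) {
        String[] parts = relativePath == null ? new String[0] : relativePath.split("/");
        String tenant = parts.length > 1 ? parts[1] : "";
        if (!tenant.matches("[a-z0-9-]{1,32}")) {
            throw new IllegalStateException("Request path does not name a valid tenant: " + relativePath);
        }
        return tenant;
    }

    private KeycloakDeployment loadDeployment(String tenant) {
        // Hypothetical naming convention for the per-realm adapter files.
        InputStream config = getClass().getResourceAsStream("/" + tenant + "-keycloak.json");
        if (config == null) {
            throw new IllegalStateException("No adapter config found for tenant " + tenant);
        }
        return KeycloakDeploymentBuilder.build(config);
    }
}
```

The resolver is registered with the servlet adapter through the keycloak.config.resolver context parameter in web.xml; an unknown tenant deliberately fails the request rather than falling back to a default realm.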

Does Keycloak need a database

I have setup Keycloak as a SAML broker, and authentication is done by an external IdP provided by the authorities. Users logging in using this IdP are all accepted and all we need from Keycloak is an OAuth token to access our system.
I have tried both the default setup using H2 and running with an external MariaDB.
The external IdP provides us with a full name of the user and a personal ID. Both data are covered by GDPR and I really do not like the sound of storing that data in a database running in the DMZ. Opening up for Keycloak to access a database in the backend is also not a good solution, especially when I do not need users to be stored.
The benefit of running without a database is that I have a simpler DMZ setup as I really do not need to store anything about the users but on the backend.
Do I need a database, and if not how do I run Keycloak without it?
Do I need a database, and if not how do I run Keycloak without it?
Yes, however, out-of-the-box Keycloak runs without having to deploy any external DB. From the Keycloak official documentation section Relational Database Setup one can read:
Keycloak comes with its own embedded Java-based relational database
called H2. This is the default database that Keycloak will use to
persist data and really only exists so that you can run the
authentication server out of the box.
So out-of-the-box you cannot run Keycloak without a DB.
That being said, from the same documentation one can read:
We highly recommend that you replace it with a more production ready external database. The H2 database is not very viable in high concurrency situations and should not be used in a cluster either.
So regarding this:
The benefit running without a database is that I have a simpler DMZ
setup as I really do not need to store anything about the users but
on the backend.
You would still be better off deploying another DB, because Keycloak stores more than just the user information in the DB (e.g., realm information, groups, roles and so on).
The external IdP provides us with a full name of the user and a
personal ID. Both data are covered by GDPR and I really do not like
the sound of storing that data in a database running in the DMZ.
Opening up for Keycloak to access a database in the backend is also
not a good solution, especially when I do not need users to be stored.
You can configure that IDP and Keycloak in a manner that users are not imported into Keycloak when they authenticate.

Keycloak should be deployed as a separate microservice, what does it mean?

What can it be for, what logic can be there?
I suppose there should be a connection to keycloak, maybe checking access to create roles and users, am I right or wrong?
It may mean that you need to deploy Keycloak in its own container, separate from the apps.

How to deploy multitenant Orion without direct MongoDB admin access

I am trying to deploy Orion on my own infrastructure, while using a hosted solution for MongoDB. With the hosting plans that I want to use, it is not possible to have access to the admin database.
Is there any way I can achieve multitenancy without access to the admin database?
I would like to have at least three tenants, but I can live with the fact that they must be created outside of Orion.
The current Orion version (0.22.0) uses the admin database to authenticate in the multitenant case. However, a workaround is possible: set up different contextBroker processes (each one listening on a different port), each one running in mono-tenant mode (i.e. without -multiservice enabled) with a different -db, -dbuser and -dbpwd.