Why would there be a need for more than 1 realm in Keycloak?

I am new to Keycloak and have been reading the documentation. There is a term realm that I understand as a unique user/client management instance. Realms cannot communicate. I am curious why anyone would have more than 1 realm besides master. What would the use case be? What is the reason to have other realms than just master?

asked Oct 24 '25 14:10 by tswanson-cs


2 Answers

I am curious why anyone would have more than 1 realm besides master.

From the Keycloak documentation itself one can read:

Master realm - This realm was created for you when you first started Keycloak. It contains the admin account you created at the first login. You use this realm only to create other realms.

A realm defines a cosmos for users and permissions, with the option to use it for one or multiple applications.

Now assume you want to have multiple applications in one organization, and each application needs its own permissions.

If you put them all into one realm, you would mess up your complete settings, since your permission naming will contain ALL applications. Also you will need to define an enterprise mandatory naming scheme of the permissions and parameters. This may work, but what would happen if your enterprise acquires a new company without such a naming scheme?

So with the structuring of the realms, your security team can freely decide how many applications live under the hood of ONE realm, or whether each application gets its own realm.

answered Oct 27 '25 06:10 by cilap


I don't know what the documentation said at the moment the question was asked, but now in 2023 the documentation says:

"You create a realm to provide a management space where you can create users and give them permissions to use applications. ... When deciding what realms you need, consider the kind of isolation you want to have for your users and applications. For example, you might create a realm for the employees of your company and a separate realm for your customers. Your employees would log into the employee realm and only be able to visit internal company applications. Customers would log into the customer realm and only be able to interact with customer-facing apps."

So it's about the semantics of what kind of user you plan to have in a realm. You would use 2 realms when you have 2 semantically disjoint sets of users.

Other examples where you probably never want to mix users:

  • You manage user accounts for 2 different customers.
  • You want to have a productive identity-management system and a dedicated system for testing purposes.
answered Oct 27 '25 05:10 by anion
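The isolation both answers describe (separate user stores and client registrations per realm in the first, disjoint user populations such as employees versus customers in the second) shows up concretely at the token level. Below is an added example, not code from the question, the answers, or the Keycloak project: a toy model of two realms in which each realm has its own issuer URL of the form `<base>/realms/<name>` and its own signing key, so a token minted for the `employees` realm fails verification against an application pinned to the `customers` realm, and an employee account cannot authenticate in the customer realm at all. The hostname, realm names, client ids and users are constructed; HMAC-SHA256 with a per-realm secret stands in for the RS256 key pair Keycloak uses by default, so the script runs offline with the standard library only.

```python
# Added example, not from the original Q&A or the Keycloak project: a toy model
# of why two Keycloak realms are isolated. Every realm has its own issuer URL
# (<base>/realms/<name>), its own signing key, its own clients and its own users.
# Assumption: Keycloak signs with RS256; HMAC-SHA256 with a per-realm secret
# stands in for the realm key pair so this runs offline with the stdlib.
import base64
import hashlib
import hmac
import json
import secrets
import time

BASE_URL = "https://keycloak.example.internal"  # constructed hostname


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Realm:
    """One realm: its own issuer, signing key, registered clients and user store."""

    def __init__(self, name, client_ids):
        self.name = name
        self.issuer = f"{BASE_URL}/realms/{name}"
        self.key = secrets.token_bytes(32)      # stand-in for the realm's RS256 key pair
        self.client_ids = set(client_ids)       # clients registered in this realm only
        self.users = {}                         # username -> (salt, pbkdf2 digest)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = (salt, digest)

    def issue_token(self, username, password, client_id, ttl=300):
        """Password grant checked against this realm's own users and clients."""
        record = self.users.get(username)
        if record is None:
            raise PermissionError(f"{username!r} does not exist in realm {self.name!r}")
        salt, digest = record
        check = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(check, digest):
            raise PermissionError("invalid credentials")
        if client_id not in self.client_ids:
            raise PermissionError(f"client {client_id!r} is not registered in realm {self.name!r}")
        now = int(time.time())
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": self.issuer, "sub": username, "aud": client_id,
                  "azp": client_id, "iat": now, "exp": now + ttl}
        signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
        signature = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(signature)


def verify_token(token, realm, client_id, now=None):
    """Resource-server check: signature under the pinned realm's key, then iss/aud/exp."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    expected = hmac.new(realm.key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise PermissionError("signature does not verify under this realm's key")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != realm.issuer:
        raise PermissionError(f"issuer {claims.get('iss')!r} is not {realm.issuer!r}")
    if claims.get("aud") != client_id:
        raise PermissionError("token was issued for a different client")
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        raise PermissionError("token expired")
    return claims


def rejected(action):
    """True if the zero-argument callable raises PermissionError."""
    try:
        action()
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    employees = Realm("employees", ["intranet"])
    customers = Realm("customers", ["shop"])
    employees.add_user("alice", "correct horse")
    customers.add_user("bob", "battery staple")
    token = employees.issue_token("alice", "correct horse", "intranet")
    print(verify_token(token, employees, "intranet")["iss"])
    print(rejected(lambda: verify_token(token, customers, "shop")))
    print(rejected(lambda: customers.issue_token("alice", "correct horse", "shop")))
```

The pinned issuer is the practical takeaway: a customer-facing application configured against `/realms/customers` should reject any token whose `iss` (and signature) belongs to another realm, which is exactly the separation the second answer's employees-versus-customers example relies on. Keycloak versions before 17 served realms under `/auth/realms/<name>`; newer versions drop the `/auth` prefix.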


