Keycloak recommends limiting access to the Master realm, or operating without it altogether for improved security and separation of concerns.
Before proceeding with that approach, however, it’s critical to ensure that each of your other realms has at least one administrator with the appropriate permissions. Once this is in place, you can safely disable the Master realm and manage all other realms through their dedicated admin accounts.
To set this up:
- Log in to the Master Admin Console at:
  https://your-domain:port/auth/admin/master/console
- From the Realms dropdown in the top-left corner, select the realm you want to configure.
- Navigate to Groups under the Manage section to begin assigning the necessary roles and permissions, as shown in the screenshot below.

Under Groups Management, create a new group that will hold the necessary roles for administering this specific realm via the Admin Console (either web UI or CLI).
Once the group is created, go to the Role Mappings tab and assign all available roles under realm-management to the group, as shown in the screenshot below.

Next, add the realm admin user to the admin group, then log in to the realm console to verify: https://domain:port/auth/admin/YOUR_REALM/console
Once everything looks good, go back to your master realm, and disable it.
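A pre-flight check for the requirement above that every other realm has a working administrator before master is disabled. This is an added example, not part of the original post. It runs over a constructed snapshot; the keys `realm_management_roles`, `admin_group_roles` and `admin_group_members`, the function names, and the realm, role subset and user names are assumptions made for illustration.

```python
import json

# Constructed sample data: entries mirror Admin REST API role representations
# ("name") and user representations ("username", "enabled"); contents are invented.
SNAPSHOT = json.loads("""
{
  "sales": {
    "realm_management_roles": [{"name": "manage-users"}, {"name": "manage-clients"}, {"name": "view-realm"}],
    "admin_group_roles":      [{"name": "manage-users"}, {"name": "manage-clients"}, {"name": "view-realm"}],
    "admin_group_members":    [{"username": "alice", "enabled": true}]
  },
  "hr": {
    "realm_management_roles": [{"name": "manage-users"}, {"name": "manage-clients"}, {"name": "view-realm"}],
    "admin_group_roles":      [{"name": "manage-users"}, {"name": "view-realm"}],
    "admin_group_members":    [{"username": "bob", "enabled": false}]
  },
  "dev": {
    "realm_management_roles": [{"name": "manage-users"}, {"name": "view-realm"}],
    "admin_group_roles":      [{"name": "manage-users"}, {"name": "view-realm"}],
    "admin_group_members":    []
  }
}
""")

def check_realm(snap):
    """Return the reasons this realm could not be administered without master."""
    available = {r["name"] for r in snap["realm_management_roles"]}
    granted = {r["name"] for r in snap["admin_group_roles"]}
    problems = []
    missing = sorted(available - granted)
    if missing:
        problems.append("admin group lacks roles: " + ", ".join(missing))
    # A disabled account cannot log in, so it does not count as an administrator.
    if not any(u.get("enabled") for u in snap["admin_group_members"]):
        problems.append("no enabled user in admin group")
    return problems

def preflight(snapshot):
    """Map realm name -> problems for every non-master realm that is not ready."""
    report = {}
    for realm, snap in snapshot.items():
        problems = check_realm(snap) if realm != "master" else []
        if problems:
            report[realm] = problems
    return report

if __name__ == "__main__":
    for realm, problems in preflight(SNAPSHOT).items():
        print(f"{realm}: do not disable master yet ({'; '.join(problems)})")
```

An empty report from `preflight` means every realm in the snapshot has an admin group holding all realm-management roles and at least one enabled member.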

After disabling the realm you won’t be able to log into it.
To re-enable the Master realm, use the following instructions.
Note: I could not find a better way to do this.
- Update the enabled flag to true in the realm database table:
  update realm set enabled=true where id = 'master';
- Stop the Keycloak Service
- Remove the standalone/data directory
- Start the Keycloak Service
