Disabling the Master Realm

One of the recommendations from Keycloak, is to limit the access to the master realm, or use the system without it.

However, before we do so, you must first ensure that your other realms has an administrator that can manage it. After which, we can safely disable the Master realm and manage our secondary realms using their respective administrative accounts.

To do this, we should first login to the master admin console. That is, login to the default Keycloak Admin Console ( https://domain:port/auth/admin/master/console ). Select the realm that you want to manage from the Realms dropdown on the upper left, and click on Groups management as shown in the screenshot below.

A generic realm, with default generated clients. Note the realm-management Client-ID

Under Groups Management, we will add a new group that contains the roles to allow the management of this specific realm, through the admin console (web or command line).

In the new group, we will navigate to the Role Mappings tab and assign all the available roles for realm-management to the group as shown in the screenshot below.

Next we add our realm admin user to the admin group; login to the realm console and verify: https://domain:port/auth/admin/YOUR_REALM/console

Once everything looks good, go back to your master realm, and disable it.

After disabling the realm you won’t be able to log into it.

To Re-Enable the Master Realm, use the following instructions.

Note: I could not find a better way to do this.

  • Update the enabled flag to true in the realm database table:
  • Stop the Keycloak Service
  • Remove the standalone/data directory
  • Start the Keycloak Service
Advertisements

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.