OpenTalk Multi-Tenancy
As of v0.2.0 of the OpenTalk controller, multi-tenancy is supported and enabled by default. This feature is mostly interesting for larger organizations and will become optional as of v0.3.0.
However, if you want or must use it (depending on the release tag you run), you have to alter your Keycloak setup as follows, otherwise things will not work as expected.
Configuring Keycloak
- Create a new Client scope in your OpenTalk realm with the following parameters:
  1.1 Name: tenancy
  1.2 Type: default
  1.3 Protocol: openid-connect
  1.4 Checkboxes: all the boxes
- Navigate to the tab Mappers
  2.1 Click the new mapper button -> By configuration
  2.2 Choose Hardcoded claim
- Fill in the relevant fields of the new mapper
  3.1 Name: tenant_id
  3.2 Token Claim Name: tenant_id
  3.3 Claim Value: OpenTalkDefaultTenant
  3.4 Save
- Navigate to the Clients section of your realm and select your OtFrontend.
- Click Add client scope and select the newly added tenancy scope as Default.
The new ID should have been added by default in the backend. You can verify this with the k3k-controller tenants command:
docker exec -it 123abcde /controller/k3k-controller tenants list
It should return something like:
id | oidc_id
--------------------------------------+-----------------------
c9677f8c-1234-1234-1234-12348b5b4bfd | OpenTalkDefaultTenant
This command can also set a new id using set-oidc-id, but this would bring the tenant_id assigned to existing users out of sync if the tenant already exists. Make sure that the id equals the result of select tenant_id from users; in the database k3k.
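The following is an added example, not part of the original post or the OpenTalk project: a small POSIX shell check that (a) reads the tenant table as printed by the k3k-controller tenants list command, (b) confirms that every tenant_id found on users in the k3k database exists in that table, and (c) decodes the payload of an ID token to confirm that the hardcoded tenant_id claim carries the oidc_id the controller expects. All three inputs (the tenants table, the users query output and the token) are constructed sample data embedded in the script; the function names are my own. The token check only inspects claims and does not verify the signature, which is the controller's job.

```shell
#!/usr/bin/env sh
# Added example: consistency checks for OpenTalk multi-tenancy.
# All inputs below are constructed samples, not captured from a real deployment.

# Constructed sample of `k3k-controller tenants list` output
TENANTS_LIST='id | oidc_id
--------------------------------------+-----------------------
c9677f8c-1234-1234-1234-12348b5b4bfd | OpenTalkDefaultTenant'

# Constructed sample of `select tenant_id from users;` output (psql style)
USERS_TENANT_IDS='tenant_id
--------------------------------------
c9677f8c-1234-1234-1234-12348b5b4bfd
c9677f8c-1234-1234-1234-12348b5b4bfd
(2 rows)'

# Constructed sample ID token: placeholder header and signature, a real
# base64url payload carrying the hardcoded tenant_id claim from Keycloak.
SAMPLE_JWT="header-placeholder.$(printf '%s' '{"sub":"alice","tenant_id":"OpenTalkDefaultTenant"}' \
    | base64 | tr -d '=\n' | tr '+/' '-_').signature-placeholder"

# Tenant ids (first column) from the controller's table, skipping header and rule
tenant_ids_from_controller() {
    printf '%s\n' "$1" | awk -F'|' 'NR>2 { gsub(/ /,"",$1); if ($1 != "") print $1 }'
}

# Distinct tenant_id values from the users query, skipping header, rule and row count
tenant_ids_from_users() {
    printf '%s\n' "$1" | awk 'NR>2 { gsub(/ /,"",$0); if ($0 != "" && $0 !~ /^\(/) print $0 }' | sort -u
}

# oidc_id (second column) mapped to a given tenant id
oidc_id_for_tenant() {
    printf '%s\n' "$1" | awk -F'|' -v want="$2" \
        'NR>2 { gsub(/ /,"",$1); gsub(/ /,"",$2); if ($1 == want) print $2 }'
}

# Return 0 when every tenant_id referenced by a user is known to the controller,
# 1 otherwise (orphaned ids are reported on stderr)
check_tenant_sync() {
    known=$(tenant_ids_from_controller "$1")
    status=0
    for uid in $(tenant_ids_from_users "$2"); do
        if ! printf '%s\n' "$known" | grep -qx "$uid"; then
            echo "user tenant_id $uid has no matching tenant in the controller" >&2
            status=1
        fi
    done
    return $status
}

# Decode the JWT payload (base64url without padding) and print its tenant_id claim.
# Claims only: this does not check the signature.
tenant_claim_from_jwt() {
    payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#payload} % 4 )) in
        2) payload="${payload}==" ;;
        3) payload="${payload}=" ;;
    esac
    printf '%s' "$payload" | base64 -d 2>/dev/null \
        | sed -n 's/.*"tenant_id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Return 0 when the token's tenant_id claim equals the oidc_id of the given tenant
check_token_claim() {
    expected=$(oidc_id_for_tenant "$1" "$2")
    actual=$(tenant_claim_from_jwt "$3")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

check_tenant_sync "$TENANTS_LIST" "$USERS_TENANT_IDS" && echo "tenant ids in sync"
check_token_claim "$TENANTS_LIST" c9677f8c-1234-1234-1234-12348b5b4bfd "$SAMPLE_JWT" \
    && echo "token tenant_id claim matches controller oidc_id"
```

To run this against a live system, replace the three constructed variables with the real command output (docker exec ... tenants list, the SQL query, and a token obtained from your own frontend session). A non-zero exit from check_tenant_sync is the situation the paragraph above warns about: the controller's tenant id and the users' tenant_id have drifted apart.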
Signature (thanks for reading):
Follow me on Mastodon