Advice on how to create an application with multiple user lists

Hello,

I want to create an application in which I can register different companies, each with their own set of users and roles per user. These companies will then be able to exchange data with each other, so in the backend, some sort of identifier of the sending company and the receiving company must be set on the data package.
Therefore, when a user logs in, I want to be able to extract from the token the company for which he is logged in.
This identifier will then also be used in the backend to determine which user can view which data package (each user can only see data packages that are sent or received by his own company).
There will also be admins (such as myself), who will be able to configure newly connected companies in my application, and there will be company admins, who will be able to create new users only for their company.

Also, in the backend of my application, I want to keep a reference to each company and each user, to provide additional business configurations and to use in the relational model to keep track of who did what.
Ideally, companies and users can be configured in my own application and will be posted to Keycloak via the API.

How can I create this setup in Keycloak? How can I create a differentiation between each company's user list?

Kind regards,
Peter

You’re essentially describing a multi-tenant SaaS application. There are several recommendations for how to achieve this in Keycloak.

  1. Realm per company. Hard to get right, and a lot of boilerplate for each realm.
  2. Group per company. Simpler, but doesn’t do well with users that are members of multiple companies, and need to have different roles between them.
  3. Organization per company. Solves the problems of the above, but requires an extension: GitHub - p2-inc/keycloak-orgs (Single realm, multi-tenancy for SaaS apps).
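A backend-side illustration of option 2 (group per company), added here as an example and not code from the thread or from Keycloak itself. It assumes one Keycloak subgroup per company under /companies, a Group Membership mapper that puts full group paths into a "groups" claim, and two assumed realm roles, app-admin and company-admin.

```python
from dataclasses import dataclass

# Assumed Keycloak layout: one subgroup per company under /companies, exposed by a
# "Group Membership" mapper (full group path on) as the "groups" claim; realm roles
# arrive in "realm_access.roles". Role names below are assumptions for this example.
COMPANY_GROUP_PREFIX = "/companies/"
APP_ADMIN_ROLE = "app-admin"          # operator of the application (Peter's own role)
COMPANY_ADMIN_ROLE = "company-admin"  # a company's own administrator

@dataclass(frozen=True)
class DataPackage:
    package_id: str
    sender: str    # id of the sending company
    receiver: str  # id of the receiving company

def companies_from_claims(claims: dict) -> set[str]:
    """Company ids the caller belongs to; only direct children of /companies count."""
    found = set()
    for path in claims.get("groups", []):
        if path.startswith(COMPANY_GROUP_PREFIX):
            rest = path[len(COMPANY_GROUP_PREFIX):]
            if rest and "/" not in rest:
                found.add(rest)
    return found

def roles_from_claims(claims: dict) -> set[str]:
    return set(claims.get("realm_access", {}).get("roles", []))

def can_view(claims: dict, pkg: DataPackage) -> bool:
    """Visible only if one of the caller's companies sent or received the package;
    the application admin sees everything."""
    if APP_ADMIN_ROLE in roles_from_claims(claims):
        return True
    mine = companies_from_claims(claims)
    return pkg.sender in mine or pkg.receiver in mine

def can_create_user_in(claims: dict, company: str) -> bool:
    """Company admins may create users only for a company they belong to."""
    roles = roles_from_claims(claims)
    if APP_ADMIN_ROLE in roles:
        return True
    return COMPANY_ADMIN_ROLE in roles and company in companies_from_claims(claims)

# Constructed sample claims: payloads of access tokens that a JWT library has
# already verified (signature, issuer, audience, expiry) before reaching this code.
ALICE = {"sub": "u1", "realm_access": {"roles": ["company-admin"]}, "groups": ["/companies/acme"]}
BOB = {"sub": "u2", "realm_access": {"roles": []}, "groups": ["/companies/globex", "/companies/initech"]}
PETER = {"sub": "u3", "realm_access": {"roles": ["app-admin"]}, "groups": []}
```

BOB shows the limitation named in the answer: with groups alone his realm roles are the same in both companies, so a per-company role (company admin for globex only) cannot be expressed without a realm per company or the organizations extension.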