Allowing Customers to Provide Their Own SAML Identity Provider

We are migrating our legacy application to use Keycloak as an identity provider.

Our application has multiple tenants/organization and right now we allow different tenants to configure their own SAML Identity Provider.

In Keycloak, we are going to use a single tenant for the entire application, since having a Keycloak tenant per application tenant will have too much overhead in terms of maintenance (We plan on having multiple applications that will work with Keycloak, all should have SSO)

Does Keycloak support a use case such as this? i.e. having multiple customer defined SAML Identity provider in a single tenant?

There’s no reason you can’t use the Admin API to create functionality that allows customers to set up their own SAML IdPs, but you should be careful about the permissions you give them. You’ll have to do some custom development, because there isn’t really a concept of an “owner” of an IdP, and you’ll probably have to have that concept for a specific role within a customer org (maybe defined by a group?).

Also, you should think about the login flow you want to enforce for this use case. Keycloak’s default behavior will be to create a button for every IdP on the login page, unless it is specified as “hidden”. There are a few threads on discourse and the mailing list about how people have solved this. I have seen:

  1. write a custom Authenticator that allows the user to input the name of the org (IdP alias), and redirect using idp_hint to the correct IdP
  2. segment IdPs based on email domain, store a mapping from email domain to IdP, write a custom Authenticator that takes the input of the UsernameForm Authenticator and redirects using idp_hint to the IdP found in the mapping
  3. use a subdomain (e.g. <idp_alias>, and write a reverse proxy rule and/or custom Authenticator that redirects using idp_hint to the IdP.

Let us know what you come up with.