Best practice for Keycloak multi-tenancy

We have a use-case where a single product backend serves multiple organisations, each with its own customised frontend site and custom domain, but the backend is the same. There is also a single user pool, but every user belongs to exactly one organisation.

I have implemented a user storage SPI to federate users from our DB; I can see the users in Keycloak and can also log in to Keycloak with no problem. What I would like to achieve is to prevent a user from one organisation from logging in to another organisation's website. What would be the best-practice approach to achieve this? We will use direct grant login, not multiple Keycloak login pages.

One option is a custom parameter in the POST login request which holds the organisation id. Would I then need to write a custom Authenticator?

Or maybe a different client for every organisation, but how can I then protect the API resources, which are the same for all organisations?

Or is it possible to solve it via scopes, roles or groups?
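An added example of the "custom Authenticator" option raised in the question above; it is not code posted by anyone in this thread and not part of Keycloak itself. It assumes one confidential client per organisation, each carrying a client attribute named `org_id` (hypothetical name), and that the user storage SPI exposes the user's organisation as a user attribute also named `org_id`. The package and provider id are made up for illustration. The organisation is read from the client that authenticated with its secret rather than from a request parameter, because a form parameter is chosen by the caller and could be forged; an `org_id` parameter, if present, is only checked for consistency.

```java
package com.example.keycloak.tenant; // hypothetical package name

import java.util.List;
import java.util.Objects;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Direct-grant authenticator that refuses a login when the user's organisation
 * does not match the organisation of the calling client.
 *
 * Assumptions (not from the original thread):
 *  - each tenant has its own confidential client with a client attribute "org_id";
 *  - the user storage SPI exposes the user's organisation as user attribute "org_id".
 * Add this execution to a copy of the "direct grant" flow AFTER "Password",
 * mark it REQUIRED, and bind that flow to each tenant client (or to the realm).
 */
public class OrganisationMatchAuthenticator implements Authenticator {

    static final String ORG_ATTRIBUTE = "org_id"; // hypothetical attribute name

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        if (user == null) {
            // Username/password executions run first; with no user resolved, fail closed.
            context.failure(AuthenticationFlowError.INVALID_USER);
            return;
        }

        // Organisation comes from the CLIENT (which proved its secret), not from the caller.
        String clientOrg = context.getAuthenticationSession().getClient().getAttribute(ORG_ATTRIBUTE);
        String userOrg = user.getFirstAttribute(ORG_ATTRIBUTE);

        if (clientOrg == null || clientOrg.isEmpty()) {
            // A client with no organisation must not be usable for tenant logins.
            context.getEvent().detail("reason", "client has no " + ORG_ATTRIBUTE);
            context.failure(AuthenticationFlowError.INTERNAL_ERROR);
            return;
        }

        // Defence in depth: if the frontend also posts org_id, it must agree with the client.
        String requestedOrg = context.getHttpRequest().getDecodedFormParameters().getFirst(ORG_ATTRIBUTE);
        if (requestedOrg != null && !requestedOrg.equals(clientOrg)) {
            context.getEvent().detail("reason", ORG_ATTRIBUTE + " parameter mismatch");
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
            return;
        }

        if (!Objects.equals(clientOrg, userOrg)) {
            // Same error as a wrong password, so the response does not reveal that the
            // account exists in another organisation.
            context.getEvent().detail("reason", "user belongs to another organisation");
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }
        context.success();
    }

    @Override public void action(AuthenticationFlowContext context) { /* no form round-trip */ }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }

    /** Registered via META-INF/services/org.keycloak.authentication.AuthenticatorFactory. */
    public static class Factory implements AuthenticatorFactory {
        public static final String ID = "organisation-match-authenticator"; // hypothetical id

        @Override public Authenticator create(KeycloakSession session) { return new OrganisationMatchAuthenticator(); }
        @Override public String getId() { return ID; }
        @Override public String getDisplayType() { return "Organisation Match"; }
        @Override public String getReferenceCategory() { return "tenant"; }
        @Override public boolean isConfigurable() { return false; }
        @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
            return new AuthenticationExecutionModel.Requirement[] {
                AuthenticationExecutionModel.Requirement.REQUIRED,
                AuthenticationExecutionModel.Requirement.DISABLED };
        }
        @Override public boolean isUserSetupAllowed() { return false; }
        @Override public String getHelpText() { return "Rejects users whose org_id differs from the client's org_id."; }
        @Override public List<ProviderConfigProperty> getConfigProperties() { return List.of(); }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
    }
}
```

This only holds if the per-organisation clients are confidential: with a public client, direct grant identifies the client by `client_id` alone, so a caller could simply present another tenant's `client_id`. For the shared API, the same `org_id` user attribute can be issued as a token claim with a user-attribute protocol mapper, and the backend then scopes every request to the organisation in the token instead of trusting a tenant id from the request.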


Also interested in how this can be implemented. Currently considering if KC is the way to go for our product.

@simonC did you ever get an answer to this? If you ended up implementing this somehow in Keycloak, please share any insight. 🙂

I am also at a point where I am considering either the multi-realm approach, or a single-realm group-based approach. Or a different product altogether.

Not really sure how to implement either of the options correctly.

I wonder why Keycloak’s documentation is lacking in this area, I would assume that it would be a popular topic.

@nosan I have no solution yet … have you found something in the meantime? Currently we have one realm with multiple clients per tenant … but now I have the problem of how to have multiple web domains, one for each client.