Best practice for keycloak multi-tenancy

We have a use-case where we have a single/same product backend serving multiple organisations with their customised frontend sites and custom domains, but the backend is the same. The user pool is also one but every user belongs to one organisation.

I have implemented a user storage SPI too federate users from our DB and I can see users in keycloak and I can login also to keycloak with no problem. What I would like to achieve is restrict login a user from one organisation to login to another organisation website. What would be the best practice approach to achieve this. We will use direct grant login not having multiple keycloak login pages.

One option is having a custom parameter in post request which holds the info of the organisation id on login request. Then I would need to write a custom Authenticator?

Or maybe a different client-s foor every organisation, but how can then protect the API resources which is same for same organisations.

Or is it possible to solve it via scope, rules or groups?

1 Like

Also interested in how this can be implemented. Currently considering if KC is the way to go for our product.