Best practice for modeling multitenant company to employee relationship

Dear all,

We have a pretty common use case, in my opinion, so I am searching for a best practice on how to set up Keycloak to support the requirements. Here are the requirements:

  • we will have 1 application that should be accessible by employees that are from different companies
  • the number of companies and users is dynamic as new companies can be registered to use the application
  • there should be 1 admin user for each company that can manage only his own employees (create, update, remove)

Can this be achieved with a single realm and multiple groups per company?

Hey Danoff,

In our company, we have similar requirements. Additionally, we need to secure multiple applications with Keycloak.
I found an article that describes how to set up a multi-tenancy authenticator in Keycloak here: Using Keycloak for Multi-Tenancy With One Realm | by Dale Bingham | The Startup | Medium. However, this article does not describe how to enable administrative users to manage the users in their own group. I would suggest creating a custom web app that can be accessed by the group admins and utilizes the Keycloak admin API to manage the users. This allows you to have full control over the actions of the group admins. Unfortunately, this is just a workaround and requires creating and maintaining the mentioned web app.
We are still searching for an optimal solution.

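To make the "custom web app in front of the admin API" suggestion from the reply concrete, here is an added example (not code from the thread, from Keycloak, or from the article it links). It assumes a single realm in which every company is a Keycloak group under `/tenants/<company>`, that the group-membership mapper puts the full group path into a `groups` claim of the admin's token, and that company admins carry a realm role named `tenant-admin`; the endpoint paths are those of the Keycloak Admin REST API, while the group naming, role name and the in-memory stand-in used for offline testing are constructed for this example. The security-relevant point is that the tenant is derived server-side from the caller's own token and never from request input, so a group admin cannot list, create into, or delete from another company's group.

```python
"""Tenant-scoped user management in front of the Keycloak Admin REST API.

Added example: a thin service between company admins and the admin API. The
HTTP layer is behind a small interface so the policy can run offline against
an in-memory stand-in. Assumptions: tenant groups live under '/tenants/',
tokens carry a full-path 'groups' claim, and admins hold realm role
'tenant-admin'. Endpoint paths follow the Keycloak Admin REST API.
"""
import json
import urllib.request
from dataclasses import dataclass
from typing import Protocol


class AdminApi(Protocol):
    def get(self, path: str) -> object: ...
    def post(self, path: str, body: dict) -> None: ...
    def delete(self, path: str) -> None: ...


class HttpAdminApi:
    """Real client: calls <base_url>/admin/realms/<realm>/... with a bearer
    token obtained for the web app's own service account (not the end user's)."""

    def __init__(self, base_url: str, realm: str, token: str):
        self.prefix = f"{base_url}/admin/realms/{realm}"
        self.headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}

    def _call(self, method: str, path: str, body: dict = None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.prefix + path, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None

    def get(self, path): return self._call("GET", path)
    def post(self, path, body): self._call("POST", path, body)
    def delete(self, path): self._call("DELETE", path)


class TenantForbidden(PermissionError):
    """Raised when the caller is not a tenant admin or targets another tenant."""


@dataclass
class TenantAdminService:
    api: AdminApi
    tenant_root: str = "/tenants"      # assumed group naming convention
    admin_role: str = "tenant-admin"   # assumed realm role for company admins

    def tenant_of(self, claims: dict) -> str:
        """Derive the caller's company from its own token: it must hold the admin
        role and belong to exactly one tenant group. Request input is never used."""
        roles = claims.get("realm_access", {}).get("roles", [])
        if self.admin_role not in roles:
            raise TenantForbidden("caller lacks the tenant admin role")
        tenants = [g for g in claims.get("groups", []) if g.startswith(self.tenant_root + "/")]
        if len(tenants) != 1:
            raise TenantForbidden("caller must belong to exactly one tenant group")
        return tenants[0]

    def _group_id(self, path: str) -> str:
        return self.api.get(f"/group-by-path/{path.lstrip('/')}")["id"]

    def list_users(self, claims: dict) -> list:
        tenant = self.tenant_of(claims)
        return self.api.get(f"/groups/{self._group_id(tenant)}/members")

    def create_user(self, claims: dict, username: str, email: str) -> str:
        tenant = self.tenant_of(claims)
        # The group is fixed from the caller's tenant, so a user can only be created inside it.
        self.api.post("/users", {"username": username, "email": email, "enabled": True, "groups": [tenant]})
        return tenant

    def remove_user(self, claims: dict, user_id: str) -> None:
        tenant = self.tenant_of(claims)
        members = {u["id"] for u in self.api.get(f"/groups/{self._group_id(tenant)}/members")}
        if user_id not in members:   # refuse to touch anyone outside the caller's own company
            raise TenantForbidden("target user is outside the caller's tenant")
        self.api.delete(f"/users/{user_id}")


class InMemoryAdminApi:
    """Constructed stand-in for the admin API (two tenants, one user each) for offline runs."""

    def __init__(self):
        self.groups = {"/tenants/acme": "g-acme", "/tenants/globex": "g-globex"}
        self.users = {"u1": {"id": "u1", "username": "alice", "group": "/tenants/acme"},
                      "u2": {"id": "u2", "username": "bob", "group": "/tenants/globex"}}

    def get(self, path):
        if path.startswith("/group-by-path/"):
            return {"id": self.groups["/" + path[len("/group-by-path/"):]]}
        if path.startswith("/groups/") and path.endswith("/members"):
            gid = path.split("/")[2]
            gpath = next(p for p, i in self.groups.items() if i == gid)
            return [u for u in self.users.values() if u["group"] == gpath]
        raise KeyError(path)

    def post(self, path, body):
        uid = f"u{len(self.users) + 1}"
        self.users[uid] = {"id": uid, "username": body["username"], "group": body["groups"][0]}

    def delete(self, path):
        del self.users[path.rsplit("/", 1)[1]]
```

In a deployment the web app would validate the admin's access token, pass its claims into `TenantAdminService`, and use `HttpAdminApi` with a service-account token that holds only the `manage-users` and `query-groups` client roles, so the narrow policy above is the only path by which a company admin reaches the admin API.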