we have different subsystems and thought that it would be a good idea to set up a broker per subsystem. But then we found out that Keycloak SSO (login once and jump to another frontend without re-entering credentials) is only possible if all clients/frontends are configured in the same realm.
I am very interested to know what the reasons are for the current implementation. Is it a missing feature or is this a security feature that the SSO is only allowed for clients of one realm?
Does someone know where I can find more information about that? E.g. a specification of how to implement that cross-realm SSO and how to extend Keycloak? Or a specification that describes why it is not allowed to do that?