How to authenticate users from different realms against a single application?

Dear all,

I have the following situation:

My application consists of a frontend and a backend microservice, which both authenticate themselves via the same realm on one Keycloak server. This set-up has been used for development, but now I need to extend it to support multi-tenancy, because in the future each customer (tenant) should get its own realm with individual user accounts. However, since the user’s realm must already be known before logging in, I am wondering if this is even possible with Keycloak.
An alternative would be to work with one single realm for all tenants and to do the mapping (users - tenant) via groups/roles. However, this is not a suitable solution for me, as the tenants should not be able to see each other’s user accounts in Keycloak. I need to have them in different realms.
So my question would be if there is any solution to authenticate users from different realms against a single application?

Your help will be much appreciated.

You can find a lot of discussions here and on the mailing lists about multi-tenancy. There is no one right way to do it.

The multiple realms can be IdPs to a single realm that is used by your application, but your customers must know which realm to use (some people have solved this with a custom authenticator that looks them up by their email address to route them to the correct IdP).

The single realm solution, with mapping done by groups is also a good solution. There is nothing that requires users to “see each other’s user accounts”, unless you are giving them that admin role.

A few docs:

Also, a good ol’ search for “multi tenant keycloak” came up with a lot of great articles.
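An added example (not code from the thread or from Keycloak) of the two pieces the answer above describes: a pre-login lookup that routes a user to a tenant realm by email domain, and a backend that accepts tokens from several realms but only from an explicit allow-list of issuers, each mapped to that realm's own key. The server URL, tenant directory, client ids and per-realm secrets are hypothetical; the endpoint paths follow Keycloak's standard `/realms/<realm>/protocol/openid-connect/...` layout. Tokens are HS256-signed with a constructed per-realm secret so the file runs offline, whereas Keycloak signs RS256 by default and a real backend would map each allow-listed issuer to that realm's JWKS endpoint instead.

```python
"""Route users to their tenant realm; accept tokens from several realms.

Added example, not Keycloak's code. Server URL, tenant directory, client
ids and secrets are hypothetical. HS256 with a per-realm secret stands in
for Keycloak's RS256 keys so the example runs offline.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlencode

KEYCLOAK = "https://sso.example.test"  # hypothetical Keycloak base URL

# Hypothetical tenant directory: email domain -> realm name.
DOMAIN_TO_REALM = {"acme.example": "acme", "globex.example": "globex"}


def issuer(realm: str) -> str:
    """Issuer string Keycloak places in the iss claim of tokens for a realm."""
    return f"{KEYCLOAK}/realms/{realm}"


def realm_for_email(email: str) -> Optional[str]:
    """Pre-login lookup: which realm should this user be sent to?
    Unknown domains return None; show a generic 'sign-in failed' page
    for those rather than revealing which tenants exist."""
    if email.count("@") != 1:
        return None
    domain = email.rsplit("@", 1)[1].strip().lower()
    return DOMAIN_TO_REALM.get(domain)


def authorization_url(realm: str, client_id: str, redirect_uri: str,
                      state: str, nonce: str) -> str:
    """Authorization Code flow URL on the chosen realm's auth endpoint."""
    params = {"client_id": client_id, "response_type": "code",
              "scope": "openid email", "redirect_uri": redirect_uri,
              "state": state, "nonce": nonce}
    return f"{issuer(realm)}/protocol/openid-connect/auth?{urlencode(params)}"


# ---- resource-server side: accept tokens from several realms ----

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed per-realm signing secrets (stand-ins for each realm's JWKS).
REALM_SECRETS = {"acme": b"acme-realm-secret", "globex": b"globex-realm-secret"}

# The allow-list is the trust boundary: an issuer not listed here is never
# accepted, however well-formed or well-signed its token is.
ALLOWED_ISSUERS = {issuer(r): r for r in DOMAIN_TO_REALM.values()}


def sign_token(realm: str, claims: dict) -> str:
    """Mint a test token the way realm <realm> would (HS256 stand-in)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"iss": issuer(realm), **claims}).encode())
    sig = hmac.new(REALM_SECRETS[realm], f"{header}.{payload}".encode(),
                   hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, audience: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the caller's identity (realm, sub, email) or None.

    The iss claim is read before the signature is checked, but only to pick
    which realm's key to verify with, and only if it is on ALLOWED_ISSUERS.
    Signature, exp and aud are then all checked before anything is returned.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # bad structure, bad base64, bad JSON
        return None
    realm = ALLOWED_ISSUERS.get(payload.get("iss"))
    if realm is None or header.get("alg") != "HS256":
        return None
    expected = hmac.new(REALM_SECRETS[realm], f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return None
    return {"realm": realm, "sub": payload.get("sub"), "email": payload.get("email")}


if __name__ == "__main__":
    realm = realm_for_email("alice@acme.example")
    print(authorization_url(realm, "frontend", "https://app.example.test/cb", "s1", "n1"))
    tok = sign_token("acme", {"sub": "u-1", "aud": "backend", "exp": 2_000_000_000,
                              "email": "alice@acme.example"})
    print(verify_token(tok, "backend"))
```

If you broker the tenant realms through one application realm instead, the same email lookup can return the IdP alias and append `kc_idp_hint=<alias>` to the application realm's auth URL so the user skips the realm's login page; the backend-side allow-list check stays the same either way, and it is the part that stops a token from an attacker-controlled issuer from ever reaching key lookup.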