Keycloak for an enterprise SaaS

I’d like to get some advice on our use case and whether this is one that other people have used Keycloak for. I’ve read some of the documentation on multi-tenancy; however, it’s still not clear in practice how this works, as it talks a lot about adding specific configuration files.

Our use case is that we are a B2B SaaS product. We have a mixture of ‘shared’ environments in different regions (e.g. EU and USA) plus some ‘private’ installations of our product which are still cloud-based SaaS, but just hosted separately from the shared multi-tenant environments.

Currently we have standard username/password based auth for all of these, and each environment has its own database table with users.

Due to customer demand, we now want our clients to be able to configure SSO with their own identity service. For example:

Tenant A might use Azure AD, so they want to set up and configure all users in their own AD and just connect our app to this so users don’t need separate credentials.

Tenant B might use GSuite, so they want to have this as a way to log in.

Tenant C might just want to use usernames and passwords (along with 100s of other smaller tenants).

The big question is: is this all possible, and how is it best configured? If we have multiple regions, is it best to have one single ‘global’ identity service for all shared and private tenants? Or is it better to have a different Keycloak instance per environment (or perhaps per region)?

Is there a viable way to have admins (our customers) self-manage this? Or would we need to do this ourselves for them in Keycloak?

I’d really appreciate it if anyone has been through something similar or can point me in the direction of a case study, as so far I haven’t found anything that covers this use case.


Have a look at how other identity and access management vendors (e.g., Okta, Auth0) solve this problem and that will give you an idea as to which parts of the problem Keycloak can solve.

Also see: Multi-Tenancy - realm resolution based on username (email address)
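To make the pattern behind the two questions above concrete (one realm per tenant with a brokered IdP for tenants that bring their own, plus realm resolution from the login e-mail), here is an added example. It is not code from this thread and not Keycloak's own code; it builds the request bodies that Keycloak's Admin REST API accepts for `POST /admin/realms` and `POST /admin/realms/{realm}/identity-provider/instances`, and shows the front-door routing an app does before redirecting to the right realm. Tenant names, e-mail domains, client ids, secrets, the Entra ID tenant GUID and the `KEYCLOAK_URL` / `KEYCLOAK_ADMIN_TOKEN` environment variables are all made-up placeholders.

```python
"""Realm-per-tenant provisioning plan and login routing for Keycloak.

Added example (not from the original thread, not Keycloak's own code). Every
tenant, domain, client id, secret and URL here is a constructed placeholder.
"""
import json
import os
import re
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional

REALM_NAME = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")  # our own rule; realm names end up in URL paths
ENTRA = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"  # placeholder tenant


@dataclass
class Tenant:
    realm: str                   # one Keycloak realm per customer: users, IdPs and admins stay isolated
    email_domains: list          # domains the front door routes to this realm
    idp: Optional[dict] = None   # None = username/password only (the long tail of small tenants)


# Constructed sample tenants (placeholders, not real customer data).
TENANTS = [
    Tenant("tenant-a", ["tenant-a.example"], {
        "alias": "azure-ad", "providerId": "oidc",
        "config": {"clientId": "placeholder-client-id", "clientSecret": "placeholder-secret",
                   "issuer": f"{ENTRA}/v2.0",
                   "authorizationUrl": f"{ENTRA}/oauth2/v2.0/authorize",
                   "tokenUrl": f"{ENTRA}/oauth2/v2.0/token",
                   "defaultScope": "openid email profile"}}),
    Tenant("tenant-b", ["tenant-b.example"], {
        "alias": "google", "providerId": "google",
        "config": {"clientId": "placeholder-google-id", "clientSecret": "placeholder-secret",
                   "hostedDomain": "tenant-b.example"}}),   # only that Workspace domain may log in
    Tenant("tenant-c", ["tenant-c.example"]),               # passwords only, no broker
]


def realm_payload(t: Tenant) -> dict:
    """RealmRepresentation body for POST /admin/realms."""
    if not REALM_NAME.match(t.realm):
        raise ValueError(f"unsafe realm name: {t.realm!r}")
    return {"realm": t.realm, "enabled": True, "displayName": t.realm,
            "registrationAllowed": False,     # tenant admins create users; no open self-signup
            "loginWithEmailAllowed": True,
            "bruteForceProtected": True}      # lockout for the password-only tenants


def idp_payload(idp: dict) -> dict:
    """IdentityProviderRepresentation body for .../identity-provider/instances."""
    return {"alias": idp["alias"], "providerId": idp["providerId"], "enabled": True,
            # Do not let the IdP's e-mail claim silently link to an existing account;
            # the first-broker-login flow then requires e-mail verification instead.
            "trustEmail": False,
            "storeToken": False,              # upstream tokens are not needed by the app
            "config": {**idp["config"], "syncMode": "IMPORT"}}


def provision_plan(t: Tenant) -> list:
    """Ordered (method, path, body) admin calls that stand up one tenant."""
    steps = [("POST", "/admin/realms", realm_payload(t))]
    if t.idp:
        steps.append(("POST", f"/admin/realms/{t.realm}/identity-provider/instances",
                      idp_payload(t.idp)))
    return steps


def execute(plan: list, base_url: str, admin_token: str) -> list:
    """Send a plan to a live Keycloak and return the HTTP statuses (201 on success)."""
    statuses = []
    for method, path, body in plan:
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=json.dumps(body).encode(), method=method,
            headers={"Authorization": f"Bearer {admin_token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            statuses.append(resp.status)
    return statuses


def realm_for_login(email: str, tenants=TENANTS) -> Optional[Tenant]:
    """Front-door routing: pick the tenant from the e-mail domain, case-insensitively."""
    if email.count("@") != 1:
        return None
    domain = email.rsplit("@", 1)[1].strip().lower()
    return next((t for t in tenants if domain in t.email_domains), None)


def login_url(base_url: str, t: Tenant, client_id: str, redirect_uri: str, state: str) -> str:
    """Authorization URL in the tenant's realm; kc_idp_hint skips Keycloak's login page."""
    q = {"client_id": client_id, "response_type": "code", "scope": "openid email",
         "redirect_uri": redirect_uri, "state": state}
    if t.idp:
        q["kc_idp_hint"] = t.idp["alias"]
    return f"{base_url.rstrip('/')}/realms/{t.realm}/protocol/openid-connect/auth?" + urllib.parse.urlencode(q)


if __name__ == "__main__":
    base, tok = os.environ.get("KEYCLOAK_URL"), os.environ.get("KEYCLOAK_ADMIN_TOKEN")  # hypothetical
    for tenant in TENANTS:
        plan = provision_plan(tenant)
        print(execute(plan, base, tok) if base and tok else json.dumps(plan, indent=2))
```

Without the two environment variables the script only prints the plan, so it is safe to run offline. The realm-per-tenant layout is what makes customer self-service tractable: grant the customer's admin the `realm-admin` role of the `realm-management` client inside their own realm, and they can manage their users and broker settings without seeing any other tenant. It also bounds the blast radius of a misconfigured or hostile customer IdP, since brokered identities can only be linked to accounts in that tenant's realm. Whether those realms live on one global Keycloak or one per region is then mostly a data-residency and availability question rather than an identity one.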