We’re trying to create a SaaS with multi-tenancy, and would like to extract the tenant information (and hence the Keycloak realm to use) based on the username the user is trying to login as.
Is that possible? How?
Deciding which tenant a login belongs to can be done by either putting the tenant information in the application hostname, e.g. https://customer1.oursaas.com, or by looking at the username entered by the user, e.g.

And we’d like to extract the tenant/realm customer1.com from the username entered. But how do we get around the chicken-and-egg situation, where we need to include the realm in the Keycloak URL but the realm is only known after the user has entered his username on the Keycloak server?
The Multi Tenancy documentation has a code example that shows code selecting a tenant based on realm variables. First of all I think realm are undefined in the example (tracked separately in KEYCLOAK-15065). But more importantly, the only input to:
public KeycloakDeployment resolve(OIDCHttpFacade.Request request)
is the HTTP request, so it doesn’t reveal how it is possible to extract the tenant/realm from the username. My guess is also that this method is called before the username has been entered by the user.
Further, Multi Tenancy says:
Multi Tenancy, in our context, means that a single target application (WAR) can be secured with multiple Keycloak realms. The realms can be located on the same Keycloak instance or on different instances.
And because of limitations on the number of realms per Keycloak instance we should be prepared to have multiple Keycloak instances since we will have many tenants and hence many realms.
So when the user hits the login link, we need to know both the Keycloak server and realm immediately in order to create the Keycloak URL, but the user hasn’t entered his username anywhere yet, so we don’t have any information to go on.
Please help! We’d hate to conclude that due to a Keycloak limitation, tenant determination is only possible based on application hostname, e.g. https://customer1.oursaas.com, not by looking at the username entered by the user, e.g.
Before anybody suggests just to add a dialog box in the application asking for the username, determine realm and Keycloak server from that and then redirect to Keycloak using the login_hint GET param from the OIDC spec: That won’t work with SSO, where if the user is signed in applicationA and tries to login to applicationB, she should not be shown any dialog box at all, just be logged in immediately to applicationB. And only the correct Keycloak server knows whether the user is already logged in.
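For reference, here is an added example (not code from the original post, the Keycloak documentation or the Keycloak project) of the hostname-based approach the post describes as the one that is known to work: a KeycloakConfigResolver whose resolve() input is the HTTP request, which picks the Keycloak server and realm from the application hostname (https://customer1.oursaas.com). The package name, the registry contents, the server URLs, client IDs and secrets are all constructed placeholders. The security-relevant choice is that the realm is looked up in an explicit allowlist of known hostnames rather than being built from the raw Host header, so a request with an unexpected Host value is refused instead of being routed to a realm of the sender's choosing; the registry can also point different tenants at different Keycloak instances, which matters when the realms-per-instance limit forces more than one server.

```java
// Added example: hostname -> (Keycloak server, realm) resolution for a
// multi-tenant application secured by the Keycloak Java servlet adapter.
// Package name, hostnames, server URLs, client IDs and secrets are constructed
// placeholders and not values from the original post.
package com.example.saas.auth;

import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.representations.adapters.config.AdapterConfig;

public class HostnameTenantResolver implements KeycloakConfigResolver {

    /** Per-tenant settings: which Keycloak instance, which realm, which client. */
    static final class Tenant {
        final String authServerUrl;
        final String realm;
        final String clientId;
        final String clientSecret;

        Tenant(String authServerUrl, String realm, String clientId, String clientSecret) {
            this.authServerUrl = authServerUrl;
            this.realm = realm;
            this.clientId = clientId;
            this.clientSecret = clientSecret;
        }
    }

    // Allowlist keyed by the exact hostname the application is served on.
    // Tenants may live on different Keycloak instances (kc-a vs kc-b below).
    private static final Map<String, Tenant> REGISTRY = new HashMap<>();
    static {
        REGISTRY.put("customer1.oursaas.com",
                new Tenant("https://kc-a.oursaas.example/auth", "customer1", "saas-app", "REPLACE_ME_1"));
        REGISTRY.put("customer2.oursaas.com",
                new Tenant("https://kc-b.oursaas.example/auth", "customer2", "saas-app", "REPLACE_ME_2"));
    }

    // Built deployments are cached per hostname: building one parses the config
    // and may contact the realm for its keys, so it should not happen per request.
    private final Map<String, KeycloakDeployment> cache = new ConcurrentHashMap<>();

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        String host = hostOf(request);
        Tenant tenant = REGISTRY.get(host);
        if (tenant == null) {
            // Unknown hostname: refuse rather than deriving a realm name from
            // a Host header the sender controls.
            throw new IllegalStateException("no tenant registered for host '" + host + "'");
        }
        return cache.computeIfAbsent(host, h -> build(tenant));
    }

    /** Normalises the Host header: strips an optional port, lower-cases the name. */
    static String hostOf(HttpFacade.Request request) {
        String host = request.getHeader("Host");
        if (host == null) {
            return "";
        }
        int colon = host.indexOf(':');
        String bare = colon >= 0 ? host.substring(0, colon) : host;
        return bare.trim().toLowerCase();
    }

    private static KeycloakDeployment build(Tenant t) {
        AdapterConfig cfg = new AdapterConfig();
        cfg.setAuthServerUrl(t.authServerUrl);
        cfg.setRealm(t.realm);
        cfg.setResource(t.clientId);
        cfg.setSslRequired("external");
        Map<String, Object> credentials = new HashMap<>();
        credentials.put("secret", t.clientSecret);
        cfg.setCredentials(credentials);
        return KeycloakDeploymentBuilder.build(cfg);
    }
}
```

The resolver is registered with the servlet adapter through the keycloak.config.resolver context parameter in web.xml, pointing at the fully qualified class name. Because the tenant is fixed by the hostname before any redirect is built, the SSO case in the post works without a dialog: applicationB on customer1.oursaas.com already knows which Keycloak server to send the browser to, and that server decides from its own session cookie whether the user is logged in. The hostOf() helper assumes hostnames without IPv6 literals; if the application can be reached by a bracketed IPv6 address, the port-stripping logic needs to account for that form.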