TL;DR
We’re trying to create a SaaS with multi-tenancy, and would like to extract the tenant information (and hence the Keycloak realm to use) based on the username the user is trying to login as.
Is that possible? How?
Details
Determining the realm during login
Deciding which tenant a login belongs to can be done by either putting the tenant information in the application hostname, e.g. https://customer1.oursaas.com, or by looking at the username entered by the user, e.g. fred.flintstone@customer1.com.
And we’d like to extract the tenant/realm customer1.com from the username entered. But how do we get around the chicken-and-egg situation, where we need to include the realm in the Keycloak URL but the realm is only known after the user has entered his username on the Keycloak server?
The Multi Tenancy documentation has a code example that shows code selecting a tenant based on path and realm variables. First of all I think path and realm are undefined in the example (tracked separately in KEYCLOAK-15065). But more importantly, the only input to:
public KeycloakDeployment resolve(OIDCHttpFacade.Request request)
is the HTTP request, so it doesn’t reveal how it is possible to extract the tenant/realm from the username. My guess is also that this method is called before the username has been entered by the user.
Multiple Keycloak Instances are Required
Further, Multi Tenancy says:
Multi Tenancy, in our context, means that a single target application (WAR) can be secured with multiple Keycloak realms. The realms can be located on the same Keycloak instance or on different instances.
And because of limitations on the number of realms per Keycloak instance we should be prepared to have multiple Keycloak instances since we will have many tenants and hence many realms.
So when the user hits the login link, we need to know both the Keycloak server and realm immediately in order to create the Keycloak URL, but the user hasn’t entered his username anywhere yet, so we don’t have any information to go on.
Please help! We’d hate to conclude that due to a Keycloak limitation, tenant determination is only possible based on application hostname, e.g. https://customer1.oursaas.com, not by looking at the username entered by the user, e.g. fred.flintstone@customer1.com.
Application Dialog won’t work with SSO
Before anybody suggests just to add a dialog box in the application asking for the username, determine realm and Keycloak server from that and then redirect to Keycloak using the login_hint GET param from the OIDC spec: That won’t work with SSO, where if the user is signed in to applicationA and tries to login to applicationB, she should not be shown any dialog box at all, just be logged in immediately to applicationB. And only the correct Keycloak server knows whether the user is already logged in.
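For reference, here is an added example (not code from the post above or from the Keycloak documentation) of a KeycloakConfigResolver that works with the only information the request carries before any username is typed: the Host header, i.e. the hostname-based option mentioned above. It uses the real adapter interface resolve(OIDCHttpFacade.Request) and KeycloakDeploymentBuilder.build(InputStream); the package name, the .oursaas.com suffix, and the per-tenant config file layout under /tenants/ are assumptions for illustration. Each per-tenant adapter JSON carries its own auth-server-url and realm, so tenants can live on different Keycloak instances. Note that these legacy Java adapters are deprecated in recent Keycloak releases.

```java
// Added example, not from the original post or the Keycloak docs.
// Resolves the tenant from the Host header, the only tenant signal present
// before the user has entered a username.
package com.example.saas;   // hypothetical package

import java.io.InputStream;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.OIDCHttpFacade;

public class HostnameTenantResolver implements KeycloakConfigResolver {

    // Only a plain DNS label is accepted as a tenant name; anything else is
    // rejected rather than spliced into a resource path from a client-supplied
    // Host header.
    private static final Pattern TENANT_LABEL = Pattern.compile("^[a-z0-9-]{1,63}$");
    private static final String SAAS_SUFFIX = ".oursaas.com"; // assumed suffix

    // One parsed deployment per tenant; KeycloakDeploymentBuilder is not cheap.
    private final Map<String, KeycloakDeployment> cache = new ConcurrentHashMap<>();

    @Override
    public KeycloakDeployment resolve(OIDCHttpFacade.Request request) {
        String tenant = tenantFromHost(request.getHeader("Host"));
        if (tenant == null) {
            // Fail closed. Returning an unconfigured KeycloakDeployment is not
            // safe here: several adapters treat "not configured" as "not
            // secured" and let the request through unauthenticated.
            throw new IllegalStateException("no tenant for Host header");
        }
        return cache.computeIfAbsent(tenant, this::loadDeployment);
    }

    // "Customer1.oursaas.com:8443" -> "customer1"; anything else -> null
    static String tenantFromHost(String host) {
        if (host == null) return null;
        String name = host.toLowerCase();
        int colon = name.indexOf(':');
        if (colon >= 0) name = name.substring(0, colon);
        if (!name.endsWith(SAAS_SUFFIX)) return null;
        String label = name.substring(0, name.length() - SAAS_SUFFIX.length());
        return TENANT_LABEL.matcher(label).matches() ? label : null;
    }

    // Hypothetical layout: /tenants/<tenant>-keycloak.json on the classpath,
    // each file naming that tenant's auth-server-url and realm.
    private KeycloakDeployment loadDeployment(String tenant) {
        InputStream cfg = getClass().getResourceAsStream("/tenants/" + tenant + "-keycloak.json");
        if (cfg == null) {
            throw new IllegalStateException("no adapter config for tenant " + tenant);
        }
        return KeycloakDeploymentBuilder.build(cfg);
    }
}
```

The resolver is registered in the same way as the documentation's example (the keycloak.config.resolver context parameter for servlet containers). Because the Host header is attacker-controlled, the tenant label is validated against a strict pattern before it is used to locate configuration, and an unrecognised host is rejected rather than mapped to a default realm.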