I wonder if using Keycloak for a multi-tenancy application is feasible. Is it easy to, for example, configure a CMS so each tenant’s users get their own personalized login theme?
Has anyone had experience with this before? Appreciate all answers.
Keycloak does not really support multi-tenancy.
There are different approaches, using different entities (groups, realms, etc.). The Keycloak project discussed this once somewhere in a GitHub discussion thread, to include something multi-tenancy support-like. But I don’t know about any status or timeline.
There’s the p2-inc/keycloak-orgs extension on GitHub (single realm, multi-tenancy for SaaS apps), which can do a lot, but I don’t know about the theming thing, perhaps @xgp can tell you something about that.
See also my video about realms and multi-tenancy:
I will for sure watch it! Thank you niko!
I’m using dasniko’s Option 2 (tenant realm) successfully with a customer. The downsides of the tenant realm approach listed in the video are acceptable because
Hi @Carl can you explain how you provided a URL for each customer to login? Did you have to create a subdomain or is there a method whereby realms can be matched on login attempt? I really don’t want to have to create a subdomain per customer.
Hi Mark,
I have a customer who relies on a convention where the subdomain is handled by a lightweight webapp that converts the subdomain part to a Keycloak Realm. That webapp is a dynamic router that picks up a client_id and redirect_uri too.
Ex
https://mysub.example.com → https://mykeycloak.example.com/realms/mysub/protocol/openid-connect/auth?client_id=myapp&redirect_uri=https://myapp.example.com/mysub
Where mysub points to this routing app which forms the URL redirect to mykeycloak/mysub. Once the login is finished, you are redirected to the myapp/mysub.
The subdomain is not required. However, you’ll need some other piece of information like the path to look up the Keycloak realm, client_id, and redirect_uri.
Ex
https://myapp.example.com/mysub → https://mykeycloak.example.com/realms/mysub/protocol/openid-connect/auth?client_id=myapp&redirect_uri=https://myapp.example.com/mysub/home
Good luck
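A sketch of the routing step described in the post above, added here as an example and not code from the thread: the subdomain is resolved through a fixed tenant table, so an unexpected Host value cannot select an arbitrary realm or alter the URL path, and redirect_uri comes from configuration rather than from the request. The tenant table, the function names, and the `response_type` and `scope` parameters (required by OpenID Connect but not shown in the URLs above) are assumptions.

```python
import re
from urllib.parse import urlencode, quote

# Assumed values, taken from the example URLs in the post above.
KEYCLOAK_BASE = "https://mykeycloak.example.com"
APP_BASE = "https://myapp.example.com"
BASE_DOMAIN = "example.com"

# Hypothetical tenant registry: subdomain label -> (realm, client_id).
TENANTS = {
    "mysub": ("mysub", "myapp"),
}

# A single DNS label: no dots, slashes or other path-like characters.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def tenant_from_host(host):
    """Return the tenant label from a Host header value, or None."""
    hostname = host.split(":", 1)[0].strip().lower().rstrip(".")
    suffix = "." + BASE_DOMAIN
    if not hostname.endswith(suffix):
        return None
    label = hostname[: -len(suffix)]
    if not LABEL_RE.match(label):
        return None
    # Only tenants that are explicitly registered get a redirect.
    return label if label in TENANTS else None


def login_redirect(host):
    """Build the Keycloak authorization URL for the tenant, or None."""
    label = tenant_from_host(host)
    if label is None:
        return None
    realm, client_id = TENANTS[label]
    params = {
        "client_id": client_id,
        # Built from configuration, never copied from the request.
        "redirect_uri": f"{APP_BASE}/{label}",
        "response_type": "code",
        "scope": "openid",
    }
    return (f"{KEYCLOAK_BASE}/realms/{quote(realm, safe='')}"
            f"/protocol/openid-connect/auth?{urlencode(params)}")
```

A `None` result is the point where the router should answer with a 404 instead of redirecting.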
Hi Carl
This is super helpful thanks, so essentially a facade front that then loads the correct login for the client.
Sounds like it could be our best hope!
Thanks
Mark
Hi all, I just signed to :
I’m currently testing it, and it solves A LOT of my problems with previous versions!