Multi-Tenancy Web App with Keycloak

I wonder if using Keycloak for a multi-tenancy application is feasible. Is it easy to, for example, configure a CMS so each tenant’s users get their own personalized login theme?

Has anyone had experience with this before? Appreciate all answers.

Keycloak does not really support multi-tenancy.
There are different approaches, using different entities (groups, realms, etc.). The Keycloak project discussed this once somewhere in a GitHub discussion thread, to include something multi-tenancy support-like. But I don’t know about any status or timeline.

There’s the GitHub - p2-inc/keycloak-orgs: Single realm, multi-tenancy for SaaS apps extension, which can do a lot, but I don’t know about the theming thing, perhaps @xgp can tell you something about that.

See also my video about realms and multi-tenancy:


I will for sure watch it! Thank you niko!

I’m using dasniko’s Option 2 (tenant realm) successfully with a customer. The downsides of the tenant realm approach listed in the video are acceptable because

  1. Identity providers are optional. Some tenants are offered a bring-your-own IdP but others don’t need it
  2. Clients vary. Though many tenants use the same clients, it wasn’t labor-intensive to create new clients for each realm

Hi @Carl can you explain how you provided a URL for each customer to login? Did you have to create a subdomain or is there a method whereby realms can be matched on login attempt? I really don’t want to have to create a subdomain per customer.

Hi Mark,

I have a customer who relies on a convention where the subdomain is handled by a lightweight webapp that converts the subdomain part to a Keycloak Realm. That webapp is a dynamic router that picks up a client_id and redirect_uri too.

Ex

https://mysub.example.com → https://mykeycloak.example.com/realms/mysub/protocol/openid-connect/auth?client_id=myapp&redirect_uri=https://myapp.example.com/mysub

Where mysub points to this routing app which forms the URL redirect to mykeycloak/mysub. Once the login is finished, you are redirected to the myapp/mysub.

The subdomain is not required. However, you’ll need some other piece of information like the path to look up the Keycloak realm, client_id, and redirect_uri.

Ex

https://myapp.example.com/mysub → https://mykeycloak.example.com/realms/mysub/protocol/openid-connect/auth?client_id=myapp&redirect_uri=https://myapp.example.com/mysub/home

Good luck

Hi Carl
This is super helpful thanks, so essentially a facade front that then loads the correct login for the client.
Sounds like it could be our best hope!

Thanks
Mark

Hi all, I just signed up to:

  1. Thank @dasniko for all the amazing work done here, all the questions answered (for free), the advice given, the YouTube videos, etc.
  2. Signal that starting with Keycloak 26, there is now support for Organizations in a Realm, that can (among other things) be used for many multi-tenancy cases.
    And of course, @dasniko has done a video about it!
    https://youtu.be/tY06l4KRHKk

I’m currently testing it, and it solves A LOT of my problems with previous versions!
