Supporting multi-tenancy with Keycloak

Hi All,

I need some advice on how to use Keycloak for a multi-tenant application. To start off, I used what would be a natural way to use Keycloak for a multi-tenant application, and that is I created 1 realm per tenant. This works pretty well, except that this approach has a scale issue. As soon as we go beyond the 400 realm mark we start seeing extreme slowness. With about 450 realms, restarting Keycloak did not work - it got stuck in some migration loop and would not come out of it.

Now I want to switch to some alternate scheme to achieve the same result. I am contemplating using a single realm and segregating tenant users by group - is this something that will work or would there be issues?

If someone has successfully built a multi-tenant application with Keycloak, I would like to hear from you.

Thanks.

I found the following Keycloak Multi Tenancy example:

This example demonstrates the simplest possible scenario for Keycloak Multi Tenancy support. Multi Tenancy is understood in this context as a single application (WAR) that is deployed on a single or clustered application server, authenticating users from different realms against a single or clustered Keycloak server.

Ref: Securing Apps - Multi Tenancy

Also, see:

Thanks @Robinyo for the pointers.

See also https://issues.redhat.com/browse/KEYCLOAK-4593
I found a hack to get RH-SSO working with 700+ realms in an acceptable way