Use Keycloak as third-party handler, without concrete users?


We are considering using Keycloak as a handler for our third-party authentication.

We do have multiple tenants, each of our tenants will have 0 or more third-party integration possible. For example, Tenant1 could have (Facebook) and Tenant 2 (Azure + Github). Our tenant will need to provide the according credentials to our team so we can confirm these identities provider.

First, I would like to have a confirmation: Each of our tenants should be a Keycloak Realm, and that Realm will have 0 to more Identity Provider.

In our implementation, we seek to keep the “Users” database on our ends and existing database.

Is there a setting to somewhat disable the user persistence in Keycloak? If no, what’s the recommandation?

In our implementation, we would validate the user’s email and the realm (so Tenant 2 cannot connect to Tenant 1).