Using Keycloak for multiple users, multiple applications and multiple organisations

We’re looking at implementing an SSO across all of our web applications. We have the following requirements:

  1. Same user account for multiple websites. Some sites will only be accessible to a subset of users
  2. Must support the idea of organisations
  3. Should support roles with different levels of access
  4. Must integrate with Ruby on Rails applications and WordPress.

My initial thoughts are:

  1. Use a single realm and create the user accounts there.
  2. Create roles for each level of access needed.
  3. Create a top-level group for each organisation, and sub-groups for each role. Assign the role templates created previously to the relevant sub-groups.
  4. Assign the users to the relevant sub-groups.

In the application code, use if statements such as:

if the user is a member of this sub-group, then do this.

The eventual setup will be a Keycloak cluster with a PostgreSQL database, but at the moment we’re at the proof-of-concept planning stage.

Is there a better way of achieving this?
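An added example (not from the post, and not the imagov/keycloak gem's code) of what the Rails side of the plan above has to do before its "if user is member of this sub-group" check is safe: verify the Keycloak access token, then map the full group paths to (organisation, role sub-group). It assumes a Group Membership protocol mapper with "Full group path" enabled on the client so that a `groups` claim such as `/acme/editors` is present (Keycloak does not add groups to tokens by default); the client ID `rails-portal`, the issuer URL, the sample claims and the realm signing key are all constructed stand-ins, and a real application would load the realm's public key from its JWKS endpoint.

```ruby
require 'openssl'
require 'json'

# Constructed stand-ins for this example (not real Keycloak values).
ISSUER    = 'https://sso.example.test/realms/company'.freeze
CLIENT_ID = 'rails-portal'.freeze
# Stands in for the realm's RS256 signing key; a real app fetches the realm's
# public key from its JWKS endpoint and selects it by the token's `kid`.
REALM_KEY = OpenSSL::PKey::RSA.new(2048)

class TokenError < StandardError; end

# base64url without padding (RFC 7515), using only pack/unpack.
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  s += '=' * ((4 - s.length % 4) % 4)
  s.unpack1('m0')
rescue ArgumentError
  raise TokenError, 'invalid base64url segment'
end

def decode_json_segment(seg)
  JSON.parse(b64url_decode(seg).force_encoding('UTF-8'))
rescue JSON::ParserError
  raise TokenError, 'segment is not valid JSON'
end

# Mints a token the way the realm would; only here so the example runs offline.
def sign_token(claims, key)
  header = { alg: 'RS256', typ: 'JWT' }
  input  = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(claims))}"
  sig    = key.sign(OpenSSL::Digest.new('SHA256'), input)
  "#{input}.#{b64url_encode(sig)}"
end

# Everything the app must check before trusting a single claim: pinned
# algorithm, signature, expiry, issuer and audience. Returns the claims hash.
def verify_token(jwt, public_key, issuer:, audience:, now: Time.now.to_i)
  parts = jwt.split('.')
  raise TokenError, 'malformed token' unless parts.length == 3
  header = decode_json_segment(parts[0])
  # Never let the token pick its own algorithm (alg=none / key-confusion tricks).
  unless header.is_a?(Hash) && header['alg'] == 'RS256'
    raise TokenError, "unexpected alg #{header.is_a?(Hash) ? header['alg'] : header.inspect}"
  end
  signed = "#{parts[0]}.#{parts[1]}"
  unless public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(parts[2]), signed)
    raise TokenError, 'bad signature'
  end
  claims = decode_json_segment(parts[1])
  raise TokenError, 'expired' unless claims['exp'].is_a?(Integer) && now < claims['exp']
  raise TokenError, 'wrong issuer' unless claims['iss'] == issuer
  raise TokenError, 'wrong audience' unless Array(claims['aud']).include?(audience)
  claims
end

# "/acme/editors" => org "acme", role sub-group "editors" (the post's two-level
# layout). A top-level-only membership such as "/acme" carries no role.
def org_roles(claims)
  Array(claims['groups']).each_with_object({}) do |path, acc|
    org, sub = path.sub(%r{\A/}, '').split('/', 2)
    next if org.nil? || org.empty? || sub.nil? || sub.empty?
    (acc[org] ||= []) << sub
  end
end

# The "if user is member of this sub-group" check, on verified claims only.
def member_of?(claims, org:, role:)
  org_roles(claims).fetch(org, []).include?(role)
end

# Realm roles inherited through the group, for checks that are not org-scoped.
def has_realm_role?(claims, role)
  Array(claims.dig('realm_access', 'roles')).include?(role)
end

# Constructed sample claims: alice is an editor in acme and a viewer in globex.
SAMPLE_CLAIMS = {
  'iss' => ISSUER, 'aud' => CLIENT_ID, 'azp' => CLIENT_ID,
  'sub' => 'c1d6f2e0-0000-4000-8000-000000000001',
  'preferred_username' => 'alice',
  'exp' => Time.now.to_i + 300,
  'realm_access' => { 'roles' => %w[editor viewer] },
  'groups' => ['/acme/editors', '/globex/viewers', '/acme']
}.freeze

if $PROGRAM_NAME == __FILE__
  token  = sign_token(SAMPLE_CLAIMS, REALM_KEY)
  claims = verify_token(token, REALM_KEY.public_key, issuer: ISSUER, audience: CLIENT_ID)
  puts "#{claims['preferred_username']} => #{org_roles(claims)}"
  puts "acme editor? #{member_of?(claims, org: 'acme', role: 'editors')}"
end
```

The authorisation decision is a lookup in the parsed paths rather than a string match on the raw claim, so a membership of `/acme` alone, or of `/acme/editors` when the check is for `globex`, does not grant anything. The audience check matters in a multi-application setup like the one described: a token minted for the WordPress client must not be accepted by the Rails application just because it carries the right groups.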

This is a common question among users of Keycloak. While Keycloak doesn’t have a native concept of Organizations, and thus the need for per-Organization roles and permissions isn’t addressed, what you have suggested is a common way of addressing this use case.

Regarding RoR, I have used this library: GitHub - imagov/keycloak: Gem for add authentication to applications and secure services with Keycloak
Regarding Wordpress, I’ve used this OpenID Connect plugin: WordPress OpenID Connect Client – WordPress plugin | WordPress.org

Thanks for the links and confirmation, very useful.