Dedicated multi-tenancy / organization support for Keycloak
I recently had an interesting discussion with different customers where they told me that Keycloak fits very well for some use cases but not so well for others.
TLDR: Many customers need something like a realm with support for customization on the "tenant" or "organizational" level for specific realm settings (theme, domain/hostname) / components (IdPs, user federation) with generic client configurations. Are there already plans for such a feature?
What currently works well with Keycloak:
# EAIM In-house
- many different applications/services connected via OIDC, SAML
- users stored in an LDAP directory, Keycloak database, or external user store
- Integration with company IdP (ADFS, Azure AD, Okta, etc.)
- ~10s - 10000s of users (employees, external partners)
- Branded login, account theme
- Centralized user management
- single domain
-> This use-case works very well (flexible enough and reliable) with Keycloak today
# CIAM SaaS Product
- few (uniform) applications/services connected via OIDC, SAML
- users stored in the Keycloak database, external user store, or LDAP directory
- ~10s - millions of users (consumers)
- Offline Sessions for mobile apps
- Social Login
- Branded login, account theme
- Centralized user management
- single domain
-> This use-case works okayish (flexible, yes, but scale and reliability need quite some effort) with Keycloak today and scales with proper Keycloak configuration.
What doesn't work so well:
# CIAM Multi-tenant SaaS Product
- few (uniform) applications/services connected via OIDC, SAML
- applications might be tenant aware and allow branding/customization
- users stored in the Keycloak database or external user store, or LDAP directory
- ~10s - millions of users (employees and customers of a tenant)
- 10s - 1000s of tenants/organizations
- tenants'/organizations' users might come from different IdPs, user federations, or databases
- multiple tenant-specific domains (staged environments per tenant)
-> IMHO, this use-case is currently not supported out of the box and, in some cases, not possible with Keycloak as it comes today.
To support tenant-specific IdPs or user storage federations, one must create a realm per tenant based on a template. This approach currently hits a scalability limit (with a few 100 realms), which the new storage implementation might fix. However, even if Keycloak supported an arbitrary number of realms, users would still need a templating mechanism to deal with that many realms, which differ only in minor configuration (IdPs, user storage federation, etc.).
Another workaround is to model tenants/organizations with groups in Keycloak, but this is difficult to manage and has limited use.
One can model organization structures with groups and store tenant/org-specific metadata. Still, things become difficult or impossible when you need to support tenant-specific users via dedicated IdP user storage.
Other auth solutions use a concept of an "organization" to express org/tenant-specific differences of a global configuration.
It would be great to have support for such an organizational concept.
In the Keycloak community, some folks already build interesting extensions like keycloak-orgs[1], which support organizations at some level. Still, those solutions are an add-on and require some maintenance effort to keep them working with new Keycloak versions.
An alternative to an organizational layer could be a realm template/parent realm concept, where a realm could inherit settings from a parent realm with support for overrides and additional configuration.
However, it would be great if we had support for modeling organizations with dedicated configuration / customization of:
- Identity providers
- User storage federation
- custom domains
- auth-flows
- Groups
- Users
- Roles
- Keys
- Scopes
- Protocol mappers (with defaults to map orgId into token/assertions)
- User management with delegated administration -> organization admins can manage their users, configure their IdPs, etc.
The list above sounds like a dedicated realm-per-tenant model. However, I think most users only need to customize keys and IdPs with a logical segmentation of their users with support for delegated administration.
As I did not see a design proposal [2], I'd like to ask: Are there already any plans to support such a model?
Support for this would enable the usage of Keycloak in more scenarios that are currently barely possible with Keycloak, and increase Keycloak adoption rates.
[1] https://github.com/p2-inc/keycloak-orgs
[2] https://github.com/keycloak/keycloak-community/tree/main/design
--
You received this message because you are subscribed to the Google Groups "Keycloak Dev" group.
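The realm-per-tenant templating workaround described in the post above, as an added example that is not part of the original message or of Keycloak's own code: it derives a per-tenant realm representation from a shared template, reports which keys actually differ between tenants, and posts the result to the Admin REST API. The template contents, tenant records, hostnames and IdP settings are constructed assumptions; the Admin API endpoint and the `frontendUrl` realm attribute are Keycloak's.

```python
import copy
import json
import urllib.request

# Constructed template realm: the settings every tenant shares (example values).
TEMPLATE_REALM = {
    "enabled": True,
    "loginTheme": "saas-theme",
    "sslRequired": "external",
    "clients": [{"clientId": "saas-app", "protocol": "openid-connect",
                 "publicClient": False,
                 "redirectUris": ["https://app.example.com/*"]}],
}

def render_tenant_realm(template, tenant):
    """Derive one tenant's full realm representation from the shared template.
    `tenant` is a constructed dict with name, hostname and an optional idp dict."""
    realm = copy.deepcopy(template)
    realm["realm"] = f"tenant-{tenant['name']}"
    realm["displayName"] = tenant["name"]
    # Keycloak stores a realm's public URL in the 'frontendUrl' realm attribute.
    realm["attributes"] = {"frontendUrl": f"https://{tenant['hostname']}"}
    realm["identityProviders"] = []
    if tenant.get("idp"):  # the tenant-specific IdP is the only component that differs
        realm["identityProviders"].append({"alias": tenant["idp"]["alias"],
                                           "providerId": tenant["idp"]["providerId"],
                                           "enabled": True,
                                           "config": dict(tenant["idp"]["config"])})
    return realm

def tenant_overrides(template, realm):
    """Return the realm keys that differ from the template; everything else is duplicated."""
    return {k for k in realm if template.get(k) != realm[k]}

def create_realm(base_url, admin_token, realm):
    """POST the representation to the Admin REST API (prefix base_url with /auth for pre-17 Keycloak)."""
    req = urllib.request.Request(f"{base_url}/admin/realms", method="POST",
                                 data=json.dumps(realm).encode(),
                                 headers={"Authorization": f"Bearer {admin_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on e.g. 409 (realm exists)
        return resp.status  # 201 on success

if __name__ == "__main__":
    tenants = [{"name": "acme", "hostname": "login.acme.example",
                "idp": {"alias": "acme-saml", "providerId": "saml",
                        "config": {"entityId": "urn:acme",
                                   "singleSignOnServiceUrl": "https://sso.acme.example/saml"}}},
               {"name": "globex", "hostname": "login.globex.example", "idp": None}]
    for t in tenants:
        r = render_tenant_realm(TEMPLATE_REALM, t)
        print(r["realm"], sorted(tenant_overrides(TEMPLATE_REALM, r)))
```

Running it shows that each generated realm differs from the template only in `realm`, `displayName`, `attributes` and `identityProviders`, which is the duplication the post argues an organization concept would remove.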