Keycloak multi tenancy with keycloak extension keycloak-orgs


Ryan Turnbull

Aug 22, 2022, 2:35:39 PM8/22/22
to Keycloak User

Hello,

I'm looking for some guidance for this. Previously our company's server was ForgeRock OpenAM. Under that you could have a 'realm' per IdP configuration, and then application agents would be configured under one realm - '/' or 'root'. On utilizing a URL on the proxy, the user would be redirected to the customer's IdP. There, the user enters their login and is then redirected back to the site. The information would then traverse from the IdP realm to the root realm - the user's information would then be readable by the application agent (1 application agent per application).

Under keycloak - I don't think that is possible, and research hasn't shown that it is possible. I have used keycloak-quickstarts to deploy the appz-vanilla application to test deployment of an application and to see if I could make an application have multiple realms. We need to keep all logs from companies on separate IdPs/separate realms because of different security needs for each.

I have also set up both companies' IdPs under 1 realm - however, this doesn't allow a direct login choice of 1 IdP but shows two companies available to log in with on the login screen - we don't want to have a login screen. How does idp_hint(?) work into selecting the IdP? Could that parameter be available on the proxy - the user goes to https://IdP-company.mycompany.domain and the Apache HTTP proxy forwards to https://testkeycloak.mycompany.domain/realms/testrealm/?idp_hint=IdP_setup_1

I have compiled and added to my local keycloak the keycloak-orgs (keycloak extensions). I have figured out how to use the extension through the REST API, but there are really no instructions on how to correctly utilize this extension.

Anyway, my questions are the following:

Is multi tenancy possible in keycloak without an extension? I.e., create "clients" on the master realm, then each company gets its IdP configured under its specific isolated realm. Can this traverse from its realm to the master realm and its clients?

As multi tenancy has been discussed in keycloak - specifically keycloak-orgs mentioned, do you have any use cases/setup/guidance on how to do that with keycloak-orgs?

If anyone has any ideas or any comments (maybe the setup is completely wrong) please respond.
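An added example, not part of the original post, of the proxy-side logic the question describes: the tenant hostname a user arrives on is mapped to Keycloak's `kc_idp_hint` parameter (that is the parameter's actual name), which is only honoured on the realm's authorization endpoint `/realms/<realm>/protocol/openid-connect/auth`. The hostnames and IdP aliases are assumptions for illustration; the allowlist means a request can never select an IdP outside the tenant it arrived for.

```python
"""Per-tenant IdP pre-selection in front of Keycloak (added example).

A reverse proxy can map the tenant-specific hostname a user arrives on to
Keycloak's kc_idp_hint parameter so the realm skips its IdP chooser and sends
the user straight to that tenant's IdP.  The hint only has an effect on the
realm's authorization endpoint, so it is added there and nowhere else.
Hostnames and IdP aliases below are assumptions for illustration.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

KEYCLOAK_BASE = "https://testkeycloak.mycompany.domain"
REALM = "testrealm"
AUTH_PATH = f"/realms/{REALM}/protocol/openid-connect/auth"

# Allowlist: tenant hostname -> identity provider alias configured in the realm.
# Only aliases listed here may ever be placed in kc_idp_hint.
TENANT_IDP = {
    "idp-company.mycompany.domain": "IdP_setup_1",
    "idp-other.mycompany.domain": "IdP_setup_2",
}


def upstream_url(host: str, path_and_query: str) -> str:
    """Return the Keycloak URL the proxy should forward the request to.

    On the authorization endpoint the tenant's kc_idp_hint is appended,
    replacing any hint the client supplied, so a request cannot pick another
    tenant's IdP by naming it in the query string.  Other paths pass through
    unchanged.  Unknown hosts get no hint and therefore see Keycloak's normal
    login page instead of being redirected to the wrong IdP.
    """
    parts = urlsplit(path_and_query)
    path = parts.path
    query = parse_qsl(parts.query, keep_blank_values=True)

    # Host header may carry a port and arbitrary case; normalise before lookup.
    alias = TENANT_IDP.get(host.split(":")[0].lower())
    if path == AUTH_PATH and alias is not None:
        query = [(k, v) for k, v in query if k != "kc_idp_hint"]
        query.append(("kc_idp_hint", alias))

    return urlunsplit(("https", urlsplit(KEYCLOAK_BASE).netloc, path,
                       urlencode(query), ""))
```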
