Hello Anuj,
I usually tackle those use-cases with cross-realm identity brokering.
# Cross-Realm Identity Brokering
You might have all your internal users and internal clients in a realm like "acme-internal" if you are the acme company.
Perhaps you have some realms for customers like "acme-customers-1", "acme-customers-2", ... "acme-customers-N" where all users and clients of this particular customer reside.
You can now register an Identity Provider (Keycloak OIDC) in every "acme-customer-*" realm that points to the "acme-internal" realm.
For the Identity Provider in a customer realm, you also need a (confidential) OIDC target client in the "acme-internal" realm. For this, you can either use the generic "broker" client or create one or more dedicated confidential clients, e.g., one per "acme-customer-*" realm. I usually do the latter.
This setup allows users from the "acme-internal" realm to sign in to the "acme-customer-*" realms where the identity provider is configured.
When a user logs in via identity brokering, Keycloak will dynamically generate brokered user accounts for "acme-internal" users in the respective target "acme-customer-*" realm. Those users don't have a password and can (by default) only log in through the identity provider. Otherwise, those users are normal Keycloak users; you can assign roles to them, manage attributes, join groups, etc.
Note that the realms you connect via identity provider don't have to live in the same Keycloak system! Those realms could, in fact, come from completely different Keycloak systems, potentially running with different versions and use different authentication flows.
# Cross-Realm Identity Brokering and Global Apps Realm
In an extension of this model, you could also have a realm like
"acme-apps" where all the "acme-internal" and "acme-customer-*" realms are registered as Keycloak OIDC identity providers. This "acme-apps" realm can then provide clients, which can potentially be used by all users across all the realms.
# Cross-Realm Identity Brokering with LDAP Federation
This model is very flexible and can even be combined with an LDAP-based user federation. In this case, LDAP defines which users are present in a particular realm and what attributes and group membership they have but without providing any way to log in. The login is only possible through the identity provider and only for those users who are indeed listed in the particular LDAP federation.
Cheers,
Thomas