Keycloak multi-tenancy extensions for SaaS applications


Garth

May 9, 2022, 4:47:23 AM
to keyclo...@googlegroups.com
Cross posting from here: https://keycloak.discourse.group/t/keycloak-multi-tenancy-extensions-for-saas-applications/15426

I've open sourced a set of Keycloak extensions that are focused on solving several of the common use cases of multi-tenant, SaaS (Software as a Service) applications that Keycloak does not solve out of the box.

I often read questions here and on the mailing list about how to support different "organizations" (or "tenants") in a single realm. There is no one approach that solves all of the use cases, but this is a solution that has worked well for several customers with public cloud, SaaS applications.

https://github.com/p2-inc/keycloak-orgs

Some of the features:
- **Organizations** are "tenants" or "customers" as commonly used. A Realm can have multiple Organizations.
- **Memberships** are the relationship of Users to Organizations. Users may be members of multiple Organizations. These relationships can be used in the token via a mapper.
- **Roles** are mechanisms of role-based security specific to an Organization, much like Keycloak Realm Roles and Client Roles. In addition to a set of standard roles related to Organization data visibility and management, administrators can create Roles unique to an organization. Users who are Members of Organizations can be granted that Organization's Roles. These relationships can be used in the token via a mapper.
- **Invitations** allow Users and non-Users (by email) to be invited to join an Organization. Invitations can be created by administrators or Organization members with permission. A custom authenticator processes accepting invitations and automatic organization membership.
- **Identity Providers** provide a subset of the Keycloak IdP APIs that allows Organization administrators to manage their own IdP.

Please refer to the [README](https://github.com/p2-inc/keycloak-orgs/blob/main/README.md) in the repo for more information.

A variation of this code has been built, enhanced and used in production for over two years. I made a few changes in the process of preparing the code for open source, so please let me know if you find any problems.

Enjoy!