[keycloak-dev] Multiple tenants in a single realm

Shanon Levenherz shanonvl at gmail.com
Thu Jun 1 11:33:03 EDT 2017

Hi there,

I’m looking to leverage Keycloak as the primary IdP for our SaaS platform. We have many tenants, each with their own sub-tenants (their customers) and would like to provide them with the ability to administer themselves (and enable sub-tenant users to admin the sub-tenant, etc). Based on my current research, which includes the multi-tenant example in the GitHub repo, it appears that multiple tenants are supported via separate realms. My current thinking is that I’d like to use a single realm as I’d like for a platform administrator (like myself) to be able to manage all users in a single place, use a group hierarchy to support multiple tenants, and apply roles to specific users in a group to e.g. administer the users or create a sub group for a new tenant.

Something like this:

|- User 1 (user-admin role)
|- Tenant 1 Group
|  |
|  |- User 1.1 (user-admin role)
|  |- User 1.2
|  |- …
|  |- User 1.n
|- Tenant 2 Group
|  |
|  |- User 2.1 (user-admin role)
|  |- User 2.2
|  |- …
|  |- User 2.n
|  |
|  |- Tenant 3 Group
|  |  |
|  |  |- User 3.1 (user-admin role)
|  |  |- User 3.2
|  |  |- …
|  |  |- User 3.n

From the above we’re looking for:

* User 1 is the realm/platform administrator and has full control over all groups/users
* User 1.1 is the administrator for Tenant 1
* User 2.1 is the administrator for Tenants 2 and 3
* User 3.1 is the administrator for Tenant 3

I came across this thread <http://lists.jboss.org/pipermail/keycloak-user/2015-October/003359.html> and specifically this comment from Bill Burke:
>I like that idea.  A better alternative might be that each group has an 
>"user-admin" role.  If a user has the "user-admin" role of the group, it 
>can administer users in that group and assign roles defined in that 
>group.  One thing to really think about is, what about sub-groups.  Can 
>an admin of the parent group administer sub groups?

This post is from October 2015, so I’m curious if the ability to grant specific roles to specific users in a specific group has been implemented at all? I can’t find anything about it in the docs. I also just noticed this JIRA issue <https://issues.jboss.org/browse/KEYCLOAK-3168> but am not sure if it’s the same thing.

Disclaimer: I’m new to Keycloak so maybe I’m misunderstanding and/or going about this incorrectly… please let me know if I can provide more information; I can provide a more complete description of my goals / requirements if that would help.

Thank you!
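A small model of the group-scoped "user-admin" idea from the quoted comment, built on the hierarchy in the post, as an added example that is not part of the original message or of Keycloak itself. It assumes (the open question Bill Burke raises) that user-admin on a parent group also covers its sub-groups, and the usernames are constructed.

```python
# Added example, not code from the post or from Keycloak: a minimal model of
# group-scoped "user-admin" authorization over the tenant tree in the post.
# Assumption: user-admin on a group also covers every sub-group beneath it.

class Group:
    """A node in the group tree; compared by identity, so names need not be unique."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent

    def add_child(self, name):
        return Group(name, parent=self)

    def lineage(self):
        """Yield this group, then each ancestor up to the realm root."""
        g = self
        while g is not None:
            yield g
            g = g.parent


class Realm:
    def __init__(self):
        self.root = Group("realm")     # realm-level admin = user-admin on the root
        self.memberships = {}          # username -> [(Group, {group-scoped roles})]

    def join(self, username, group, *roles):
        self.memberships.setdefault(username, []).append((group, set(roles)))

    def admin_scope(self, username):
        """Groups on which `username` holds the user-admin role."""
        return [g for g, roles in self.memberships.get(username, []) if "user-admin" in roles]

    def can_admin(self, admin, target):
        """True if a group `admin` administers is an ancestor-or-self of a group
        `target` belongs to. Plain membership without user-admin grants nothing."""
        scope = self.admin_scope(admin)
        return any(any(anc is s for s in scope)
                   for g, _ in self.memberships.get(target, [])
                   for anc in g.lineage())


def build_example():
    """The tree from the post: Tenant 3 is a sub-tenant of Tenant 2 (constructed users)."""
    realm = Realm()
    t1 = realm.root.add_child("Tenant 1")
    t2 = realm.root.add_child("Tenant 2")
    t3 = t2.add_child("Tenant 3")
    realm.join("user1", realm.root, "user-admin")      # platform administrator
    realm.join("user1.1", t1, "user-admin"); realm.join("user1.2", t1)
    realm.join("user2.1", t2, "user-admin"); realm.join("user2.2", t2)
    realm.join("user3.1", t3, "user-admin"); realm.join("user3.2", t3)
    return realm
```

With this rule, `user2.1` can administer `user3.2` because Tenant 3 sits under Tenant 2, while `user3.1` cannot reach anyone in Tenant 2.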
