[keycloak-user] Multi Tenant Multi Application SSO

jay.bhatt jay.bhatt at exfo.com
Tue Mar 21 01:35:02 EDT 2017


Hello,

Please pardon my limited knowledge of Keycloak. I have tried my best to
learn through online resources (forums, blogs, YouTube). However, I could not
find much info for my specific use case:

I have a set of cloud multi-tenant SaaS applications/services (also refer to
the image attached herewith).

The main application would allow our customers to register their account. Here
the account will represent the organisation to which the customer belongs.

Also, the person who registered the account will be the first user (Admin)
in that newly registered account. He can then invite the other users through
email to his org account.

A user can be invited from more than one organisation account.

So we have one application, multiple org accounts, each having multiple users.

Some organisations could have their own requirements for authentication (e.g.
LDAP, SAML).

My questions are:

1) Do I need to create one realm and multiple groups (one group per
organisation), or do I need one realm per organisation?

2) If I have one realm only, then can I have different authentication per
organisation?

3) Which is the suggested way for single sign-on in my use case? I.e., should
I go for IdP-initiated or SP-initiated SSO?

4) Should I have one domain for all tenants and ask for organisation
information at user login? Or should I use subdomains to separate the
tenants?

Based on the responses, I may have further questions.

Thank you very much.

<http://keycloak-user.88327.x6.nabble.com/file/n3255/Capture.jpg> 




