[keycloak-user] Keycloak realm detection from email domain

[Scott Hezzell]

Hi


I am building a multi-tenant mobile application that uses keycloak as a SSO server.  We will pre-load users in keycloak using their email address as their username with a separate realm for each tenant. When a user logs into the mobile app I need to detect the realm from a user's email domain and redirect to the appropriate authorisation end point for the realm. Has anyone faced a similar problem?


My thoughts at the moment is to build a proxy api that the mobile application redirects to that prompts the user for their email address, look up the configured tenant form the email domain and redirects to the appropriate realm's login page passing the mobile app credentials it passes to the proxy api and the entered user email as a login_hint.


Can anyone see any issues with this approach? Or a suggest a better approach?


Thanks

Scott