[keycloak-user] Saas muti-tenant architecture with multi-step authentication process

Olivier Rivat orivat at janua.fr
Wed Jul 25 18:04:04 EDT 2018 

Hi,

Any update/feedback ?


Regards,

Olivier



Le 24/07/2018 à 18:46, Olivier Rivat a écrit :
>
>
> Hi,
>
>
> *1) introduction*
>
> I have a multi-tenant architecture deployed with keycloak.
> At first, to investigate multi-tenant architecture, I have followed 
> what is available within keycloak:
>
> documentation
>
>   * https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
>
>
>
> examples:
>
>   * https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
>
>
> The same application is deployed in both tenants with
>
>   * http://localhost:8080/multitenant/tenant1 and login as
>     user-tenant1, password user-tenant1
>   * http://localhost:8080/multitenant/tenant2 and login as
>     user-tenant2, password user-tenant2
>
>
> When you specify http://localhost:8080/multitenant/tenant1, you are 
> redirected to tenant1, and you need to authenticate.
>
>
> *2) description of the problem*
>
> The issue I am facing, is that I have a customer client application, 
> which can redirected to several diffrent realms.
>
> The realm selction is based on the email address.
>
>   * user1 at foo.com ---> should redirect to realm foo
>   * user2 at bar.com ---> shou0dl redirect to realm bar
>
>
> In fact, the email analsys shoudl redirect to the correct realm (foo 
> or bar , or more).
>
> Once I have the login screen of the corresponding realm1, it is the as 
> in /introduction/, where user authenticates normally in his specific 
> tenant.
>
>
> *3) Authentication workflow requirement*
>
> In fact the authentication workflow process should be as follows:
>
> *step1*
>
>   * General welcome panel
>   * the user enter his email address
>   * based on the analysis of his welcome address, the users is
>     redirected to a specific authentication realm (foo or bar or more)
>
>
> *step 2*
>
>   * The user enter is login/password in realm login authentication screen
>
>
>
> After analysis, it sounds like that the keycloak authentication 
> process needs to be updated/modified with
>
>     1. adding an extra additional step (which is a general form asking
>     for email)
>
>     2. based on teh email analysis, the corresponding tenant login
>     screen is presented to the tenant
>     3. the user authenticates to the tenant with his login/password. 
>
>
>
> *4) How to move forward*
>
>
> For information, Azure and atlassian already implements such a 
> redirection mechanism in SAAS multi tenant architecture.
> Keycloak documentation does not seem to mention about such a 
> possibility to tailor "out of the box" the authentication workflow to 
> our needs.
>
> Could the mechanism described above being achieved by customizing the 
> authentication workflow by developing a specific authentication SPI 
> plugin which could handles the both steps mentioned above ?
>
> Does this approach sounds correct to you, or is it something to rule out ?
>
> Or woudl you advise another approach ?
>
> Tkx for your help.
>
>
> Regards,
>
> Olivier
>
>
>
>
> -- 
>
>
> <http://www.janua.fr/images/logo-big-sans.png><http://www.janua.fr/images/LogoSignature.gif>
>
> 	<http://www.janua.fr/images/6g_top.gif>
> 	
> Olivier Rivat
> CTO
> orivat at janua.fr <mailto:dchikhaoui at janua.fr>
> Gsm: +33(0)682 801 609
> Tél: +33(0)489 829 238
> Fax: +33(0)955 260 370
> http://www.janua.fr <http://www.janua.fr/>
> 	<http://www.janua.fr/images/6g_top.gif>
>
>

-- 


<http://www.janua.fr/images/logo-big-sans.png><http://www.janua.fr/images/LogoSignature.gif>

	<http://www.janua.fr/images/6g_top.gif>
	
Olivier Rivat
CTO
orivat at janua.fr <mailto:dchikhaoui at janua.fr>
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr <http://www.janua.fr/>
	<http://www.janua.fr/images/6g_top.gif>

More information about the keycloak-user mailing list