Hi Keycloak users,
I'm looking for tips on how to migrate from mod_auth_kerb to Keycloak. I have two
Kerberos realms, and one is a subset of the other: DOMAIN.ORG and INTERNAL.DOMAIN.ORG.
The mod_auth_kerb handles this scenario beautifully and I simply have a service principal
for each Kerberos realm in the keytab and Apache httpd will log in the user if they are in
either of the Kerberos realms. For Keycloak, adding two Kerberos user storage providers,
one at priority 1 and another at priority 2, doesn't seem to work. Only the first one is
used. What are other people doing to handle this? Creating a custom User Storage
Provider? Client side multitenancy? Perhaps if I use two LDAP servers instead of two
KDCs it could work (I assume from the priority field of user storage provider API that
something must be allowed to be paired together)?
Thanks,
Ryan