Hello Litom, sorry for the late response, I hope it's still relevant.
As an alternative, you could try what is sometimes called "soft-tenancy", which
is basically a single-realm based solution with a number of tricks to emulate
multi-tenancy.
Here are the key points:
- use a single realm for all tenants;
- model your tenants as groups, use group membership to assign users to tenants. This has
an advantage over the multi-realm approach since it allows a many-to-many user-tenant relationship
(the same for client-tenant, BTW);
- establish client-tenant relationship using client attributes, or group attributes, or
naming convention;
- use custom authenticator to enforce tenant-client restrictions;
- if you need to "scope" your session to a particular tenant, e.g. for login
screen branding, use custom OpenID scope parameter like this: "scope=openid email
profile tenant:XXX"
- use custom authenticator to parse tenant ID and attach it to user session;
- if needed, use custom protocol mapper to put tenant ID back into tokens;
- if needed, use custom login forms provider + custom theme to brand login screen, see [1]
(the same for account and email themes).
Don't hesitate to ask any further questions.
[1] https://github.com/dteleguin/keycloak-dynamic-branding
Good luck,
Dmitry Telegin
Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info(a)carretti.pro
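As an added example (not from the thread above and not part of Dmitry's project), here is what the "custom authenticator" steps look like as one Keycloak Authenticator SPI class in Java: it parses the `tenant:XXX` scope value, enforces the client-tenant restriction, checks the user's tenant group membership, and attaches the tenant ID to the session for a protocol mapper. It assumes the Keycloak 7-era SPI, that each tenant is a top-level group named after the tenant ID, and a comma-separated client attribute named `tenants` (my naming); the AuthenticatorFactory and META-INF/services registration it needs are assumed to exist.

```java
package com.example.keycloak.tenant; // hypothetical package name

import java.util.*;
import java.util.stream.Collectors;
import org.keycloak.authentication.*;
import org.keycloak.models.*;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.sessions.AuthenticationSessionModel;
// Placed in the browser flow after the username/password step, so context.getUser() is already set.
public class TenantScopeAuthenticator implements Authenticator {
    static final String TENANT_PREFIX = "tenant:"; // "scope=openid email profile tenant:acme"
    static final String CLIENT_ATTR = "tenants";   // assumed client attribute, e.g. "acme,globex"
    static final String SESSION_NOTE = "tenant";   // read later by a "User Session Note" protocol mapper

    // Tenant ID from the space-separated OIDC scope string, or null if none was requested.
    static String parseTenant(String scope) {
        if (scope == null) return null;
        return Arrays.stream(scope.trim().split("\\s+"))
                .filter(s -> s.length() > TENANT_PREFIX.length() && s.startsWith(TENANT_PREFIX))
                .map(s -> s.substring(TENANT_PREFIX.length()))
                .findFirst().orElse(null);
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        String tenant = parseTenant(authSession.getClientNote(OIDCLoginProtocol.SCOPE_PARAM));
        if (tenant == null) { context.success(); return; } // no tenant requested: session is not scoped
        // Client-tenant restriction: the client's "tenants" attribute must list the requested tenant.
        String attr = authSession.getClient().getAttribute(CLIENT_ATTR);
        Set<String> allowed = attr == null ? Collections.<String>emptySet()
                : Arrays.stream(attr.split(",")).map(String::trim).collect(Collectors.toSet());
        // User-tenant membership: each tenant is a top-level group named after the tenant.
        GroupModel group = KeycloakModelUtils.findGroupByPath(context.getRealm(), "/" + tenant);
        if (!allowed.contains(tenant) || group == null || !context.getUser().isMemberOf(group)) {
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
            return;
        }
        // Scope the session: the note is copied to the user session, where a protocol mapper can read it.
        authSession.setUserSessionNote(SESSION_NOTE, tenant);
        context.success();
    }

    @Override public void action(AuthenticationFlowContext context) { } // no form round-trip needed
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

The built-in "User Session Note" protocol mapper can then copy the `tenant` note into the ID and access tokens without writing a custom mapper.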
On Mon, 2019-09-23 at 10:14 +0300, Litom Segal wrote:
We are considering using Keycloak in a multi-tenant fashion.
Each of our customers' accounts has its own users and applications
installed, and we also provide service APIs consumed by various clients.
We will have a large number of tenants.
I found an open issue from 2017 that mentions that Keycloak may have some
scalability issues with a large number of realms.
https://issues.jboss.org/browse/KEYCLOAK-4593
And also this thread from 2016,
https://lists.jboss.org/pipermail/keycloak-user/2016-October/008033.html,
that states that "Keycloak was not designed to support multi-tenancy
directly."..."In that regards we have never tested with high amounts of
realms as we expect there to be few realms (up to 10 most likely)."
I was wondering if there was any progress on the multi-tenancy use case, and
whether there are any best practices on how to set up Keycloak to support it.
On the other hand, is there any other approach to handle our use-case?
Thanks,
Litom
--
Litom Segal
Software Engineer
T: +972-74-700-4097