Hi,
*1) introduction*
I have a multi-tenant architecture deployed with keycloak.
At first, to investigate multi-tenant architecture, I have followed what
is available within keycloak:
documentation
*
https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
examples:
*
https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
The same application is deployed in both tenants with
* http://localhost:8080/multitenant/tenant1 and login as
user-tenant1, password user-tenant1
*
http://localhost:8080/multitenant/tenant2 and login as user-tenant2,
password user-tenant2
When you specify
http://localhost:8080/multitenant/tenant1, you are
redirected to tenant1, and you need to authenticate.
*2) description of the problem*
The issue I am facing, is that I have a customer client application,
which can redirected to several diffrent realms.
The realm selction is based on the email address.
* user1(a)foo.com ---> should redirect to realm foo
* user2(a)bar.com ---> shou0dl redirect to realm bar
In fact, the email analsys shoudl redirect to the correct realm (foo or
bar , or more).
Once I have the login screen of the corresponding realm1, it is the as
in /introduction/, where user authenticates normally in his specific
tenant.
*3) Authentication workflow requirement*
In fact the authentication workflow process should be as follows:
*step1*
* General welcome panel
* the user enter his email address
* based on the analysis of his welcome address, the users is
redirected to a specific authentication realm (foo or bar or more)
*step 2*
* The user enter is login/password in realm login authentication screen
After analysis, it sounds like that the keycloak authentication process
needs to be updated/modified with
1. adding an extra additional step (which is a general form asking
for email)
2. based on teh email analysis, the corresponding tenant login
screen is presented to the tenant
3. the user authenticates to the tenant with his login/password.
*4) How to move forward*
For information, Azure and atlassian already implements such a
redirection mechanism in SAAS multi tenant architecture.
Keycloak documentation does not seem to mention about such a possibility
to tailor "out of the box" the authentication workflow to our needs.
Could the mechanism described above being achieved by customizing the
authentication workflow by developing a specific authentication SPI
plugin which could handles the both steps mentioned above ?
Does this approach sounds correct to you, or is it something to rule out ?
Or woudl you advise another approach ?
Tkx for your help.
Regards,
Olivier
--
<
http://www.janua.fr/images/logo-big-sans.png><http://www.janua.fr/i...
<
http://www.janua.fr/images/6g_top.gif>
Olivier Rivat
CTO
orivat(a)janua.fr <mailto:dchikhaoui@janua.fr>
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr <
http://www.janua.fr/>
<
http://www.janua.fr/images/6g_top.gif>