[keycloak-user] Saas muti-tenant architecture with multi-step authentication process

Hi, *1) introduction* I have a multi-tenant architecture deployed with keycloak. At first, to investigate multi-tenant architecture, I have followed what is available within keycloak: documentation * https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy examples: * https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant The same application is deployed in both tenants with *  http://localhost:8080/multitenant/tenant1 and login as user-tenant1, password user-tenant1 * http://localhost:8080/multitenant/tenant2 and login as user-tenant2, password user-tenant2 When you specify http://localhost:8080/multitenant/tenant1, you are redirected to tenant1, and you need to authenticate. *2) description of the problem* The issue I am facing, is that I have a customer client application, which can redirected to several diffrent realms. The realm selction is based on the email address. * user1(a)foo.com ---> should redirect to realm foo * user2(a)bar.com ---> shou0dl redirect to realm bar In fact, the email analsys shoudl redirect to the correct realm (foo or bar , or more). Once I have the login screen of the corresponding realm1, it is the as in /introduction/, where user authenticates normally in his specific tenant. *3) Authentication workflow requirement* In fact the authentication workflow process should be as follows: *step1* * General welcome panel * the user enter his email address * based on the analysis of his welcome address, the users is redirected to a specific authentication realm (foo or bar or more) *step 2* * The user enter is login/password in realm login authentication screen After analysis, it sounds like that the keycloak authentication process needs to be updated/modified with 1. adding an extra additional step (which is a general form asking for email) 2. based on teh email analysis, the corresponding tenant login screen is presented to the tenant 3. the user authenticates to the tenant with his login/password. *4) How to move forward* For information, Azure and atlassian already implements such a redirection mechanism in SAAS multi tenant architecture. Keycloak documentation does not seem to mention about such a possibility to tailor "out of the box" the authentication workflow to our needs. Could the mechanism described above being achieved by customizing the authentication workflow by developing a specific authentication SPI plugin which could handles the both steps mentioned above ? Does this approach sounds correct to you, or is it something to rule out ? Or woudl you advise another approach ? Tkx for your help. Regards, Olivier -- <http://www.janua.fr/images/logo-big-sans.png><http://www.janua.fr/i... <http://www.janua.fr/images/6g_top.gif> Olivier Rivat CTO orivat(a)janua.fr <mailto:dchikhaoui@janua.fr> Gsm: +33(0)682 801 609 Tél: +33(0)489 829 238 Fax: +33(0)955 260 370 http://www.janua.fr <http://www.janua.fr/> <http://www.janua.fr/images/6g_top.gif>